As corporations in general continue to embrace technology more readily, third-party vendor risk management has been catapulted into the limelight of the risk management space. Increased data privacy and management regulations like the GDPR, CCPA, and PCI have made data security a concern for even small family-owned businesses that previously may not have been overly concerned with information security. With the advent of infrastructure and software as a service, those same small businesses are now exponentially more likely to have a large number of third-party vendors, and the same factors have increased their cyber risk.
With so many competing interests for the time of risk management personnel, how can you determine where to place your emphasis for the greatest effect? We’ll highlight what we feel are 5 of the top vendor risk management challenges and provide some tips on how to overcome them.
5 Key Vendor Risk Management Challenges
Focusing on Critical Vendors
Your security posture should place a heavy emphasis on vendor risk assessments as an integral component of your vendor risk management program. This focus on risk assessment should be dialed in to highlight your critical vendors specifically. Criticality is a function of the vendor’s effect on your business continuity should they suffer a data breach or be unable to fulfill their obligations to you. These vendors should not simply be forwarded a questionnaire that is briefly reviewed, filed away, and then ignored for the next 6-12 months.
As we mentioned above, the increase in technology and cloud-based vendors has had a correspondingly significant impact on the number of critical vendors even for small to medium-sized businesses. This means that now more than ever, the sheer quantity of critical vendors requiring an increased level of due diligence and continuous monitoring is at an all-time high (we’ll mention more on that shortly). This makes it even more important that you accurately assess your third parties for criticality early on.
Complexity in Vendor Networks
As decentralized business models continue to gain popularity, we’ve seen a marked increase in highly complex vendor networks. Deloitte Global has released research that shows over 70% of corporations have detected an increase in third-party risk and feel unprepared to adequately manage that risk. Each of your vendors has its own subcontractors and vendors, and they in turn have yet another layer of vendors. This poses a serious threat, especially when those Nth-party vendors may be handling your sensitive data. It’s no surprise that risk assessments must now take into account fourth parties and further down the chain when trying to determine true risk metrics.
This is why many companies have found peace of mind in turning to other agencies for third-party assessment services. Especially in fields where regulatory complexity is a matter of routine, looking to risk management industry experts can free up valuable time that your staff can spend elsewhere. There are even companies that offer enterprise security threat levels or scorecards that can track a vendor’s perceived risk in the present threat landscape. There is no perfect answer, but recognizing and addressing the increased complexity is key to successful whole-enterprise risk management.
Zero Trust Implementation
To combat cyber risk, many companies are contemplating a shift towards true zero-trust implementation. This is absolutely the right choice, but misconceptions about this policy and its efficacy can lead to wasted time, effort, and the risk of not meeting expectations. It’s important that your stakeholders realize that zero trust is not a magic potion, and that true zero trust is impossible to achieve; it’s more akin to a sliding scale than a light switch.
Focusing your network and information security teams on zero trust policies should start with incremental build-outs. Phasing in these changes allows for proper testing, feedback, and adjustment cycles before moving on to the next sector. This also encourages network segmentation, which is a significant component of zero trust protocols.
Long-term Inaccuracy of Point-in-time Analysis
Self-reported questionnaires are probably the least accurate form of risk assessment and barely check the box for due diligence. They fall even further short when applied as the sole means of conducting “continuous monitoring.” Even a review of financial statements and other reporting documents only provides a snapshot in time of the entity that they describe. Events occurring immediately after preparation can be easily concealed from reviewers until the next preparation period.
That’s why continuous monitoring needs to be a much more proactive endeavor. Tracking neutral-source security ratings, monitoring dark web and surface web traffic, and conducting onsite visits or penetration testing are all methods that can be enacted depending on the level of risk posed by the vendor and the available resources. This is again where vendor risk management experts can be utilized on a contractual basis to act as a force multiplier for your own team.
It’s easy to see how even the most robust TPRM team can become bogged down in the minutiae and overwhelmed by day-to-day tasks. There is no sign that the reliance on third parties is going to decrease anytime in the near future, and in fact, the opposite is true. As we mentioned above, IaaS and SaaS have only increased the pool of potential vendors as well as the number of highly critical vendors for both risk and business continuity.
No one has an unlimited supply of capital or an infinite number of risk management employees to manage all of the moving parts. Risk assessment, contracting, onboarding, continuous monitoring, and offboarding all require a hefty amount of work hours if they are taken seriously and all performed manually. Automating parts of that process is another way to reduce the strain on your staff. There are several vendor management programs that have automated functions and some that have even integrated artificial intelligence and machine learning. When flags in the system are reviewed and addressed by vendor management personnel, this setup can pay dividends.
In vendor management, there is no one-size-fits-all solution. Just as each business has a unique risk appetite, each should customize its approach to third-party risk management. Venture Lynk can provide you with a wide range of VRM Services, from vendor risk assessment all the way to whole vendor management programs from within your enterprise’s own portal. These services can be customized for businesses as small as a mom-and-pop operation up to large international corporations.