We have all heard about many security breaches, availability impacts, or service level failures whose root cause was later traced to a third-party provider or one of its sub-service providers. Understanding the root cause and/or adjacent causal components of these types of patterns will set the stage for why vendor risk management is such a crucial conversation.
Like many businesses, you have probably outsourced, or are at least considering outsourcing, some component of your enterprise to someone that is more specialized or has a higher capability (experience, resource strength, capacity) in that area of business. Examples include payroll, client billing, firewall management, security operations, incident response, server patching, and mobile device management. With these decisions comes some amount of risk.
Quickly, it is EASY to point out that a specialized company (e.g. a global payroll company) will be more efficient at keeping up to speed on the global tax and regulatory landscape and will have better bench capacity to absorb unexpected sick time and weather events, along with many other key benefits of outsourcing to “the experts”. However, it is equally important to recognize the lack of visibility into their business and security operations and, potentially, into their sub-service organizations’ risks.
A risk-based approach to enterprise security must encompass vendor risk management, as vendor risk is a key aspect of the overall enterprise risk management program. Each supplier can introduce various risks to your business strategy that may include reputational risk, financial harm, legal impacts, and much more. Remember: third-party weaknesses may become the cause of your next impact.
So what is your risk appetite? What is your process for performing appropriate due diligence on vendors before purchasing services or products? And do you reassess during the engagement or life of the contract? Do you have appropriate contract language to ensure the vendor secures the processes they use to store, process, and handle the data you may need to entrust to them? Does that vendor have a SOC 2, a Service Organization Controls report that provides detailed information on an organization’s non-financial reporting controls such as security, availability, confidentiality, and privacy? Should we start looking at fourth-party risks, such as your third-party supplier’s third parties?
My philosophy is that a tight integration between a corporate procurement organization and an enterprise risk management organization is key. Depending on the size of your organization, procurement may be a large team or an “other duties as assigned” task for someone. Either way, procurement is usually a part of the finance organization. Similarly, enterprise risk management may be a large team, a committee, or even an “other duties as assigned” task. Often, I see overall enterprise risk management as part of legal, security, or business administration.
Where risks are managed and processed is really up to your company. However, no matter the maturity or size of your company and these processes, it is key to consider segregation of duties between the buying arm(s) and the risk management arm(s). This segregation of duties is important – but tight collaboration and integration are also very important.
Vendor risk management, as a component of enterprise risk management, should be capable of assessing the risk of doing business with the prospective supplier. This would include the supplier’s capability for maintaining the same (or better) security posture as your organization is currently able to deliver. Do you have the ability to maintain a measurable/repeatable process for ensuring all of the appropriate supplier due diligence is collected, reviewed, and documented? Is it in a standard tool/process?
For many of NTT Security’s high-risk vendors, I request a copy of their recent SOC 2 report. I read the entire report, but I am particularly sensitive to the following areas:
- Description of systems or services. Is this report applicable and describing the system or services that I believe we are buying from this organization?
- Company overview. Is this company structured in a manner that I feel is appropriate for our ongoing strategic relationship?
- What controls are in place and do they meet or exceed the controls posture that I would have in place if I managed this system with internal resources?
- Complementary user entity controls. This is a big one, in my opinion, but I often see companies miss this section. It details the controls that the buyer is required to establish as their internal controls or procedures to complement those of the supplier.
- Tests of operating effectiveness. I review these sections to look for two types of items. What tests were performed to validate the controls AND what were the findings of these tests? Can I learn anything about how to better test my own environment? Can I implement any of these controls in other products or services that are delivered by an internal team? The applicability of this will vary based on the type of industry you are in.
Once you have implemented a vendor risk strategy, completed your due diligence of a supplier, and ranked the risk or risk categories of the supplier, it is then up to your legal and compliance teams to ensure you are managing, accepting, or deferring these risks during your contract review stage.
Lastly, my recommendation is to have processes in place for ongoing monitoring of the overall program. Have any products, services, recent events, or other strategic guidance changed that may impact the risk rating that was previously applied to a supplier? Has the supplier changed their controls or services, or had an incident that would suggest that you reconsider previous risk assessments?
Leveraging something similar to the Plan-Do-Check-Act (PDCA) cycle will help ensure that changes to your business risk appetite, business processes, or your supplier’s business will not have a negative impact on overall enterprise risks. Several techniques for monitoring your program include:
Review initial evaluation
- What has changed since the last review or initial evaluation?
- Was the previous assessment correct?
- Have assumptions changed over time?
- Has the supplier met their SLAs/SLOs?
- Has the supplier met the needs of the business?
- Has strategic business direction (for either you or the supplier) changed?
- Quality control metrics.
- Availability, reliability, performance of vendor.
- Surveys/questionnaires of internal users of the supplier’s products or services.
- Financial cost/market analysis.
- Comparison to current industry norms.
In conclusion, your security program and enterprise risk management program(s) are only as strong as your weakest link. Focus on a risk-based approach to manage your most critical vendors and your highest risk areas, and above all else, build processes that increase collaboration both internally with the various business partners and externally with your key suppliers.