We’re running a blog post series on the “Seven Deadly Sins of Third-Party Cyber Risk Management”; here’s the fifth deadly sin: not knowing your vendors.
Did you miss the other installments? Get caught up here:
- First Deadly Sin: Believing you can outsource risk
- Second Deadly Sin: Failing to make third-party risk management about business risk management
- Third Deadly Sin: Not measuring and reporting risk and risk outcomes
- Fourth Deadly Sin: Failure to address information security in third-party contracts
There is a reason the NIST Cybersecurity Framework puts Asset Management (ID.AM) first within its Identify function: you can’t manage what you don’t know you have. The same applies to third-party risk. You can only manage the risk of the vendors you know about, so the more of your vendor population you have identified, the more of your third-party risk you are actually in a position to manage.
If your third-party risk program is new, you must decide how to roll out the program across the vendor population. If your program is well-established, you must make sure you are covering the corners of the organization where vendors can be engaged without ever passing through the program.
For new vendor risk programs, discover and bring vendors under management in stages, rather than attempting to identify them all at once. Consider starting with new vendors, then expanding coverage to existing vendors through the contract renewal process. This approach provides two primary benefits. First, it gives you a natural method for growing your program over time, rather than trying to swallow the entire vendor population at once. Second, new vendors are the most motivated to comply with your risk management process, because they want to win your business.
Over a few years, by managing new vendors and picking up existing vendors as their contracts renew, you will cover the vast majority of your vendors. Then comes the challenge of digging out the vendors that have slipped past the established process. We’ve seen a couple of interesting approaches to ferreting out vendors from the corners of the organization.
One company we work with conducts a monthly reconciliation of the accounts payable database against their vendor risk management database. Any vendor that is being paid but is not in the risk management database is flagged for inherent risk review and treated accordingly. Accounts payable is a good source of truth for this because a vendor can bypass procurement or security, but it rarely bypasses getting paid.
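The reconciliation described above, as an added example that is not code from the original post or from the company it describes. It assumes two CSV exports (an accounts-payable vendor list with columns `vendor_id`, `vendor_name`, `amount_paid`, and a TPRM inventory with `vendor_id`, `vendor_name`, `inherent_risk`); the column names, the legal-suffix list, and the sample rows are all constructed assumptions. The part the paragraph does not show is the matching: the two systems rarely agree on vendor identifiers or spelling, so the script matches on vendor ID where both sides have one and falls back to a normalized name, and it aggregates spend per vendor so the flagged list can be triaged by how much business each unmanaged vendor handles.

```python
"""Reconcile an accounts-payable (AP) vendor export against a third-party
risk management (TPRM) inventory and list vendors the risk program has
never seen. Added example; the sample data and column names are constructed."""

import csv
import io
import re
from collections import defaultdict

# Constructed sample exports. They show the usual mismatches between systems:
# different capitalization and punctuation, legal suffixes present in one
# system and absent in the other, and a TPRM record with no AP vendor_id
# because it was entered by hand.
AP_EXPORT = """vendor_id,vendor_name,amount_paid
V-1001,Acme Cloud Services Inc.,120000
V-1001,Acme Cloud Services Inc.,30000
V-1002,"Bright Payroll, LLC",45000
V-1003,Shred-It Document Destruction,800
V-1005,Nimbus Analytics Ltd,9500
V-1005,Nimbus Analytics Ltd.,2500
"""

TPRM_EXPORT = """vendor_id,vendor_name,inherent_risk
V-1001,ACME CLOUD SERVICES,High
,Bright Payroll LLC,Medium
"""

# Trailing legal-form tokens that one system may record and another omit
# (assumed list; extend for your jurisdictions).
LEGAL_SUFFIXES = {"inc", "incorporated", "llc", "ltd", "limited", "corp",
                  "corporation", "co", "company", "gmbh", "plc"}


def normalize_name(name: str) -> str:
    """Lowercase, replace punctuation with spaces, strip trailing legal suffixes."""
    tokens = re.sub(r"[^a-z0-9]+", " ", name.lower()).split()
    while tokens and tokens[-1] in LEGAL_SUFFIXES:
        tokens.pop()
    return " ".join(tokens)


def load(csv_text: str) -> list[dict]:
    """Parse a CSV export into a list of row dicts keyed by header."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def find_unmanaged_vendors(ap_rows, tprm_rows):
    """Return AP vendors absent from the TPRM inventory, highest spend first.

    A vendor counts as managed if its AP vendor_id appears in TPRM or, failing
    that, if its normalized name does. Spend is aggregated per vendor so the
    flagged list can be prioritized for inherent risk review.
    """
    managed_ids = {r["vendor_id"] for r in tprm_rows if r["vendor_id"]}
    managed_names = {normalize_name(r["vendor_name"]) for r in tprm_rows}

    spend = defaultdict(float)
    display_name = {}
    for row in ap_rows:
        # Prefer the AP identifier; fall back to the normalized name when missing.
        key = row["vendor_id"] or normalize_name(row["vendor_name"])
        spend[key] += float(row["amount_paid"])
        display_name.setdefault(key, row["vendor_name"])

    unmanaged = []
    for key, amount in spend.items():
        if key in managed_ids or normalize_name(display_name[key]) in managed_names:
            continue
        unmanaged.append({"vendor_id": key, "vendor_name": display_name[key],
                          "amount_paid": amount})
    return sorted(unmanaged, key=lambda v: v["amount_paid"], reverse=True)


if __name__ == "__main__":
    for v in find_unmanaged_vendors(load(AP_EXPORT), load(TPRM_EXPORT)):
        print(f'{v["vendor_id"]:8} {v["vendor_name"]:32} '
              f'{v["amount_paid"]:>10,.2f}  -> flag for inherent risk review')
```

On the sample data this flags Nimbus Analytics (two AP records under one ID, 12,000 combined) ahead of Shred-It (800), while Acme is matched by ID and Bright Payroll by normalized name despite the differing punctuation and suffix. Name matching is deliberately a fallback: it can produce both false matches (two different vendors with similar names) and misses (a legitimately renamed vendor), so treat the output as a review queue for the risk team rather than as an automatic verdict.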
Most importantly, don’t hold off on managing third-party risk until you know all of your vendors; get going with the resources you have. Prove value with the vendors you do manage, build the case for more resources, and repeat. Along the way, give executive management an honest estimate of the size of the vendor population that is still unmanaged, so the residual risk is visible rather than assumed away.
Want to read about the other deadly sins?