As cyber threats become more sophisticated and complex, businesses need to ensure not only that they themselves are secure, but that their vital partners, suppliers and vendors are protecting themselves as well. According to the 2015 Verizon DBIR, 70 percent of observed cyber attacks involved a secondary victim. To avoid being blindsided, organizations are beginning to monitor the security of their third parties to reduce the likelihood of a data breach.
Gartner estimates that around 10 percent of companies have formalized IT risk management programs, but that the figure will grow to 40 percent by 2018. If you’re just beginning to implement a vendor risk management (VRM) program, BitSight Technologies has identified 10 frequently asked questions to help you get started.
Implementing a VRM Program
How long does it take to implement a VRM program?
This, of course, varies. The first step in developing a vendor risk management program is to create a strategy. Once that is in place, you can decide which method(s) you will use to monitor your vendors’ security posture. You also have to determine which vendors present the most risk, which in practice means which vendors hold your most sensitive data or have the deepest access into your environment, so that monitoring can be prioritized by level of risk. If you have a thousand vendors but only 10 have access to your network or other sensitive information, you want to know which 10 they are.
This process, while critical, is neither easy nor fast. If you are the person tasked with compiling the list of these vendors, you first have to find the existing lists (keeping in mind that there are probably many scattered throughout the organization) and then work out how important each vendor is. That judgement is usually based on conversations with the departments that own the relationship, or on researching what the vendor actually does for you. Expect this to take weeks or months.
Once the strategy exists, you will need to review your existing contracts. This is also a lengthy process that can take weeks or months. Questionnaires consume a large chunk of time as well: you have to develop one (in-house, through a consultant, or by adopting a standard such as Shared Assessments), send it to the vendor, give them a deadline for completion (two weeks or two months, for example), and then review the answers.
Should I do questionnaires? If so, when should I send them out, and how often?
A questionnaire is a good way to get a sense of the security measures and procedures your vendor has in place. These surveys vary dramatically in length: some run to 10 questions, some to a hundred, and others to several hundred. The length of the questionnaire and the depth of its questions should scale with the risk the vendor poses. Imagine for a moment that you are Coca-Cola and one of your vendors holds the secret formula for Diet Coke. You are going to want to ask that vendor a great many questions to satisfy yourself that the formula is protected.
The optimal time to send a questionnaire is when you are on-boarding a vendor. The frequency after that varies. Some companies send a shorter follow-up questionnaire annually, while others simply require vendors to report significant changes to them as they happen. Either way, you want to be told when your vendor makes a large change (for example, if it stops performing an important function in-house and outsources it to a third party of its own).
Do I have to implement a VRM program for all of my vendors or just the most critical?
If you have unlimited resources to spend on a VRM program, you can monitor every single one of your vendors. That is unlikely to be your situation, so most organizations should start with their most critical vendors. To do that, you need to rank vendors by the security risk they pose. This is where most companies get into trouble, so do not underestimate the importance of this step.
Take Target, for example. It probably had a VRM program before its infamous 2013 breach, but that program seemingly did not cover its HVAC vendor. What Target had not taken into account was how much access it had actually granted that particular vendor; the extent of that access is what made the vendor critical, regardless of how sensitive the data it handled directly appeared to be. Let that be a lesson: criticality is driven not only by the sensitivity of the data a vendor can reach, but by the amount of access it has into your network as well.
How much will I need to work with our legal counsel to develop a program? Aren’t my vendors legally obligated to share security information with me?
One of your legal team’s main priorities will be to establish a disclosure obligation with your vendors. Pretend once more that you are Coca-Cola. If a vendor is breached and loses customer data or other personal information, breach-notification laws protect the customer: you are legally required to tell a customer if their information, such as a credit card number, has been compromised. But what happens if a vendor is breached and the secret formula for Diet Coke is exposed? Is the vendor legally bound to tell you, Coca-Cola? Not in general. Those laws protect the customer, not you, so the vendor is obliged to notify you only if a contract says so.
This is why your legal team needs to be intimately involved in the VRM process. You need your vendors to be contractually bound to inform you of any incident that affects your security posture. Your contracts are also where you specify how your data must be protected, and if the vendor fails to comply, they give you grounds to take legal action.
What standards should I have my vendors meet? How do I know they’re meeting them?
This depends almost entirely on your industry. If you are in healthcare, you will want to ensure that vendors handling protected health information meet HIPAA requirements; if you are in financial services, you will need to meet OCC guidance on third-party relationships, PCI DSS requirements for cardholder data, and so on.
To ensure that your vendors are meeting standards, your lawyers and IT department will work together to determine:
- How sensitive the data is.
- What standards your industry dictates your vendors must meet, and what company standards you’d like them to meet.
- How to determine if they’ve met those standards.
All of this comes down to continuous monitoring. Until recently, it was nearly impossible to monitor a vendor’s security in anything close to real time from outside its network. Unless the vendor actually let you come on-site and watch its network directly (unlikely), you had no way of knowing what was going on between assessments.
What’s the average size of a VRM program? How many people do I need internally?
Regardless of the size of your organization, you’ll need someone (or several people) to monitor your VRM program. Your company’s third-party risk exposure will determine whether this is one person’s part-time job, one person’s full-time job, 10 people’s jobs or dozens of people’s jobs.
Who should my main contact be with my vendor?
You should expect to have one individual at the vendor who is responsible for managing the risk to your organization’s data. This person is your point of contact whenever there is a problem and should be able to obtain relevant information quickly at any point. Depending on how the vendor has organized itself, this could be a lawyer, an IT security person, the chief information officer, or someone else entirely. What matters is that you can rely on this person to bring the appropriate people together if an incident occurs, and that he or she has specific insight into IT operations, the security controls in place, and the terms of your contract.
When should I go on-site to meet with my vendor?
For some vendors, you can do business all in writing, though many require phone conversations (desk assessments). Depending on the strategic nature of the relationship and the goods or services delivered, on-site visits may be warranted, both during vendor selection and for ongoing relationship management. According to the OCC, “On-site visits may be useful to understand fully the third-party’s operations and capacity.”
The important thing here is to make sure you are focusing your scarce resources and travel budget on visiting those vendors that are most strategic to your business and/or have the highest levels of network access.
Why aren’t penetration tests or questionnaires adequate?
Penetration tests and questionnaires are useful, but each gives you a point-in-time view: a penetration test shows the state of the vendor’s systems on the day it was run, and a questionnaire records what the vendor says about its own controls. Neither provides ongoing insight into the vendor’s actual network security posture. Continuous monitoring tools address that gap by observing the vendor’s externally visible posture over time; they complement the other two rather than replace them.
Is VRM actually important? Is anyone else actually doing this?
Not everyone is doing it yet, but many are. Some sectors, notably financial services, have been monitoring vendor risk for a very long time. There are two factors to keep in mind here:
- The regulatory environment is changing, and more and more, regulators are recommending, and in many cases requiring, VRM programs.
- As more companies recognize third-party risk, in part because of recent highly publicized breaches, they are placing more focus and resources on developing VRM programs. In a way, everyone is a third party to somebody else. Even if you are not monitoring your vendors, you can be sure someone is monitoring you. Given the risks present today, everyone is asking their vendors about security posture.
The bottom line is that vendor risk management is both important and necessary.