Vendor risk management: What to consider when shopping for a VRM solution

A vendor risk management program could curtail third-party vendor-initiated data breaches. Here's what to look for in a VRM solution.


Vendor risk management (VRM) is not a new concept. My TechRepublic February 2016 article 5 best practices for reducing third-party vendor security risks looks at several ways to mitigate the risk of data breaches caused by third-party vendors. In that article, I was remiss in not defining VRM. Here's an excerpt of the definition from Gartner's IT Glossary:

"Vendor risk management (VRM) is the process of ensuring that the use of service providers and IT suppliers does not create an unacceptable potential for business disruption or a negative impact on business performance."

Cybercriminals' favorite attack vector

Third-party vendor (TPV)-initiated data breaches are becoming the go-to attack vector for cybercriminals. Ponemon Institute's third annual (2018) Data Risk in the Third-Party Ecosystem report supports this:

"Fifty-nine percent of respondents confirm that their organizations experienced a data breach caused by one of their third parties and 42 percent of respondents say they had such a data breach in the past 12 months."

The best practices mentioned in the TechRepublic article still apply today, but cybersecurity pros, now with much more experience, have additional thoughts about TPV security, in particular on how to use VRM to curtail that avenue of attack.


A fresh look at VRM tech

One such pro is Craig Callé, a data-security consultant and former CFO of Amazon's Digital Media and Books division. In his article Vendor Risk: The Second-Class Citizen of Cybersecurity, Callé takes a fresh look at VRM technology. Unfortunately, things look rather bleak.

"Other than in the heavily regulated banking and health care industries, vendor risk management remains cybersecurity's second-class citizen, getting far less attention than it deserves," begins Callé. "Attacks originating from insecure vendors and other third parties generate more than half of reported breaches, yet most companies under-address that source of vulnerability."


Why VRM is a second-class citizen

As to why VRM is not given the respect it deserves, Callé offers the following reasons:

  • No silver bullets: We want the "quick fix." But Callé suggests that people and processes are the big pieces of VRM--not technology. In other words, it's not a "plug and play" solution.
  • Silos are not helpful: Company departments--especially legal, procurement, and finance--tend to operate independently, which works against securing a business's sensitive information.
  • Confrontation required: If and when a weakness is discovered at a contracted TPV, members of the VRM team and/or upper management will have to confront those responsible at the TPV.
  • Conventional approaches have limitations: Traditional vetting and monitoring tactics, such as questionnaires, penetration testing, and on-site interviews, tend to be incomplete, inaccurate, and expensive, so upper management tends to judge them not worth the effort.
  • Limited pool of talent: Cybersecurity professionals are in short supply generally; professionals with VRM expertise are even scarcer.


What a mature VRM program looks like

There are plenty of VRM programs to choose from; that said, Callé cautions that no two platforms are alike. So, when shopping for a VRM program, it is important to consider the following.

Risks covered: Besides reducing risk related to cybersecurity, Callé feels the following risk factors are important:

  • How likely is the vendor to go bankrupt?
  • What safeguards are in place to minimize loss of reputation and prevent brand-value compromise?

Process ownership: Mature programs have clear ownership of processes and VRM team members from every department that likely will be affected by a data breach.

Vendor coverage: According to Callé, companies often lack a comprehensive inventory of their vendors. He writes, "The 80/20 rule applies to vendor risk management, so the vendor list should be bucketed into tiers, with greater resources applied to the more sensitive ones."

Coverage persistence: Immature programs, suggests Callé, investigate vendor issues after the fact, whereas mature programs schedule periodic assessments. He adds, "It is now possible to continuously monitor the external risk factors that indicate the potential for a data breach."

Service levels: Immature programs are unlikely to offer defined levels of service, whereas mature platforms let the VRM team establish service levels as needed.


VRM using a cyber-risk rating service

Cyber-risk ratings services can offer continuous monitoring of a TPV's security. "These firms measure all the risk factors that are visible from the outside, and can even predict a data breach," writes Callé.

Some other services offered by companies involved in cyber-risk rating--such as ProcessUnity, MetricStream, and the Santa Fe Group--are:

  • automating the VRM process through cloud-delivered platforms;
  • sharing vendor responses and other data among the service's members; and
  • allowing clients to access the rating services to identify and assess risks.

Final thoughts

Callé and other proponents of VRM consider the technology to be a competitive advantage. Another argument offered by Callé is, "Emerging technology and other resources, as well as regulations with stiff penalties, are motivating companies to give VRM the support it demands."
