Vendor risk management: What to consider when shopping for a VRM solution

Vendor risk management (VRM) is not a new concept. My TechRepublic February 2016 article 5 best practices for reducing third-party vendor security risks looks at several ways to mitigate the risk of data breaches caused by third-party vendors. In that article, I was remiss in not defining VRM. Here's an excerpt of the definition from Gartner's IT Glossary:

Cybercriminals' favorite attack vector

Third-Party Vendor (TPV)-initiated data breaches are becoming the go-to attack vector for cybercriminals. Ponemon Institute's third annual (2018) Data Risk in the Third-Party Ecosystem report adds credence to this:

The best practices mentioned in the TechRepublic article still apply today, but cybersecurity pros, now with considerably more experience, have additional thoughts on TPV security, in particular on how VRM can be used to curtail that avenue of attack.


A fresh look at VRM tech

One such pro is Craig Callé, a data-security consultant and former CFO of Amazon's Digital Media and Books division. In his CFO.com article Vendor Risk: The Second-Class Citizen of Cybersecurity, Callé takes a fresh look at VRM technology. Unfortunately, things look rather bleak.

"Other than in the heavily regulated banking and health care industries, vendor risk management remains cybersecurity's second-class citizen, getting far less attention than it deserves," begins Callé. "Attacks originating from insecure vendors and other third parties generate more than half of reported breaches, yet most companies under-address that source of vulnerability."


Why VRM is a second-class citizen

As to why VRM is not given the respect it deserves, Callé offers the following reasons:


What a mature VRM program looks like

There are plenty of VRM programs to choose from; that said, Callé cautions that no two platforms are alike. So, when shopping for a VRM program, it is important to consider the following.

Risks covered: Besides reducing risk related to cybersecurity, Callé feels the following risk factors are important:

Process ownership: Mature programs have clear ownership of each process, and the VRM team includes members from every department likely to be affected by a data breach.

Vendor coverage: According to Callé, companies often lack a comprehensive inventory of their vendors. He writes, "The 80/20 rule applies to vendor risk management, so the vendor list should be bucketed into tiers, with greater resources applied to the more sensitive ones."

Coverage persistence: Immature programs, suggests Callé, investigate vendor issues after the fact, whereas mature programs schedule periodic assessments. He adds, "It is now possible to continuously monitor the external risk factors that indicate the potential for a data breach."

Service levels: It's unlikely immature programs offer levels of service, whereas mature platforms allow the VRM team to establish service levels as needed.


VRM using a cyber-risk rating service

Cyber-risk ratings services can offer continuous monitoring of a TPV's security. "These firms measure all the risk factors that are visible from the outside, and can even predict a data breach," writes Callé.

Some other services offered by companies involved in cyber-risk rating, such as ProcessUnity, MetricStream, and the Santa Fe Group, are:

Final thoughts

Callé and other proponents of VRM consider the technology to be a competitive advantage. Another argument offered by Callé is, "Emerging technology and other resources, as well as regulations with stiff penalties, are motivating companies to give VRM the support it demands."
