Third-Party Risk Management – Make it a Service, Not a Roadblock
Since I started working in information security 16 years ago, I’ve never run across a company that doesn’t outsource some IT services. Many young companies I come in contact with today are all-cloud, with nothing in the office but a network switch and firewall/router. That’s if there is an office – I work with some virtual organizations that work entirely remotely.
That’s an awful lot of trust to put in third-party providers. Is it misplaced?
A 2018 study by the Ponemon Institute reported that “fifty-nine percent of respondents confirm that their organizations experienced a data breach caused by one of their third parties, and 42 percent of respondents say they had such a data breach in the past 12 months. Additionally, 22 percent of respondents don’t know if they had a third-party data breach in the past 12 months.”[1] Among US companies alone, 61% reported a breach of their data caused by a vendor.
So you’d think organizations would care about this. I see two groups. As a virtual CISO, most of the companies I’ve served had no formal vendor risk management program, and the smaller the company, the less likely they even knew they could ask about security risk. As a member of several professional peer groups, it appears that my peers who are full-time permanent CISOs do run mature third-party risk management programs, but these are typically more prominent organizations.
Yet conversations about how those programs are run lead me to conclude that I disagree with their objectives and approaches. Perhaps that’s a reflection of one of my earliest experiences on the other end of the assessment – as the vendor.
My First Taste of Vendor Risk Management – As a Vendor
In my early days as the head of information security at a large commercial real estate firm, customer due diligence questionnaires on security were 10-15 questions long. Most customers didn’t ask – they simply put their security requirements in the Master Service Agreements. The big shock came when a potential customer – a large investment bank – was considering us for management of its properties worldwide, and they were coming on-site for three days of questions, first on our practices and then for an inspection of our data centers in two cities.
Their first question was, “How do you assess the security qualifications of your vendors?” Our response was that we reviewed the SOC 2s. The assessor’s response was, “And you believe that crap?” It went downhill from there. Although we got the contract, the experience left me with my first impression of third-party risk assessments: Beat them seriously about the head and shoulders and identify every possible risk in their handling of your data.
Remember – Vendors Are Critical to the Success of the Business
One of the most important values to keep as a leader of an information security function is that we’re here to enable the business. To do that, we have to understand the business and every function that makes up the organization. Thinking about some recent and current clients:
- An early-stage biotech outsourced lots of IT, some of its early research (some to China!), and all of its clinical trials. Why? They could not afford to do all the research in-house at current scientist salaries, run all of the IT services at costs below cloud service prices, and operate with privacy practices that meet HIPAA requirements. Their startup funding simply couldn’t cover that. So their strategy was to outsource certain investigations to contract research organizations (CROs), which they chose wisely.
- A private equity firm outsources industry research and industry-specific consulting services because those outside firms have knowledge that the company could never afford to develop in-house. Making sound investments and timing divestments well depended on it. The firm chose carefully and established good working relationships.
The key lesson: They loved their vendors and didn’t want the third-party risk assessment process to damage the relationships – or the potential relationships for candidate vendors. So why should we make it complicated?
Help Vendors Reduce Risk
We’re here to enable business, and if a vendor otherwise brings low business risk and low risk of failure to perform, we should work to reduce information risk, not raise red flags. Consider the following practices:
- Pick a good industry-recognized questionnaire, and help the vendor if they don’t understand a question or how it relates to the proposed service.
- Interpret results in the context of the service provided and the sensitivity of what they’ll access. Suppose a vendor’s SaaS offering suffers DDoS attacks regularly, but you’re going to run their application in-house; what does that finding matter to you?
- Scale appropriately. Small consulting teams with no technology infrastructure warrant a simpler set of questions about “table stakes” – anti-malware, patched laptops, email protection, multi-factor authentication (MFA), laptop encryption, and social engineering training. Simplify the questionnaire, or maybe just give them guidelines.
- Develop your internal report guided by questionnaire results, discarding issues and bad answers that don’t matter to the business, and set your assessed risk accordingly. If you use a third-party vendor risk management service that gives you a canned report, interpret it for the internal client so the irrelevant issues get little weight. Either way, give the vendor relationship holder a bespoke risk rating and explain what’s relevant to them.
- If the business really likes the vendor, act like a consultant. Arrange to meet with the vendor to suggest ways in which they can improve their practices at a cost that they can live with. Young and aggressive companies like young vendors with fresh methods, so help these young vendors develop by giving them advice that can improve their practices for all their clients and prospects. Or, find ways to build compensating controls into your own practices.
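The practices above amount to a scoring rule: discard questionnaire findings that don’t apply to how the service is consumed, weight what remains by the sensitivity of the data involved, and hand the relationship holder a rating. The following Python is an added illustration of that rule, not a tool from this post or any vendor risk service; the control names, category labels, sensitivity multipliers, and rating thresholds are assumptions chosen for the example, and the findings fed in are constructed.

```python
"""Contextual vendor risk rating (added example, not the author's tool).

Findings from a questionnaire are only counted when they matter for the
service actually being bought; everything else is reported as discarded so
the relationship holder can see why it carried no weight.
"""
from dataclasses import dataclass

# Assumed multiplier for the sensitivity of what the vendor will access.
SENSITIVITY_WEIGHT = {"public": 0.5, "internal": 1.0, "confidential": 2.0, "regulated": 3.0}

# Assumed "table stakes" controls that matter even for a small consulting team
# that has no infrastructure beyond laptops and email.
TABLE_STAKES = {"anti_malware", "patching", "email_protection",
                "mfa", "disk_encryption", "security_training"}

# Assumed score thresholds for the bespoke rating.
HIGH_THRESHOLD, MEDIUM_THRESHOLD = 15, 6


@dataclass
class ServiceContext:
    vendor_hosts_data: bool          # True for SaaS; False if we run their software in-house
    data_sensitivity: str            # key into SENSITIVITY_WEIGHT
    vendor_has_infrastructure: bool  # False for a consulting team with no servers of its own


@dataclass
class Finding:
    control: str   # e.g. "mfa", "ddos_protection" (assumed names)
    category: str  # "hosting", "availability", "endpoint", "people", "monitoring"
    severity: int  # 1..5 as judged from the questionnaire answer


def is_relevant(finding: Finding, ctx: ServiceContext) -> bool:
    """Decide whether a finding touches the service as we will consume it."""
    # Their data-centre and uptime problems don't reach an in-house deployment.
    if not ctx.vendor_hosts_data and finding.category in {"hosting", "availability"}:
        return False
    # A team with no infrastructure only gets the table-stakes questions.
    if not ctx.vendor_has_infrastructure and finding.control not in TABLE_STAKES:
        return False
    return True


def rate_vendor(findings: list, ctx: ServiceContext) -> dict:
    """Return a bespoke rating plus the findings that did and did not count."""
    relevant = [f for f in findings if is_relevant(f, ctx)]
    discarded = [f for f in findings if not is_relevant(f, ctx)]
    weight = SENSITIVITY_WEIGHT[ctx.data_sensitivity]
    score = sum(f.severity for f in relevant) * weight
    if score >= HIGH_THRESHOLD:
        rating = "High"
    elif score >= MEDIUM_THRESHOLD:
        rating = "Medium"
    else:
        rating = "Low"
    return {
        "rating": rating,
        "score": score,
        "relevant": [f.control for f in relevant],
        "discarded": [f.control for f in discarded],
    }


# Constructed findings for one vendor: frequent DDoS on their SaaS, no MFA.
SAMPLE_FINDINGS = [
    Finding("ddos_protection", "availability", 4),
    Finding("mfa", "endpoint", 5),
]

if __name__ == "__main__":
    # Same vendor, two ways of consuming the service.
    in_house = ServiceContext(vendor_hosts_data=False, data_sensitivity="confidential",
                              vendor_has_infrastructure=True)
    saas = ServiceContext(vendor_hosts_data=True, data_sensitivity="confidential",
                          vendor_has_infrastructure=True)
    print("in-house:", rate_vendor(SAMPLE_FINDINGS, in_house))
    print("SaaS:    ", rate_vendor(SAMPLE_FINDINGS, saas))
```

Run stand-alone, the script rates the same questionnaire answers Medium when the application is deployed in-house (the DDoS finding is discarded) and High when the vendor hosts the data, which is the contextual interpretation the list above asks for. The `discarded` list is what you would show the internal client when explaining why a canned report’s red flags carried no weight.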
Run your third-party risk management process as a service to the organization, not as an obstacle to business and not as an obstacle to good vendor relations. Your internal clients will love you for it. If you would benefit from guidance on third-party risk management, contact us.
[1] Data Risk in the Third-Party Ecosystem: Third Annual Study, Ponemon Institute, 2018.