Strategically Manage Vendor Risk And Cybersecurity Posture



VENDOR RISK MANAGEMENT PROVIDES VALUE EVEN BEFORE RISK EVENTS OCCUR. IT REDUCES THEIR LIKELIHOOD AND SEVERITY, AND IT WILL REASSURE CUSTOMERS AND PARTNERS WHO WANT TO SEE YOUR RISK PROFILE BEFORE INVESTING OR TRANSACTING.

Cleverly manage those that manage your sensitive data

Why does Vendor Risk Management matter?

For most modern businesses, Vendor Risk Management (VRM) is increasingly important as the number of cyberattacks and data breaches suffered by organizations large and small continues to grow. These risks will no doubt continue and almost certainly intensify in their frequency, sophistication and severity.

Businesses that can’t protect their data face the prospect of losing the value they can generate from it. Worse, they face potential financial, reputational and legal harms if they are breached and the data stolen, not to mention the harms done to the subjects of the data breach.

Yet for all their significance, many companies remain vulnerable to these attacks. In its October 2017 Global State of Information Security Survey (GSISS), PwC notes that while breaches have become more common, “many organizations worldwide still struggle to comprehend and manage emerging cyber risks in an increasingly complex digital society. As our reliance on data and interconnectivity swells, developing resilience to withstand cyber shocks has never been more important.”[1]

Vendor Risk Management focuses its attention on managing the risks emerging from third- and even fourth-party vendors. Unlike SRM, which focuses on physical supply chains, VRM focuses on “logical” or “information” supply chains.

Critically, Vendor Risk Management is an important tool for protecting data. As the global economy and the companies, governments and other organizations it comprises become increasingly digitized, we are gathering more data on customers and employees alike – shopping histories, browsing and reading habits, health and legal information, and more. This data is a rich source of value, so managing the risks around it is vital.[2]

And businesses are not prepared. PwC further notes that 44% of respondents to its GSISS survey don’t have an information security strategy in place, and 39% expect “loss or compromise of sensitive data” to be a consequence of a successful cyberattack.[2]

Third-party vendors like AWS, Google, and Microsoft offer cloud-based services that play a key role for many modern organizations. They provide backup, storage, computing, analytics, business process automation, information publishing and more using consumption-based, “as-a-service” (aaS) delivery models. They also integrate with “on-premises” systems to create hybrid services in cases where important data, highly sensitive data or processes must be stored or handled locally.

BEING COMPLIANT IS NOT THE SAME AS BEING SECURE.

It’s a model that’s only going to grow. Research by IDC found that “the global public cloud services market grew by 28.6% year over year in the first half of 2017 … Organizations not on the public cloud will be increasingly isolated.”[3] This is a slow burn – businesses have been sharing and processing data for some time and it’s now occurring on a vast scale, which makes managing these relationships, and the risks attached to them, more important than ever.

As always, the starting point is to cleverly integrate effective risk management practices into your internal systems and processes. These practices should then be extended to the third parties that you deal with. Such measures come to the fore in highly regulated industries, but even in less-regulated (or non-regulated) verticals, businesses must guard themselves against exposure to vendor-based risk.

A DATA BUSINESS IS A RISKY BUSINESS

Customer data safety is a critical risk factor, and if you suffer a risk incident, customers won’t discriminate between your company and its vendors – they’ll blame you. That means your reputation and finances, not those of your vendors, will bear the brunt of the damage. This includes immediate harms – including possible loss of existing customers, contracts and partners, legal or regulatory penalties, increased insurance costs and a hit to your reputation – as well as the opportunity cost of future harm, as customers may be reluctant to trust you with their business (funds, data, relationships).

For example, credit services company Equifax’s data breach, which has affected as many as 143 million customers, “may cost the company hundreds of millions of dollars and hurt its reputation for years to come,” according to CNBC.[4] Similarly, the fallout – in terms of reputational and financial losses – attending other high-profile data breaches, such as those suffered by Home Depot (more than $179 million[5]), Sony ($99 million in losses and a 10% drop in share price[6]) and Target (nearly $300 million[7]), has been well-documented.

If your business shares information with third parties, it’s vital that your risk management encompasses their activities too. Verizon notes in its Data Breach Digest that to manage and control risk, “you must first assess it accurately,” and also highlights the importance of holding “complete knowledge of all information assets”.[8] This includes knowledge of where, how and how securely they’re holding your data. Only a vendor risk management program can provide you with the proper oversight into your extended vendor network’s risks.

If a risk event does occur, Vendor Risk Management plays a critical role. In such events, the crisis communication playbook is clear: transparency and immediacy are paramount; customers, insurers, investors, regulators and legal bodies alike all want to know what happened and how it’s being remediated. Effective VRM processes will help you gather the information you need to identify the problem and implement a solution. And harms may be reduced if you can demonstrate due diligence in risk management, for example through records like audit trails and certifications, process maps and vendor compliance reports.

But VRM provides value even before risk events occur. In part, this is due to the role it plays in reducing their likelihood and severity. Customers and potential partners are themselves becoming more risk-aware, and may want to know about your organization’s risk profile before investing or transacting.

What does effective Vendor Risk Management look like?

Many data breaches are due to companies thinking that being compliant is the same as being secure. While it’s true that the two are closely linked, taking a by-the-numbers approach to compliance won’t deliver the best results. We recommend starting with security and risk assessments, as many security frameworks and compliance frameworks have similar requirements and controls. This should place your organization well on the path to compliance. It should also mean that if further measures are needed to ensure full compliance with the standards relevant to your industry, then you should have a strong base on which to create them.

For any organization that collaborates and shares data with third parties, third-party vendor risk management is an essential part of an effective security and compliance regime. The key challenges it must meet include:

- Maintaining control over customer and employee data
- Building confidence that third parties are treating data securely (including verification)
- Ensuring your customers trust you with their data
- Ensuring you’re not lagging behind your competitors on customer data security
- Managing vendors and keeping the right mix (out with the old, in with the new)

WITH RISK COMES OPPORTUNITY

As with virtually any aspect of risk management, there is opportunity as well as hazard. Thinking of risk management as simply a matter of process and compliance loses sight of the ways in which effective risk management can generate competitive advantage. In particular, third-party risk management can help your business take full advantage of the benefits, while minimizing the downsides, of an outsourced or aaS IT business model. These advantages include:

- Reduced risk by creating a preferred vendor list
- Improved time to communicate with customers to demonstrate that you deserve their trust
- Enhanced competitiveness: with vendors, by establishing minimum performance requirements; with buyers, by displaying proof of your improved security posture (certifications, etc.)

Organizations that take a proactive approach to third-party vendor risk management should find that these advantages translate into a more stable and profitable market presence. They should also, over time, experience the benefits of improved customer trust and even customer advocacy. This is the foundation for any successful business and is crucial to its ongoing success.

A Five Step Process for Creating a Balanced Portfolio of Security Products

Adapted from Forbes, “How CISOs Can Create A Balanced Portfolio Of Cybersecurity Products”, March 2017.

01 DETERMINE NEEDS: To look beyond perimeter defense, identify the types of attacks that are most likely.
02 ALLOCATE SPENDING FOR RISK MANAGEMENT: Decide how much you should allocate to each type of risk you may encounter, starting with technologies that hold sensitive data like PII.
03 DESIGN YOUR PORTFOLIO: Determine which capabilities will protect and defend what you already have in place.
04 SELECT INNOVATIVE TECHNOLOGY: Find products that will deliver the needed capabilities for the best value and ensure they have an innovative road map.
05 STAY AGILE: Keep track of changes to your business, to the threat landscape and to product innovations, and recenter as needed.

Picking the right Vendor Risk Management solution

How best, then, to implement a strong VRM automation tool? First, it’s important to implement a modern digital risk management platform. Old-school techniques, like using customized spreadsheets, don’t offer the flexibility that’s needed, and they can’t automate important processes like data gathering and analysis.

There are numerous software platforms available, each with specific strengths and capabilities. Gartner[9] suggests that, absent other company-specific requirements, a good solution should include these capabilities and tools:

- Risk assessment process and workflows
- Collaboration
- Contract management
- Control assessment and monitoring
- Exception management
- History
- Access and user controls
- Remediation management
- Third-party content delivery
- Vendor performance management
- Vendor profile management

Many different vendor risk management solutions are available, featuring a range of capabilities, add-ons and industry-specific functions. But a good supplier will offer more than just a technology platform. You should look for an organization that’s willing to become a trusted ally.

A good supplier will help your organization plan its vendor risk management implementation. This includes: assessing your current situation; identifying any gaps or weaknesses a malicious actor could exploit; providing tools for evaluating your third-party suppliers; and so on. It will also help with the rollout, not just in terms of the technology platform but also with messaging and training, and of course supply ongoing support, upgrades and advice.

CUSTOMERS WON’T DISCRIMINATE BETWEEN YOU AND YOUR VENDORS IF YOU SUFFER A RISK INCIDENT. THEY’LL BLAME YOU, AND IT’LL BE YOUR REPUTATION AND FINANCES THAT TAKE THE HIT.

FINDING THE RIGHT SUPPLIER

Many organizations simply don’t know how well they can trust third-party vendors with their own customers’ personal data unless they have a VRM program in place. An effective third-party vendor management implementation will help you ally with reputable third parties, verify their capabilities and move your business forward with a single, unified, accurate understanding of your risk posture “truth.”

Conclusion

Such a suite of risk, relationship and performance management tools, in combination with the ability to provide meaningful analytics and produce insightful, easy-to-understand reports and business intelligence, should enable you to manage your vendors and ensure they’re managing your data – customer, financial, transactional and other – as carefully and securely as you are.

REFERENCES

1. PwC, 2017, Strengthening digital society against cyber shocks: Key findings from The Global State of Information Security Survey 2018.
2. PwC, CIO and CSO, 2017, The Global State of Information Security Survey 2018.
3. IDC, 2017, Worldwide Semiannual Public Cloud Services Tracker.
4. CNBC, 8 September 2017, ‘Equifax shares plunge the most in 18 years as Street says breach will cost company hundreds of millions’.
5. Web Titan, 14 March 2017, ‘Cost of a Retail Data Breach: $179 million for Home Depot’.
6. Egnyte, 12 June 2017, ‘How Much Does a Data Breach Cost a Business?’.
7. The SSL Store, Hashed Out, 26 May 2017, ‘Cost of 2013 Target Data Breach Nears $300 Million’.
8. Verizon Enterprise, September 2017, ‘Data Breach Digest Update: Data ransomware – the Catch 22’.
9. Gartner, 2017, Magic Quadrant for IT Vendor Risk Management. Note that Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

About SAI Global

SAI Global helps organizations proactively manage risk to create trust and achieve business excellence, growth, and sustainability. Our integrated risk management solutions are a combination of leading capabilities, services and advisory offerings that operate across the entire risk lifecycle, allowing businesses to focus elsewhere. Together, these tools and knowledge enable clients to develop an integrated view of risk. To see our tools in action, request a free demo.

We have global reach with locations across Europe, the Middle East, Africa, the Americas, Asia and the Pacific. For more information visit www.saiglobal.com/SAI360.

SAI Global ABN 67 050 611 642. © 2018 SAI Global. The SAI Global name and logo are trademarks of SAI Global. All Rights Reserved.
