Orchestrating a Vendor Risk Management Symphony
Published on March 16, 2020
Blog Post by Cliff Baker, CEO at CORL Technologies
Effective vendor risk management programs require artful choreography between internal and external stakeholders, processes, and tools. Business owners and security teams must be armed with the most accurate and timely information available in order to make informed decisions and drive remediation for identified vendor security risks.
The symphony of successful vendor security risk management is not one that can be played alone or with one kind of instrument. Collaboration is necessary to bring together proven vendor risk playbooks and processes, automation and intelligence solutions, and security and compliance teams with the right blend of training and experience to achieve measurable vendor risk reduction.
CORL has had the privilege of launching and supporting over 120 vendor risk programs for healthcare entities for the better part of the last decade. We have learned that the best outcomes are achieved when organizations are able to glue together the capabilities of technology platforms like cyber risk scoring solutions and GRC platforms with dedicated teams that can evaluate, report, and realize risk reduction across their entire vendor portfolio.
I am excited about the process integrations that CORL has been able to develop on behalf of our clients with industry leading technology solutions like BitSight, RiskRecon, SecurityScorecard, OneTrust, Whistic, RSA Archer, Galvanize (Rsam), ServiceNow, and LockPath to name only a few.
These solutions can be game changers to accelerate and scale vendor security programs when integrated with the right expertise, resources, and well-designed and executed processes.
We have also learned over the years, however, that collecting vendor risk data is not enough to realize vendor risk reduction. Data may represent the individual music notes necessary to generate musical sounds, but it is the arrangement and performance of these notes that produces effective and evocative musical experiences. The performance of a well-tuned vendor security program needs to include activities such as:
- Process and information hand-offs between procurement, security, business owners, and legal
- Establishing communication protocols including escalation with business owners and vendors
- Validating vendor control data to manage vendors that respond with what you want to see rather than accurate information about their control environment
- Streamlining and tailoring questionnaires based on the risk profile of the vendor and the client
- Evaluating critical security controls that may not be visible through external VRM/cyber-rating technology solutions, including incident response, secure development lifecycle, subcontractor oversight, background checks, privacy controls, and more
- Navigating legal communications with vendors including NDAs
- Investigating cyber risk alerts
- Holding vendors accountable for expectations you set in terms of remediation (e.g., timeframes for implementing key controls or getting a certification)
All too often we see VRM programs in their early stages of maturity seek to solve vendor risk with only one piece of the puzzle. This may be hiring a strong and experienced team but failing to provide them with well-designed processes or technology necessary to execute the program at scale.
Other times it may be acquiring a cyber security risk solution or GRC capability without investing in the right people and process to make effective use of the data collated in these platforms. In yet other cases the security team may be compiling compelling information on vendor risk that does not get communicated in a timely or effective way to business owners to make informed decisions on risk treatment with the vendor or product.
High-performing vendor security risk management programs are ones that can orchestrate the right people, processes, and technology to manage vendor risk at scale. I am appreciative every day to have the opportunity to work alongside many such high-performing organizations that allow CORL to compose, support, and conduct their programs to reduce and mitigate risks introduced by third-party vendors.