You may already have asked yourself ‘How do I implement a VRM programme?’ Here you will find out how to do it quickly. An effective vendor risk management (VRM) programme must take into account many different factors and risks, which can relate to cybersecurity, commodities, service providers and infrastructure, as well as compliance. Not only is this resource intensive, the process can also take a long time. This article provides a step-by-step guide to creating a sustainable and scalable VRM programme.
Step 1 - Create the foundation
The best foundations are built from people, specifically those with experience and skills in the area of risk you wish to manage. Using information security as an example, a VRM programme needs access to relevant and current skills in the areas being assessed. There are several ways to achieve this: building a team internally, using consultants, using Security Rating Services, or contracting a managed service to implement your VRM programme. We’ll cover the advantages and disadvantages of each in turn.
Build an Internal Team
You’ll need to build a team from personnel who provide a good mix of experience and knowledge, so that the team has the expertise it needs to be effective.
As well as choosing the right personnel, your company should develop a strict set of policies and standards that define acceptable levels of vendor risk, in order to remove subjectivity from the assessment and procurement processes. Internally, your company should also develop policies for reporting and decision making.
However, building a team is time-consuming. At C2, we have a team of security analysts with a wealth of experience in this area, ready to help your company save both money and time.
Use a Consultancy House
Often an enterprise will have retained consultants helping with business change and ‘transformation’. Because a contractual relationship already exists, they present an easy way to ‘do something’, but the solution delivered is often built by inexpert consultants assembled into a group to hit a price point. The high cost of even junior consultants prevents such a team from containing enough expertise and experience, and there is necessarily a lengthy delay while they do discovery, ‘storm and form’ their team and build processes. There are good reasons to use consultants for scoping and stakeholder engagement where the client is determined to build its own internal team, as long as the cost duplication can be borne in the early phases.
Security Rating Services
Security Rating Service (SRS) platforms offer a quick and very attractive set of management information. Attractive downloadable reports help greatly with briefs to boards and senior management, since graphical presentation of risks and data is easy to consume. There are, however, several major flaws in relying solely on these platforms, which will be discussed in a forthcoming blog from C2 (watch this space). In essence, they can only see risk factors visible from outside the organisation, because they rely solely on OSINT to deduce security posture. OSINT is critical to a successful VRM platform, but it is only 5-10% of the information you need to evaluate a vendor. Internal measures, policy validation and proactive remediation management are needed to deliver the remaining 90% or more.
Specialist Vendor Risk Management Provider
There are several specialist VRM providers globally, of which C2 Cyber is one. These providers combine some onboarding consultancy, significant OSINT resources and human analysts who evaluate internal data from vendors/suppliers. The best provide secure portals for clients and suppliers, with usable dashboards, secure messaging (keeping security data off email!) and action management, so that remediation obligations are monitored collaboratively by the provider (C2 Cyber perhaps), the client’s VRM sponsor and the vendors themselves.
Step 2 - Discover your data
In this step you identify and examine the vendors that have access to sensitive data. To do this, you must first decide what ‘sensitive data’ means to your organisation. It can be consumer data, personally identifiable information and credit card information, as well as intellectual property, commodity contracts and due diligence data, or even trade secrets.
Once you have done this, you will need to discover where that data lives and whether it is being stored outside your organisation, for example on cloud servers or in vendors’ databases. At C2, we identify these vendors and compile a list of findings which might otherwise have taken your company a long time to find.
Data mapping is a bespoke process that nonetheless follows some fairly standard rules. It has often been done recently for GDPR or DPO purposes, giving this element of the programme a head start.
Step 3 - Assess and engage critical vendors
Once the vendors with access to your most sensitive data have been identified, C2 performs risk assessments based on the third parties’ submissions (questionnaire answers, policies and evidence), supported and verified by external data from OSINT sources.
Unlike other companies in this industry, C2 conducts continuous assessments, allowing your company to see a possible threat in near real time. Often vendors are unaware that they were not securing their data properly, and simply making a vendor aware of specific issues can be enough to get them to commit to remediation.
This is why, at C2, we aim to establish good lines of communication with a vendor in order to improve their security. Where a vendor is slow to respond or unwilling to change, your company can review or strengthen its contractual obligations. We believe our analyst team, based here in the City of London, gives us an edge in forming the right collaborative relationships with vendors and clients.
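Steps 2 and 3 as a worked example, added here and not code from C2 Cyber or the COBRA platform: a vendor inventory is tiered by the most sensitive data class each vendor holds (Step 2), then one vendor’s questionnaire answers are treated as claims that count only when backed by supplied evidence or confirmed by an external check, with open remediation actions tracked against a due date (Step 3). The data classes, control names, impact weights, vendor names, document reference and dates are all constructed assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set

# --- Step 2: decide what "sensitive data" means, then map vendors to it ------
# Data classes and their sensitivity ratings are assumptions for this example.
DATA_SENSITIVITY: Dict[str, int] = {
    "cardholder_data": 4,
    "trade_secrets": 4,
    "pii": 3,
    "contract_terms": 2,
    "public_marketing": 0,
}


@dataclass
class Vendor:
    name: str
    data_classes: Set[str]        # classes of our data the vendor holds or processes
    stores_outside_org: bool      # held in their cloud/databases, not our estate


def vendor_tier(v: Vendor) -> str:
    """Tier a vendor by the most sensitive data class it touches and where it is held."""
    top = max((DATA_SENSITIVITY.get(c, 0) for c in v.data_classes), default=0)
    if top >= 4 or (top == 3 and v.stores_outside_org):
        return "critical"
    if top >= 2:
        return "important"
    return "low"


# --- Step 3: treat questionnaire answers as claims that need verification ----
@dataclass
class Claim:
    control: str
    answer: bool                           # vendor says the control is in place
    evidence_ref: Optional[str] = None     # e.g. a policy document id; None = nothing supplied
    external_check: Optional[bool] = None  # OSINT result where one exists (None = not observable)


CONTROL_IMPACT: Dict[str, int] = {         # assumed weights; higher = worse if missing
    "tls_on_public_endpoints": 3,
    "mfa_for_admins": 3,
    "encryption_at_rest": 3,
    "incident_response_plan": 2,
    "dmarc_reject_policy": 1,
}


def assess(claims: List[Claim]) -> dict:
    """Return verified controls, findings (with reasons) and a weighted risk score."""
    verified, findings = [], []
    for c in claims:
        if c.external_check is False:
            # OSINT contradicts a "yes", or confirms an admitted gap
            reason = "external check contradicts the answer" if c.answer else "gap confirmed externally"
        elif not c.answer:
            reason = "vendor reports control not in place"
        elif c.evidence_ref or c.external_check is True:
            verified.append(c.control)     # a claim with evidence or external confirmation
            continue
        else:
            reason = "claimed, but no evidence supplied and not externally observable"
        findings.append({"control": c.control,
                         "impact": CONTROL_IMPACT.get(c.control, 1),
                         "reason": reason})
    return {"verified": verified,
            "findings": findings,
            "risk_score": sum(f["impact"] for f in findings)}


@dataclass
class Remediation:
    vendor: str
    control: str
    due: date
    closed: bool = False


def overdue(items: List[Remediation], today: date) -> List[Remediation]:
    """Open actions past their due date: the list the VRM sponsor chases each week."""
    return [i for i in items if not i.closed and i.due < today]


def run_example() -> dict:
    # Constructed sample data; vendor names, document id and dates are fictional.
    vendors = [
        Vendor("PayGate Ltd", {"cardholder_data", "pii"}, True),
        Vendor("PrintCo", {"contract_terms"}, True),
        Vendor("Newsletter Tool", {"public_marketing"}, True),
    ]
    tiers = {v.name: vendor_tier(v) for v in vendors}

    paygate_claims = [
        Claim("tls_on_public_endpoints", True, external_check=False),  # OSINT contradicts it
        Claim("mfa_for_admins", True, evidence_ref="DOC-0042"),        # evidenced by a document
        Claim("encryption_at_rest", True),                              # claimed only
        Claim("incident_response_plan", False),                         # admitted gap
        Claim("dmarc_reject_policy", True, external_check=True),        # confirmed by OSINT
    ]
    result = assess(paygate_claims)

    actions = [Remediation("PayGate Ltd", f["control"], date(2023, 1, 31))
               for f in result["findings"]]
    actions[0].closed = True                # the vendor fixed the TLS finding
    late = overdue(actions, date(2023, 3, 1))
    return {"tiers": tiers, "assessment": result, "overdue": [a.control for a in late]}


if __name__ == "__main__":
    from pprint import pprint
    pprint(run_example())
```

The point of the `assess` rule is the one made above about Security Rating Services: a “yes” on a questionnaire is worth nothing on its own, an external check can only cover the handful of controls visible from outside, and the rest has to be settled by evidence the vendor supplies and by tracking the remediation actions that follow.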
Step 4 - Procure new vendors
Security ratings should inform the exploration, selection and shortlisting stages when procuring new vendors. Using C2 COBRA or another VRM provider’s platform enables a rapid assessment of a potential vendor’s risk posture. Onboarding potential suppliers for evaluation at the RFP (request for proposal) and PQQ (pre-qualification questionnaire) stages can save a significant amount of pain later in the process. Once a vendor with an acceptable security posture is chosen, make sure to build security performance requirements into that vendor’s contract.
There are many ways to start a VRM programme. I hope the above gives some food for thought. Since there is no ‘one size fits all’ solution, we don’t claim the answer is always C2 COBRA, but we think it should be, and so we’re keen to hear from you.