We recently wrote The OSINT approach to Vendor Risk management, about how Open Source Intelligence (OSINT) enables a client within a vendor risk management (VRM) programme to identify areas of concern that a vendor or supplier might be asked to explain. OSINT therefore represents a key source of intelligence to support a risk management process.
However, it is important to realise that OSINT does not provide all the answers. The aim of this article is to describe how OSINT is one set of tools within an overall holistic approach to VRM, and why that matters when selecting a VRM programme provider.
As discussed, OSINT does support an efficient and detailed view of vendors that is difficult to do at scale without automation. At C2 we use OSINT to assess many thousands of data points per supplier, distilled into four key areas:
- Configuration of online technologies - level of maturity and public-facing security
- Email security, anti spoofing measures and DMARC - correct configuration
- Attack surface - an external hacker’s eye view
- Social measures - Customer and Employee advocacy on review and rating sites
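The second area, correct DMARC configuration, is the kind of indicator that can be scored from a single public DNS TXT record. The following is an added example (not C2's tooling) of how such a check works: it parses the tag=value pairs of a DMARC record, rates the policy on a 0 to 3 scale (an assumption made for this illustration), and records the reasons behind the score so an analyst can raise them with the vendor. The sample records are constructed for hypothetical vendor domains, not real DNS data.

```python
"""Rate a vendor's DMARC record as an external email-security indicator.

Added example with constructed inputs; the 0-3 scoring scale is an assumption
chosen for illustration, not a published standard.
"""

# Constructed sample records for hypothetical vendor domains (not real DNS data).
SAMPLE_RECORDS = {
    "vendor-a.example": "v=DMARC1; p=reject; rua=mailto:dmarc@vendor-a.example; pct=100",
    "vendor-b.example": "v=DMARC1; p=none; rua=mailto:dmarc@vendor-b.example",
    "vendor-c.example": "v=DMARC1; p=quarantine; pct=25",
    "vendor-d.example": None,  # no _dmarc TXT record published at all
}

# Assumed scale: monitor-only is worth less than quarantine, which is worth less than reject.
POLICY_SCORE = {"none": 1, "quarantine": 2, "reject": 3}


def parse_dmarc(record):
    """Split a DMARC record into a {tag: value} dict (tag=value pairs separated by ';')."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate a trailing ';'
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def rate_dmarc(record):
    """Return (score, findings) for one DMARC record; None means nothing is published.

    Score 0-3: 0 = absent or invalid, 1 = monitor only, 2 = quarantine, 3 = reject,
    minus one point when the policy covers only part of the mail (pct < 100).
    """
    if record is None:
        return 0, ["no DMARC record published"]
    try:
        tags = parse_dmarc(record)
    except ValueError as exc:
        return 0, [str(exc)]
    if tags.get("v") != "DMARC1":
        return 0, ["record does not declare v=DMARC1"]
    policy = tags.get("p", "").lower()
    if policy not in POLICY_SCORE:
        return 0, [f"missing or invalid p= tag: {policy!r}"]

    score = POLICY_SCORE[policy]
    findings = []
    if policy == "none":
        findings.append("p=none: monitoring only, spoofed mail is not blocked")
    # pct defaults to 100 when absent; anything else means the policy is only partly enforced.
    pct_raw = tags.get("pct", "100")
    if not pct_raw.isdigit() or not 0 <= int(pct_raw) <= 100:
        findings.append(f"invalid pct= value: {pct_raw!r}")
        score -= 1
    elif int(pct_raw) < 100:
        findings.append(f"pct={pct_raw}: policy applied to only {pct_raw}% of failing mail")
        score -= 1
    if "rua" not in tags:
        findings.append("no rua= address: vendor receives no aggregate reports to act on")
    return score, findings


def rate_vendors(records):
    """Rate every vendor and return {domain: score}, ordered worst first for triage."""
    scores = {domain: rate_dmarc(rec)[0] for domain, rec in records.items()}
    return dict(sorted(scores.items(), key=lambda kv: kv[1]))


if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        score, findings = rate_dmarc(record)
        print(f"{domain}: score {score}/3")
        for finding in findings:
            print(f"  - {finding}")
```

Note what the check cannot tell you: a vendor with p=reject and a rua address may never read the aggregate reports, and a vendor on p=none may be in the middle of a carefully staged rollout. That is exactly the visibility gap described in the next section, and why the finding is an input to a conversation with the vendor rather than a verdict.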
These are the typical sets of OSINT indicators also offered by Security Ratings Services and many automated VRM solution providers, but on their own they lack credibility and effectiveness:
- Limited Visibility - Fundamentally, OSINT can only see what's visible on the outside of a vendor, and rarely shows the internal architecture (unless something has gone very wrong!). It takes no account of what is actually going on within a vendor, the security culture that exists, the policies that govern it and the regularity with which those are reviewed against an ever changing risk landscape.
- Drowning in Data – Automated assessment tools can produce reams of unstructured data in either electronic or paper form that then must be digitized, parsed, structured and sanitized before it can be analyzed and mined for actionable insights. This extra step, if it’s even taken, can encumber your organization’s third-party cyber risk management process.
- Not a Level Playing Field – OSINT interrogation techniques essentially treat all indicators and vendors the same way and apply their checks on a level playing field. But the characteristics of different vendors, their impact on a company’s risk profile and therefore the acceptable risk tolerance can vary hugely from vendor to vendor. Does the vendor access your data, or hold data on your behalf? If so, how sensitive is it? Does the vendor connect to company systems, or even manage a business process for you? An effective VRM programme is about highlighting the unacceptable vendor-specific risks and mitigating them; measuring every vendor with the same yardstick does not do this justice.
- Risk is not static and always changing – Likewise, the risk profile of a vendor and the threat landscape in general are always changing. It is essential to understand which vendors are going to need attention from different risk perspectives on a day-to-day basis. This needs a more tailored approach than a generic OSINT approach can handle.
Ultimately, VRM is not just about measuring risk but about mitigating it. While OSINT can highlight risks, it does not help to prioritise them or to mitigate them.
In our experience, there are three other perspectives (in addition to OSINT) from which you should look at a vendor in order to provide an effective, holistic VRM solution:
- Vendor-Customer context – it is essential to determine the inherent risk, using attributes such as the data types exchanged, the services delivered, their volume and their criticality, in order to assess which risks are acceptable for which vendors and therefore to prioritise mitigation action.
- Assertions – vendor responses to questionnaires tailored to the context and risk give a richer, more complete, self-certified picture of vulnerabilities and of what is going on inside the organisation.
- Evidence – reviews of evidence, site visits and audits enable an analyst to validate controls when required and to check the assertions that vendors have made.
While these are naturally more labour intensive for the vendor, they can be highly automated, delivered in an intuitive, interactive way, and produce much better results. In the long run the benefits to both customer and vendor in terms of clarity, security, trust and a longer-term relationship far outweigh the initial workload.