Figure 1 - C2 Cyber’s Taxonomy of Good Vendor Risk Management
Suppliers versus Projects
Many people see 3rd party risk as a characteristic of the supplier. We feel this is a simplification that actually makes the task of VRM more complex. The risks are not defined by the supplier; they are defined by the project, product or service that the supplier is delivering. Sometimes a supplier will only deliver one product or service but not infrequently they will deliver more than one and the context of each project is likely to generate a unique set of risks. The volume and sensitivity of the data in scope will affect these risks; a consultancy project will have very different risks to one where proprietary software is delivering the service; the region or division of the supplier that is delivering the project will frequently operate in different ways to other parts of their business. For this reason, we focus on Project Risks, where the inherent severity is defined by the context of the project.
Submissions and Findings
We rely on a lot of evidence that is provided by the suppliers in their submissions. We have put a lot of work in to help the supplier provide this information as efficiently as possible, and have built analytics to draw confidence estimates from their responses. This evidence will include answers to specific questions, as well details of certifications, evidence of relevant policies and other project documentation. We use this information to generate findings, each of which describes a discrete vulnerability or hazard that could aggravate a risk. Findings are the things that can be improved or remediated. They include a description of the vulnerability, examples of the impacts that could occur, and recommended actions that could reduce the vulnerability. Findings are initially created by our platform by applying our growing knowledge base of analytics and automations to the evidence submitted. Once generated they are then reviewed by a security analyst to confirm they are relevant to a project, and new ones defined in situations that have not been seen before. Findings inform Residual Risk.
Open Source Intelligence and Risk Indicators
Pieces of data and information related to a supplier can be found all around the internet for all to view. This data may be contained in DNS records, in the services and websites that are accessible from the internet, across social media, and in many other places. When analysed it can be used to generate Open Source Intelligence. We believe that Open Source Intelligence (OSINT) has a vital place in understanding risk, but cannot be relied upon on its own. It offers a level of independence that can validate or challenge the responses provided by a supplier. It can also provide more continuous monitoring than the periodic submissions that vendors will be asked to make. However, it doesn’t provide a complete picture that a more comprehensive evidence based assessment can. You are unlikely to find evidence of the internal governance, accountabilities and processes that a business operates. We use the OSINT collected from a broad range of sources to generate Risk Indicators, providing an explanation of how these indicators can be interpreted. Risk Indicators complement Findings in informing Residual Risk.
While the inherent risks to a project are defined by the project’s context and characteristics, the residual risk indicates how successfully it is being mitigated. With little or no mitigation the residual risk will equal the inherent risk. With addition controls the residual risk will progressively reduce. The severity of an individual residual risk is calculated by analysing the number and criticality of Findings raised from the Submissions, supported or challenged by the Risk Indicators from the Open Source Intelligence. The overall Residual Risk for a Project, which is an aggregation of the individual risks, can help to prioritise attention that each project should receive.
Decisions, Actions, Collaborations and Closure
What we have described so far delivers little value though. It is only by prioritising issues and resources, acting on findings, collaborating across the business and with the suppliers, and closing down vulnerabilities that the overall business risk can be reduced to a tolerable level. We believe this is most effective if all business stakeholders are operating from a common view of the situation, with clear linkage from evidence through to recommended actions. This demands a secure environment that enables them to also engage in dialogue with the supplier stakeholders. This dialogue should enable issues to be addressed in parallel at their own pace, because some will be easier to resolve than others. It should stimulate open discussion, confident that it is only accessible to those who need to be a part of it. My maintaining an audit trail, findings can be retired and residual risks reduced as remediation requests are closed, and a record of all these actions can be maintained for posterity.
Managing the Black Swans
There are some in the security community who believe traditional risk management is ineffective because many of the incidents are unpredictable. It is true that there will always be things that go wrong that were not foreseen or could not have been predicted. But we believe that done well, the act and behaviour of mature risk management creates a culture and discipline which is more likely to increase security and resilience overall. And if there are fewer incidents that were predictable, then the business should have greater capacity to cope effectively with those that could not have been foreseen.