Massive Risk and Limited Resources; What’s a Vendor Risk Manager To Do?

If you are responsible for cyber security risk management in these times, you are certainly being faced with almost overwhelming challenges. In addition to the security controls in your own environment, most companies are outsourcing and leveraging dozens of vendors and software solutions to get the job done, working to continuously produce in our frenetic business world. It is hard to get management to fully acknowledge and support cyber security issues because of the complexities of determining ROI on security control investments. Looking at all of this together is truly enough to keep you up at night and frustrated during the day! I mean, really, how can people still be having difficulty understanding how immense our cyber security risks are? When every day brings news of a breach that came through a vendor, a cloud service that exposed customer information, or a political factor scavenging across the internet for money and intellectual property, it really is obvious how important this is, isn’t it?

We can start to find hope of creating awareness of our security situation and what to do about it by finding mentorship through good information and a constant desire to take action!

Let’s look at how to handle some of these risk management challenges through the assessments, mitigation strategies and awesome ways of visualizing information that are available to us these days. We can start with data from assessments based on one of the great security frameworks out there like NIST 800-53, ISO 20071, PCI-DSS, HIPAA, etc. Then we can utilize the knowledge and wisdom of PhD-level teams of analytics and security professionals working on portfolio-wide risk management strategies in the world right now. Leveraging what they discover using security control scores, kill chain analysis, and threat intelligence we can take this data and make prioritized lists of mitigation asks of ourselves and our vendors to improve our joint security posture. By prioritizing across these criteria, we can reduce risk without breaking the bank trying to implement every possible security control to cover every possible circumstance.

Let’s break all that down into some actionable steps that you can take with the right tools:

  • Choose some questions to gauge the overall criticality of your security control families. Augment those questions with some pre-assessment vulnerability scans and then include some analytics across the threats facing your industry.
  • Do a good assessment internally that is standardized enough to do analytical comparisons across both the assessment answers, comparatively across your industry, and finally across the ecosystem that includes you and the vendors you use.
  • Rank risks based on sub control implementation, number of high risk areas, industry threats, and competencies across areas like data loss protection, access management, or endpoint protections.
  • Develop prioritized mitigation strategies that get the most coverage of security controls across the highest risks, both within your company and across your vendor ecosystem.
  • Communicate those mitigation asks to your leadership and to your vendors in a way that promotes joint ownership and overall improvement in the security posture of all parties.
  • Do a cost/benefit on how many things get fixed by fixing one sub control. Explore tools to create awesome visuals to help people understand ROI in terms of security, reputation saving and fine/damage repayment avoidance.

If you trust the processes and technology currently available, you can start working with well thought out risk frameworks, analytics, and industry threat information right now. Using that intelligence, you can prioritize your mitigation based on these data driven models and you will succeed in solving for most of the risks found in our virtualized, cloud driven, and interconnected world!

Work with management now to get the ball rolling:

  • Do the pre-assessment work of categorizing risk
  • Take a good assessment
  • Take the assessment data through thorough analytics and threat analysis based on the industry you are working with and use it to create amazing visualizations and easy to follow trend graphs. Use those visuals to demonstrate both the need and your concern and care for resource allocation to your management team.
  • Write proposals based on the assessments. Use them to back up your requests for resources.

To get what you know your company needs to stay secure and not experience breaches that result in money, intellectual property or customer data loss, you need to connect the dots for your leadership team. Helping them to realize how important it is to allocate time and money to implement new security controls is part of the job! Backing it up with good assessments, analytics and threat intelligence is how you can show your skill. Then you can get your leadership to buy in to control implementation that will have you happily implementing security as much as you are analyzing it now!

 

RAVEN AGAPE

THIRD PARTY RISK SPECIALIST – SME SECURITY CONTROLS

Leave a Reply