As humans, we all have fight or flight instincts that kick in during dire situations. In the third-party cyber risk management world, fight or flight looks a bit different, especially if you have a huge amount of responsibility and a shoestring budget. The scenario of managing a seemingly infinite number of vendor security assessments with a finite budget is enough to evoke the flight response immediately. Your flight response may be to look up your favorite recruiter’s phone number or a job-hunting website. Boards and senior executives experience a visceral reaction each time they see a news segment about a breach. While stock prices don’t always fall significantly, make no mistake: people are offered the “opportunity to excel elsewhere” (i.e. let go) when a breach occurs on their watch.
The thought of increasing your spend on an activity that hasn’t materially impacted you (yet) can be paralyzing, especially when you consider the industry you serve. If you are in the insurance space, for example, where growth is measured in fractions of a percent of market share, your executives will look at spend very differently than if you are in a more innovative and nascent market (disruptive, venture-backed and pre-IPO). If you are in manufacturing, where margins are measured with graduated cylinders, you look at every dollar.
Side note: Here is the skinny on ROI when it comes to managing cyber risk: it doesn’t exist unless you can find a company of comparable size – one that manages risk in exactly the same way you do – that experienced a breach or loss you could be vulnerable to. Only then can you calculate the ROI of increasing spend on cyber risk management activities. My fantasy football group does this weekly for a few months each year and we are pretty bad at it. ROI is elusive when it comes to managing risk; chasing it is a foolhardy exercise that rarely produces an analysis that justifies your proposal to get some help.
Let’s assume you like your boss and are convinced that the desire to do the right thing exists (a.k.a. not flight). Here’s a simple way to break down how to spend your finite budget:
- Ask accounts payable to give you a report of every dollar spent in the last three years and to provide the commodity code associated with each AP transaction.
- Use your judgment (or phone a friend) and remove every commodity that does not involve the exchange of digital information. Be careful here: intellectual property doesn’t have to be digital, and OEM devices should stay in scope if you provide an engineered solution or manufacture a product that requires a non-analog transfer of information. Examples of what you will be sorting through include direct-spend transactions, i.e. the stuff people buy with a corporate credit card, as opposed to negotiated multi-year contracts.
- Filter what remains by commodity and spend. If you have a software vendor that you spend a million dollars with each year – ding, ding, ding – it’s a good bet they are cyber-relevant. If you have a printing company that you spend the same amount with, think about what they are printing. If you’re a pharmacy, that might be important….
- Analyze that list and think of the current cost of a security assessment (whether you’re doing it via spreadsheet, SurveyMonkey, gazillion-dollar GRC platform, etc.) and work out the cost per assessment.
- Divide your budget by the cost per assessment, start at the top of the list and tell your boss what you can do with the budget allocated.
- Call me.
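As an added illustration (not code from the original post), here is the procedure above carried out on a small accounts-payable extract in Python. The vendor names, commodity codes, amounts, budget and cost per assessment are all constructed for the example; substitute your own AP commodity taxonomy and numbers. It goes slightly beyond the steps by ranking on average annual spend, so a vendor that only appeared in one of the three years is not buried under one that appeared in all three, and by flagging commodities that need a judgment call (the printing example) rather than silently dropping them.

```python
"""Rank vendors for security assessment by spend, within a fixed budget.

Added example, not part of the original post. Every vendor, commodity code,
amount, budget and cost figure below is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed three-year AP extract: (vendor, commodity_code, amount_usd, year).
AP_TRANSACTIONS = [
    ("Acme SaaS Ltd",      "SW-SAAS", 400_000, 2021),
    ("Acme SaaS Ltd",      "SW-SAAS", 450_000, 2022),
    ("Acme SaaS Ltd",      "SW-SAAS", 500_000, 2023),
    ("PrintCo",            "PRINT",    90_000, 2022),
    ("PrintCo",            "PRINT",   110_000, 2023),
    ("Office Coffee Inc",  "FOOD",     15_000, 2023),
    ("DataCenter Hosting", "IT-HOST", 300_000, 2022),
    ("DataCenter Hosting", "IT-HOST", 320_000, 2023),
    ("Payroll Processor",  "HR-OUT",  120_000, 2021),
    ("Payroll Processor",  "HR-OUT",  125_000, 2022),
    ("Payroll Processor",  "HR-OUT",  130_000, 2023),
    ("Landscaping LLC",    "FACIL",    40_000, 2023),
    ("Contract Dev Shop",  "IT-SVC",   80_000, 2023),
]

# Hypothetical commodity codes that involve an exchange of digital information.
CYBER_RELEVANT_CODES = {"SW-SAAS", "IT-HOST", "IT-SVC", "HR-OUT"}

# Codes that need a judgment call (what are they printing?) rather than an
# automatic yes/no: keep them in the list, but flag them for review.
REVIEW_CODES = {"PRINT"}


@dataclass
class VendorSpend:
    vendor: str
    codes: set
    total: int          # spend across the whole extract
    annual_avg: float   # total / number of distinct years the vendor appears
    needs_review: bool  # True if any of its commodities is in REVIEW_CODES


def aggregate_by_vendor(transactions):
    """Collapse transactions to one row per vendor, dropping irrelevant codes."""
    totals = defaultdict(int)
    years = defaultdict(set)
    codes = defaultdict(set)
    for vendor, code, amount, year in transactions:
        if code not in CYBER_RELEVANT_CODES and code not in REVIEW_CODES:
            continue  # no digital exchange: out of scope for assessment
        totals[vendor] += amount
        years[vendor].add(year)
        codes[vendor].add(code)
    rows = [
        VendorSpend(
            vendor=vendor,
            codes=codes[vendor],
            total=total,
            annual_avg=total / len(years[vendor]),
            needs_review=bool(codes[vendor] & REVIEW_CODES),
        )
        for vendor, total in totals.items()
    ]
    # Rank by average annual spend, highest first.
    rows.sort(key=lambda r: r.annual_avg, reverse=True)
    return rows


def plan_assessments(rows, budget, cost_per_assessment):
    """Split the ranked list into vendors the budget covers and the rest."""
    if cost_per_assessment <= 0:
        raise ValueError("cost per assessment must be positive")
    capacity = int(budget // cost_per_assessment)  # whole assessments only
    return rows[:capacity], rows[capacity:]


if __name__ == "__main__":
    ranked = aggregate_by_vendor(AP_TRANSACTIONS)
    funded, deferred = plan_assessments(ranked, budget=10_000, cost_per_assessment=3_500)
    for r in funded:
        flag = "  (review what they handle)" if r.needs_review else ""
        print(f"ASSESS  {r.vendor:<20} avg ${r.annual_avg:>10,.0f}/yr{flag}")
    for r in deferred:
        print(f"DEFER   {r.vendor:<20} avg ${r.annual_avg:>10,.0f}/yr")
```

The deferred list is the part to show your boss: it is the set of cyber-relevant vendors that will go unassessed at the current budget, ranked by how much you spend with them.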
If you’ve been given a monumental task with minimal resources, your management is not yet acutely aware of the importance of cybersecurity to brand reputation. According to a Ponemon study, 53% of organizations have experienced one or more data breaches caused by a third party, costing an average of $7.5 million to remediate. What’s more, 80% of organizations believe vetting third parties is critical, yet 60% believe they are only somewhat effective, or not effective at all, at vetting third parties.
If you’re working on a tight budget, a third-party risk exchange lowers costs for everyone involved. Each third party fills out one dynamic assessment that it can share with anyone it chooses, while enterprises access those completed assessments immediately and at a lower cost, saving time and money. You’ll know which third parties pose the most risk to you, so you can pinpoint and respond to that risk faster.