Taking Steps to Assess Vendor Risk

by Chris Gorsuch

Congratulations on finding your way to our little portion of the Internet.  I can only assume you are here because you want to learn more about assessing vendor risk.  Or as we at CyberGRX like to call it: Third Party Cyber Risk Management (TPCRM).

Well, you have come to the right place!

To avoid re-inventing the wheel, let’s review key points raised by past contributors to our blog. First, your security posture relies on the security of your third parties. This is why identifying your third parties is critical. We’ve also talked a lot about the critical role inherent risk plays in helping to prioritize your third parties, because not all third parties pose the same risk and your third-party relationships evolve. Second, applying the right approach to TPCRM is a game changer – it’s the difference between simply checking a box and actually reducing risk. The right approach involves identifying, validating and prioritizing control gaps at the vendor and ecosystem level. And finally, all critical stakeholders must be involved to be successful. If the CISO and security teams are the only ones attempting to manage third-party risk, the entire organization is putting itself at risk.

I have to admit, they did a great job summing up the problem.  If you haven’t read the articles, take a moment to do so now…

What more needs to be said, right?

If you do the items above, you will have successfully identified your exposures and assigned priorities.  You will be more informed about your third parties and the risks they introduce to your organization.  You will even know what needs to be fixed!

The next step is to truly ‘assess’ your risk.

To do that, you must internalize the facts, make a decision, commit to that decision, and follow through.  Without that, all you have to show for your effort is a list of problems and, perhaps, a game plan.  Of what value is this without the associated commitment to execute?

How do we get there?

Let’s review the steps (with a twist) …

  1. Your security posture relies on the security of your third parties
    Does your organization truly believe that your security is reliant upon that of your third parties?  You now know the scope of the problem and have a feel for the approximate cost.  Can you acquire the commitment to proceed?

  2. Identifying your third parties is critical
    Are these third parties truly critical?  You know which ones pose the greatest threat. Is your commitment to them, and their commitment to you, sufficient to weather the storm we call ‘remediation’?

  3. Not all third parties pose the same risk
    Who can you trust to address the gaps on their own?  Who will require focused attention and follow-up?  And who poses so little risk that any gaps are essentially a wish list that requires no follow-up?

  4. Relationships evolve
    Which relationships will strengthen as a result of the remediation exercise?  Which will be strained as you fight through challenges?  How will future plans be affected?  What new third-party proposal will your business introduce tomorrow?

  5. Stakeholder involvement is crucial
    Do the stakeholders in both organizations agree with the mandate to address the gaps?  Will they get behind the effort 100%, or undermine it at every opportunity?  How will natural changes in the organization affect the commitment to multi-year remediation activities?

  6. Use the right approach
    “We can’t solve problems by using the same kind of thinking we used when we created them.” – Albert Einstein

    For each control gap, do we understand what caused the gap and the obstacles we have to overcome to avoid repeating it?  Which problems are a result of ignorance, lack of a solution, or purposeful decisions (which we assume had reasonable justification at the time)?  Is the ‘textbook’ solution to the problem the best solution in this case?

  7. Control gaps need to be prioritized
    Considering all the points above, take a moment to revisit the proposed solutions and priorities.  Determine what changes the organization is able to make, willing to make, and committed to maintaining.  Identify those activities which have the greatest impact and revise your plan accordingly.

Once you have done these, you will have truly assessed your risk and settled on an approach worth pursuing.  Now you just need to see it through.

Good luck, my friends.

Chris Gorsuch
Manager, Assessment Services