Vendor Risk Management in 2019: How To Maximize Your Assessment Budget

by Gary Phipps

You’ll never guess what happens in 2019!!!

As a matter of fact, it will probably be very similar to what happened in 2018 and the years prior.  Cyber breaches will abound: a couple of big ones, some smaller, and tons that will never crawl across the most southerly real estate of any web page you will visit. Board members will slam their fists defiantly against their (insert whatever board members slam their fists against) and utter oaths invoking power, declaring that cybersecurity is the number ONE initiative for 2019.

What may change in 2019 is your budget.  It’s likely your leadership will allocate more budget to their Risk and Information Security offices, but it won’t be nearly enough to identify every possible risk and scenario, particularly where the expanded digital ecosystem exists.


Cybersecurity is difficult when you’re accountable for your own side of the fence, not to mention your vendors’, partners’, affiliates’ and portcos’ fences.  The budget will never be enough unless securing your ecosystem is your company’s core business.  If it is, you’re not in business… for long.  Once you’ve accepted that you won’t be able to assess every single vendor, the business of developing a risk-based approach to this seemingly insurmountable task can begin.

My recommendation for 2019 is to take part of your cybersecurity budget and use it to analyze your vendor population.  Ask someone (it doesn’t have to be CyberGRX) to tell you how they would go about tiering your vendor ecosystem to create a complete company-level third-party risk summary.  If their methodology is sound, let ’em at it (hint: a large percentage should be classified as ‘Do Not Assess’).  Believe me; the juice is worth the squeeze.

For your Vendor Risk Management program, this single project can be the difference between a defensible security program and ‘just guessing’.  This endeavor will bear fruit for a long time to come.  Immediately, however, you will receive the following.

  1. A summary of what your vendor ecosystem looks like, i.e. which industries pose the highest risk and which of your vendors are in that group (executives and boards love this stuff).
  2. Options for your boss(es) to choose from, i.e. “based on my allocated budget and my analysis of the vendor inventory, I suggest we take the following approach.”
  3. A proposal to said bosses on your phased approach to addressing cyber risk management in the supply chain. You’re not going to be able to assess every vendor, nor should you.  Consider assessing the sharks closest to your boat in year one.  Goals for year two will become obvious on their own.
  4. And finally, said bosses’ approval and blessing to move out.
  5. Maybe a promotion.

What percentage of your vendor population is high risk? You can’t answer this question unless you know what the population is.  Classifying your vendor population objectively will illuminate your next steps. We at CyberGRX wish you a safe and prosperous 2019.
