
Vendor Risk Management: Is it a CYA activity? It shouldn't be.

Aug 13

3 min read




We've all heard about third parties and how they have been the root cause of several data breaches in recent years. Plenty of industries have adopted processes to vet third parties more thoroughly, in an effort to identify the risk they bring in and to address it proactively.


When you consider just how many third parties a single company can have, you can appreciate how much work is required to assess vendors and then keep reviewing them. In many cases, companies have adopted vendor programs simply to check off an audit requirement. Unfortunately for the companies on the checklist route, the message this sends to the rest of the organization is that this is just another cost center. That's not how it should be.


As mentioned, the data breaches we've seen over the past decade were not always due to inadequate security controls at the breached company itself, but rather at a third party it was using. A rather well-known breach, and my personal favorite, is the Target breach. The entry point was a third-party HVAC contractor that did work for Target and had been given remote access to a Target vendor portal. Unbeknownst to the contractor, a workstation at the firm had been compromised by credential-stealing malware delivered through a phishing email, and the anti-malware protection in place did not catch it.


The attackers used the stolen vendor credentials to log in to Target's network, moved from there to the systems that mattered, and installed card-scraping malware on Target's point-of-sale (POS) terminals. The lack of contractor vetting, together with the weak separation between vendor access and the POS environment, ultimately led to the exposure of roughly 40 million debit and credit card numbers. Between investigations, remediation, and settlements, Target is said to have spent over $200 million.


Want to know what could have lowered the odds of such a breach? Vendor risk management.


Companies often have a hard time justifying the time and resources it takes to run a decent program. Ultimately, it is hard to show the return on investment. Even the best metrics from a vendor program are often limited to showing the risk universe on a heat map, or a count of how many vendors were onboarded or offboarded. We often hear about vendor team employees becoming discouraged when the business hits them with frustrating comments ranging from "you're holding up my contract" to "I don't even know why you need to ask about this."


Unfortunately, that kind of culture and those comments eventually reinforce the idea that the vendor process is just there as a checkbox item. Yes, from the front end it would appear that way. It only becomes something else when a vendor team can show it avoided a breach in some fashion. And if a vendor that was onboarded does suffer a breach, the vendor risk employee is doomed to criticism for "not doing enough" to assess the vendor. They just can't win, huh?


My thoughts: no one knows what it's like to walk in someone else's shoes, right? Companies that can't accept the value of a compliance team member who proactively reviews vendor risk will lose. Such companies will have a difficult time retaining talent, since that talent will be faced with the constant challenge of convincing the rest of the organization that vendor management is a necessary process.


Is your company looking to kick off a vendor risk program? Easy Audit Consulting specializes in vendor risk management. We can establish a program that works for your business and provide ongoing support for it. Reach out to us today to discuss a program that works for you!


Christine

www.easyauditconsulting.com
