Strengthening Your Cyber Defense: An Overview of Vendor Security

An Introduction to Vendor Security

It goes by many names

Vendor Security, Third-Party Risk Management, Vendor & Supply Chain Risk. These are some of the names for managing security risk with third-party service providers (SaaS, etc.). Having many names comes with its own hurdles. Vendor Security is frequently mistaken for Supply Chain Security (open source software), yet here we will be focusing on third-party service providers. Now that we know what we are not referring to, why do we need Vendor Security and what does it do?

Why do we need it and what does it do?

Do you trust a stranger with holding your wallet? Probably not. So why should you entrust a random company with something that’s important to your company? You shouldn’t, unless you have enough reason to make sure they’re trustworthy. This is where Vendor Security comes in.

Many companies assume a signed contract absolves them of their cyber responsibilities related to sharing data, regulatory requirements, reputation, etc. The truth is, you cannot fully transfer these risks with contractual protections. After all, anyone can sign a contract. Customers, regulators, and investors now expect that data and services entrusted to third parties have verified security. That expectation has been reinforced by a few bad experiences: Anthem Blue Cross Blue Shield in 2015, Marriott International in 2018, and SolarWinds in 2020. These are a few of many situations where third-party risk was realized, and they show that this risk needs to be managed. Vendor Security is here to manage it.

Vendor Security has a lot on its plate. It is traditionally expected to make sure third parties are compliant with regulatory requirements, implement contractual security protections, and are secure in most regards. Cybersecurity is imperfect to begin with, so how can this be done? Vendor Security is about collecting the information necessary to make a risk-informed decision that is tailored to reinforcing critical business needs. For example, if you need highly available third-party services or high certainty of regulatory compliance, the program should be tailored to collecting information specific to those needs. Many organizations want everything addressed, but this is not scalable without hurting business velocity and a number of other areas. So how can you build a program around these challenges?


The Key Elements of Vendor Security

The quick path to setting your Vendor Security goals is to cover all security aspects, but this tends to lead to surface-level evaluations that result in vendor fatigue. Vendor fatigue is the exhaustion of a vendor during information requests, and it results in low-quality information. Keeping this in mind, the goals and objectives of your Vendor Security program should be thoroughly evaluated, approved by your leadership team, and performed with focused rigor. These goals could include identifying technical security risks, protecting human safety, or ensuring compliance with regulatory requirements.

Your exact objectives may vary depending on your industry, regulatory requirements, and the nature of the third-party-customer relationship but there are some common objectives that customers often seek in a Vendor Security program:

  • Visibility: You cannot protect what you do not know about, so find out what your organization is purchasing. Develop key partnerships and enforce purchasing governance early in the procurement process.
  • Confidentiality: Set goals for technical access controls, levels of encryption, and data governance practices to protect against unauthorized access or disclosure.
  • Integrity: Set goals for vendors to have processes in place to monitor for and identify unauthorized modifications, tampering, or corruption of data and infrastructure.
  • Availability: Add measurements to ensure vendor system uptime is monitored, disaster recovery capabilities are tested, and critical infrastructure redundancy is in place.
  • Safety: Establish criteria to identify if a system’s function impacts human safety. Examples may include systems that support manufacturing of drugs for human consumption or control the transfer of combustible materials (oil, gas, etc.).
  • Compliance: Identify the relevant standards, regulations, and industry best practices a service needs to meet for a specific industry.
  • Risk Management: Establish supply chain accountability. Security identifies risk and should partner with the vendor to advise on remediation or mitigation actions that can be taken. The risk that remains until remediation, and the residual risk after it, must be acknowledged by the purchasing organization prior to purchase or between contract terms. Determine key metrics for ongoing risk management by the Vendor Security function.
  • Contractual Protections: Establish parameters with the vendor to promptly detect, respond to, and recover from security breaches or other security-related events that may impact customers.
  • Partnership and Communication: Maintain transparency with vendors regarding their security measures, updates on security-related incidents & vulnerabilities, and set goals for ongoing communication requirements to address customer concerns. This is a combination of vendor risk management & vendor relationship management.


Why are Established Vendor Security Criteria Important?

Proper risk classification is essential when third-party vendors have access to sensitive, critical, or regulated data. This defines security standards that vendors must meet to be considered acceptable. This may include factors such as data protection measures, security controls, incident response capabilities, and compliance with relevant regulations.


Operationalizing Vendor Security

How do you scale your program?

On day 1 you are probably going to start where everyone tends to start: emails and Excel sheets. If you can avoid this step, do it. You do not need a vendor-security-specific tool to build a program (it is helpful), but process-oriented tools such as Airtable, Smartsheet, etc. make it easy to build an automated process that can integrate with other systems. Don’t forget to think about how review requests will reach you and how you are going to manage the risk that is identified. Both tend to be time consuming if not handled efficiently.

Where do you prioritize your effort?

Define your level of security diligence based on the vendors that pose the highest security risks to your organization, using a process that quantifies business impact. Inputs could be factors such as access to your network, the amount of time your business can operate without the vendor, or regulatory requirements. Using a programmatic approach to determining vendor sensitivity is key for driving consistency and for deciding which vendors to review when your vendor portfolio is a daunting size.
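As an added illustration of the programmatic tiering described above (example code written for this page, not a Purple Raven tool), the script below scores a vendor on the three factors the paragraph names, derives an inherent-risk tier, and maps the tier to a diligence level and reassessment cadence. The factor weights, thresholds, and diligence levels are assumed values to be replaced with ones approved by your leadership team.

```python
from dataclasses import dataclass

# Assumed scoring scales (0-4). Tune these to your own risk appetite.
NETWORK_ACCESS = {"none": 0, "saas_only": 1, "vpn": 3, "privileged": 4}
REGULATED_DATA = {"none": 0, "pii": 2, "payment": 3, "phi": 3}

@dataclass
class Vendor:
    name: str
    network_access: str        # key of NETWORK_ACCESS
    max_downtime_days: float   # how long the business can run without the vendor
    data_types: list           # keys of REGULATED_DATA the vendor handles

def availability_score(max_downtime_days: float) -> int:
    """Shorter tolerable downtime means higher dependence, hence higher score."""
    if max_downtime_days < 1:
        return 4
    if max_downtime_days < 7:
        return 3
    if max_downtime_days < 30:
        return 2
    return 1

def inherent_risk(v: Vendor) -> dict:
    """Per-factor scores, so reviewers can see what drove the tier."""
    return {
        "network": NETWORK_ACCESS[v.network_access],
        "availability": availability_score(v.max_downtime_days),
        "regulatory": max((REGULATED_DATA[d] for d in v.data_types), default=0),
    }

def tier(v: Vendor) -> str:
    f = inherent_risk(v)
    total = sum(f.values())
    # Any single factor at its maximum forces the top tier; otherwise the sum decides.
    if max(f.values()) >= 4 or total >= 9:
        return "critical"
    if total >= 6:
        return "high"
    if total >= 3:
        return "moderate"
    return "low"

# Assumed diligence levels: depth of review and how often to reassess.
DILIGENCE = {
    "critical": ("full assessment with control evidence", 12),
    "high": ("full questionnaire with audit report", 12),
    "moderate": ("short questionnaire", 24),
    "low": ("self-attestation only", 36),
}

def diligence_plan(v: Vendor) -> dict:
    t = tier(v)
    review, months = DILIGENCE[t]
    return {"vendor": v.name, "tier": t, "review": review, "reassess_months": months}
```

Running `diligence_plan` over the whole portfolio and sorting by tier gives the review queue the paragraph asks for, with the per-factor breakdown available to justify each placement.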

What steps do I need to take?

Now that you’ve got a good understanding of Vendor Security and a sense of how operationalization tends to start, check out Purple Raven’s Vendor Security Program Guide below. You’ll find more granular steps to get you started.


Conclusion

Defining vendor security standards helps organizations manage the inherent risks associated with engaging third-party vendors, ensures consistency and compliance, and fosters a culture of security across the vendor ecosystem. It also enables organizations to make informed decisions, establish strong partnerships with security-minded vendors, and protect their own assets, data, and reputation. As you begin your journey into vendor security, take on a manageable workload you can be excellent at and remember that a big brand name does not equal perfect security.


Vendor Security Program Guide Download
