Developing a Vendor Risk Management Strategy – Info/CyberSecurity Perspective

Written by The GRC Pundit

Published on2017-02-06Updated on2017-02-08DiscussionLeave a Comment on Developing a Vendor Risk Management Strategy – Info/CyberSecurity Perspective

Organizations are porous: the modern organization is not defined by brick and mortar walls but is a complex web of business relationships. These relationships span vendors, suppliers, outsourcers, service providers, contractors, consultants, temporary workers, agents, brokers, dealers, intermediaries. It grows even more complex as there are nested relationships in subcontractors and supply chains. Approximately half of a typical organizations “insiders” are no longer employees but are third party relationships.

The issues organizations face in managing vendor and third party risks are growing. These range from growing challenges in anti-bribery and corruption compliance (e.g., UK Bribery Act, US FCPA, OECD Bribery Convention), human rights and slavery (e.g., US Conflict Minerals, EU Conflict Minerals, UK Modern Slavery Act, California’s Transparency in Supply Chains Act), environmental, health and safety, physical security, business continuity and more.

However, one of the growing challenges organizations face is information/cybersecurity across third party relationships, particularly vendor relationships. A significant number of information/cybersecurity breaches are the result of third party vendor relationships. It is not just IT related vendors that put organizations at risk, but could be a wide range of vendor relationships. The Target breach from a few years back was the result of a heating and air conditioning vendor (HVAC) that was broken into that had a connection to the Target network. With the Internet of Things (IoT) upon us, it has become critical for organizations to address information security in and across their third party relationships.

I am doing a series of educational webinars on this specific topic over the next three weeks. These are as follow:

• How to Develop a Vendor Risk Management Strategy (Part 1 of 3)
  • February 7, 1:00 to 2:00am CST
• How to Define a Process Lifecycle for Vendor Risk Management (Part 2 of 3)
  • February 14, 1:00 to 2:00am CST
• How to Design a Vendor Risk Management Information & Technology Architecture (Part 3 of 3)
  • February 21, 1:00 to 2:00am CST

Here is my specific advice on how to go about purchasing solutions for vendor and third party risk management:

• How to Purchase Third Party Management Solutions

Additionally, here are some of my research papers that I have published on this topic:

• Third Party Management by Design: A Federated Approach to Third Party Management
• Aravo: Enabling 360° Insight & Control of Third Party Relationships