Vendor Risk Management is now a Must-Have Discipline

Highlights of the presentation made by Roberta Witty, VP Analyst, Gartner at Gartner Security & Risk Management Summit 2019 at Mumbai:

Banking Frontiers - Tech Induction

Due to the risks associated with cyberattacks, many BFSI organizations are looking closely at the 3rd parties they work with. Their concern is how to ensure that vendors are there when they are needed the most. Also, what is missing from vendor contracts is the recovery aspect.

How to assess a vendor's ability? Many companies have created questionnaires, but often these surveys come back incomplete. The challenge is how to know that the responses are correct. Another challenge is how to remediate when the vendor cannot meet your needs. The concern is how the business can continue in the absence of a vendor's services. There need to be downtime procedures and workaround procedures. How do you know your vendor is good even after you sign the contract?

A current best practice is setting up a management discipline around 3rd parties. The business has to take the risk and make the decision. This is not a decision for security or business continuity or procurement. You can put your vendors in tier 1, tier 2, etc. Site visits are expensive and time consuming. One way is to use a consultant, but the question is how trustworthy the consultant is.

Companies must move from impact and likelihood of risk in the traditional situation to value and appetite in the digital situation. Sometimes a tier 2 or tier 3 vendor can be a single point of failure for an entire industry, when that vendor is in a dominant position.

Advance warnings are important, as no vendor is going to call and say it is going out of business after 3 months. If a service is mission critical, you must have a back-up vendor who can take over quickly.


1. Formalize vendor and 3rd party discovery methods

2. Regularly monitor vendors and 3rd parties

3. Mentor vendors and 3rd parties info security capabilities

4. Streamline and automate workflows and

5. Make vendor and 3rd party risk a shared

6. Improve data collection reliability

7. Evaluate outsourced or shared assessment models.

Roberta Witty
