Vendor Risk Management is now a Must-Have Discipline
Highlights of the presentation made by Roberta Witty, VP Analyst, Gartner at Gartner Security & Risk Management Summit 2019 at Mumbai:
Due to the risks associated with cyberattacks, many BFSI organizations are looking closely at the 3rd parties they work with. Their concern is how to ensure that vendors are there when they are needed the most. Also, what is missing from vendor contracts is the recovery aspect.
How can a vendor's ability be assessed? Many companies have created questionnaires, but often these surveys come back incomplete. The challenge is how to know that the responses are correct. Another challenge is how to remediate when the vendor cannot meet your needs. The concern is how the business can continue in the absence of a vendor's services. There need to be downtime procedures and workaround procedures. How do you know your vendor is still good after you sign the contract?
A current best practice is setting up a management discipline around 3rd parties. The business has to own the risk and make the decision; this is not a decision for security, business continuity or procurement. You can put your vendors in tier 1, tier 2, etc. Site visits are expensive and time consuming. One way is to use a consultant, but the question then is how trustworthy the consultant is.
Companies must move from impact and likelihood of risk in a traditional setting to value and risk appetite in a digital setting. Sometimes a tier 2 or tier 3 vendor can be a single point of failure for an entire industry, when that vendor is in a dominant position.
Advance warnings are important, as no vendor is going to call and say it is going out of business in 3 months. If a service is mission critical, you must have a back-up vendor who can take over quickly.
RECOMMENDATIONS:
1. Formalize vendor and 3rd party discovery methods
2. Regularly monitor vendors and 3rd parties
3. Mentor vendors' and 3rd parties' information security capabilities
4. Streamline and automate workflows and processes
5. Make vendor and 3rd party risk a shared responsibility
6. Improve data collection reliability
7. Evaluate outsourced or shared assessment models