Avoiding the “Twilight Zone” of Vendor Cyber Risk
Submitted for your approval: You’ve been called into an important executive committee meeting.
As the bank’s CIO all you know is that John, who heads Retail, has an important presentation.
Little do you know you’re about to enter another dimension…
Once everyone has joined the call, John immediately presents his latest silver bullet to juice consumer lending and ensure everyone’s annual bonus: The latest, shiniest new digital marketing bauble, dangling the promise of increasing loan production by 150%.
Everyone is enthralled. How soon can it launch?
John’s response? “All we need to do is have IT plug the new widget into our website and link it to our core customer files to allow it to do its thing.”
Without hesitation, the CEO declares, “Let’s do it!”
Pardon the melodramatic analogy I’ve just laid out. But if you’re the CIO, charged with protecting the data assets of your corporation, this meeting might give you the queasy feeling you’ve entered an episode of The Twilight Zone.
The trouble is, you’re right.
When risk is stranger than fiction
While this might seem a fictitious depiction of how strategy and action gain momentum and approval within an organization, I promise you: It’s not farfetched. Anyone who’s had a few years in the corporate world under their belt realizes that desperate times often motivate organizations to embrace desperate measures, without contemplating the dangers. That includes not doing due diligence on vendors, or vetting them for hidden risks.
The problem is, just like on the TV show, this can end up in an unwelcome third-act twist.
Their product might, indeed, deliver as promised. But if it involves your data or user data, what are their safeguards? For instance, if it’s a web application integrated with your site, it may include hidden tags that export data to your vendor’s partners and subcontractors (without your permission). These piggyback tags can cause security issues, violate privacy laws, and degrade a user experience.
How do you temper this go-for-broke enthusiasm, and ensure that an appropriate level of vendor evaluation and scrutiny is employed before an irreversible commitment to their product has been made? A commitment where you’re going to be saddled with the responsibility for deployment success and ongoing operational risk?
Expanded due diligence
The first requirement for any new third-party product or service relationship has to be an examination of the vendor-provided due diligence documentation. This would include financial statements and their insurance certificates, along with any control audits (SOC 1 or SOC 2), business continuity and recovery plans and testing results, and likely information security documentation.
You may want to go the extra step to evaluate the background of the principals behind the offering of the product or service, interview existing clients, and do a search to identify any negative news. In the case of a recent market entrant, while everything that’s available might seem in order – at least, as far as what’s visible – do you really have a full picture? Are you ready to allow access to your most critical asset, your organization’s and your customers’ confidential data? What else should you do?
Multiple stages of vendor cyber risk evaluation
In the case of our own VRM solution, integrated with the renowned Black Kite cybersecurity monitoring platform, an assessment of a vendor’s technical posture is just one of several stages of evaluation. The technical posture can reveal many potential future pitfalls in a pending or existing relationship, such as ineffective updates and protections in the vendor’s processing assets and environment. Or it can spot where compromises already exist.
While the technical posture requires a technical background to evaluate in full, there’s a more “managerially understood” aspect of cybersecurity monitoring. It’s being able to determine vendor compliance with industry-standard requirements and accepted certifications. This is an important secondary capability for you to possess.
For example, the General Data Protection Regulation (GDPR), the European Union law defining the controls EU citizens have over their personal data. It’s been the source of litigation and major fines for violators, so it’s a risk area to be avoided.
Via cybersecurity monitoring using the aforementioned VRM solution, you can receive validation that required GDPR facilities operate within a proposed vendor’s public-facing web presence, giving you confidence about their conforming to GDPR requirements. Suggestions for improvement can be made, and input included in the evaluation.
This same procedure can be applied to other certifications and regulatory mandates, like the CCPA, the Shared Assessment SIF, ISO 27001, NIST and others. They’re just a few of a dozen (and growing) industry-defined standards. In the case of VendorInsight, our resident Vendor Evaluations Information Security Questionnaire is based on NIST standards and certified for vendor certification inputs into Normshield.
Steering clear of the Outer Limits of vendor cyber risk
Sorry, I couldn’t help myself. But rather than lose control, as in the intro to that old show, you can now gain more control over vendor cyber risk. Knowledge (and data), after all, is power, and the right VRM solution gives it to you.
Having insight into a provider’s cybersecurity shortcomings (and corresponding undue risk to your organization) provides exceptional leverage in negotiating a contract, or in calling a vendor on the carpet for corrective actions and financial adjustments. It also allows you to determine the financial exposure the exists, based on the data that’s resident within the relationship. This is extremely powerful insight, obtainable using the FAIR™ Institute Value at Risk (VaR) framework.
In the hypothetical example we started out with, being able to analyze our would-be vendor’s third-party cybersecurity posture may be the absolute best way to ensure that their proposed widget is acceptable. Being able to maintain ongoing monitoring of a third party’s cybersecurity posture and the reciprocal risk to your organization is empowering and essential for your organization. With the right VRM provider and solution on hand, you’ll avoid unwanted drama. Especially of the Rod Serling kind.