Vendor Risk Management is an interesting space. Everyone does it differently, there is no right or wrong, and vendors offer a wide range of services. If you are building or operating a Vendor Risk program, you have at least identified one thing: using third-party vendors comes with some level of risk to your business. A survey conducted by Gartner found that out of 100 executives surveyed, 84% indicated that a third-party risk “miss” resulted in operations disruptions. Despite this, reliance on third-party vendors remains high, with shared work and collaboration being essential to the business’s success. So how do we properly secure these vendors and ensure that we do not have a business operations impact when the vendor landscape is so vast?
Third-party vendors come in many shapes and sizes. Some are niche and only provide one specific service. They may have a small number of employees and a small facility or be totally remote. Other vendors are quite large and have hundreds to thousands of employees, offer a wide range of services, and work across many industries. No two companies are alike, and each has its own policies, procedures, and values that make it different.
So where do we start?
Step 1: Identify What Is High Risk
The first step is figuring out what is considered high risk to your company. Is it financial assets? Is it content that is being created? Is it blueprints? Every company has risk, but what that risk is will vary. Risk is often tied to financial impacts: products that create revenue, ideas that generate buzz, etc. However, it can also often be reputation-focused: Personally Identifiable Information (PII) that could cause a lawsuit, a movie getting leaked and posted online, or private emails getting released. Risk comes in many different forms and levels. Understanding what is considered high risk to your company is the starting point, and it will help you continue to step two.
Step 2: Who Handles High-Risk Content?
According to the Deloitte Global third-party risk management survey 2022, 55% of survey respondents indicated they segment their third parties based on those that present the highest risk to their company. Understanding what type of vendors handle your high-risk content is crucial to any vendor risk program. This is the stage where you evaluate the service offerings of the various vendors in your pool and determine which services may require more attention than others. If you do not know where your highest risk lies, then you do not know where to focus your assessment efforts.
Step 3: Control Mapping
Once you know which types of vendors present the biggest security risks to your company, step three is where the rubber hits the road: control mapping. Control mapping is the concept of mapping your Security Controls to the services a vendor offers to determine which controls apply to which types of vendors. For example, you may say photo IDs are required for a company that has 100 employees, but maybe they are not required for a company with only five employees, or you may have a policy that all vendor employees should be under an NDA with their own company and that applies to everyone no matter the service. Maybe you want to be more stringent with a vendor who is providing legal services as opposed to someone providing catering services. Control mapping allows you to customize your assessments for the type of vendors you are working with. It gives the vendor an assessment custom-tailored to their services and gives the assessor guidance on what is in scope and what is not. This allows the focus to be where the risk lies.
Start helps companies tailor these assessments every day. Controls pull into assessment reports automatically and are driven by a control mapping that companies come up with based on what their needs are. Everyone measures risk differently; it is not one-size-fits-all. The same applies to your vendors. Every vendor is different in both size and services, yet these services help businesses thrive and be successful. The results of security misses can be detrimental to operations, finances, and especially reputation when things go wrong. But through collaboration and an understanding of your vendor’s company, a secure relationship is always possible. Talk to our team of experts to learn how to help your vendors not only meet but exceed your security controls with a customized assessment through Start.