Before Target and Home Depot there was the Epsilon breach. Deemed the “Hack of the Century” in 2011, it was a massive breach impacting the world’s largest brands, caused by a company that consumers had probably never heard of. Epsilon, one of the world’s largest digital marketing firms, handles more than 40 billion emails a year for more than 2,200 companies. When a hacker got into Epsilon’s email server, they made off with names and email addresses. The companies impacted warned their customers to beware of unsolicited email: a stolen name paired with a valid address, and knowledge of which brands the person does business with, is exactly what a convincing spear-phishing message needs.
How much has changed in the world of Vendor Risk Management since 2011? Unfortunately – not much.
According to a Forrester report, “2016 Tech Budget Benchmarks,” over 40 percent of technology spending today involves a third-party relationship. Yet most organizations seem to spend only a fraction of their time managing vendor risk.
In a Deloitte Compliance Trends Survey, compliance professionals said third-party risk is the greatest threat they face, but only 42 percent say they always audit compliance with policies or regulations. That leaves a majority over-exposed to risk they have already identified.
It’s not that risk and compliance professionals are intentionally ignoring third-party risk. Rather, they often feel the task at hand is insurmountable, so they do nothing or the bare minimum. What can organizations do to get a better handle on vendor risk?
Rsam counsels customers to start with the basics and iterate from there. Every risk and compliance program follows a maturity curve. Don’t try to leapfrog from the bottom to the top: the bumps along the way are predictable, and any one of them can stall your program entirely if you skipped the groundwork.
Often we see companies reinventing the wheel when it comes to categorizing and assessing vendors. You aren’t the first company to solve this challenge, so leverage solutions that offer out-of-the-box assessment workflow and content built on Shared Assessments, HITRUST, PCI DSS, NIST and other standards. You can modify and add to it later, but remember the goal isn’t perfection right out of the gate.
Another suggestion is to keep questionnaires as brief and relevant as possible. Many companies make the mistake of asking every vendor the same questions. You spend time collecting data you may not need, or data you can’t make sense of. Worse, your vendor may not be able to tackle the breadth of the assessment, so they ignore it.
Instead, focus on collecting meaningful information. For example, send all vendors a simplified classification assessment: a handful of questions about what data they handle, how they connect to your environment and how critical they are to the business. This lets you take a risk-based approach, using the answers to decide which vendors need to be further assessed with more comprehensive, topical assessments and which do not.
As your program matures, you will want the ability to automatically identify gaps from the survey responses (a control the vendor answered “no” to, or an answer outside your tolerance) and to route each gap into a risk remediation workflow with an owner and a due date.
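The two stages just described, a short classification assessment that sets a tier and a topical assessment whose responses are checked for gaps, can be prototyped in a few dozen lines. The following is an added example written for this page; it is not Rsam’s product code. The question identifiers, answer weights, tier thresholds, control expectations, remediation windows and the two sample vendors are all assumptions constructed for the illustration. The one design choice worth copying is that an unanswered or unrecognised classification answer is an error, not a zero: a vendor that skips the data-classification question must not be under-tiered by default.

```python
"""Two-stage vendor triage: classification score -> tier -> required
assessments, then topical responses -> remediation gaps.

Added illustration, not Rsam's code. Question IDs, weights, thresholds,
control expectations, due dates and sample vendors are assumptions."""
from dataclasses import dataclass

# Stage 1: classification questions and answer weights (assumed).
CLASSIFICATION_QUESTIONS = {
    "data_classification": {"public": 0, "internal": 1, "confidential": 3, "regulated": 5},
    "network_access": {"none": 0, "remote_support": 2, "direct_connection": 4},
    "business_criticality": {"low": 0, "medium": 2, "high": 4},
    "fourth_parties": {"no": 0, "yes": 1},
}
# Highest threshold first; a score at or above it lands in that tier.
TIER_THRESHOLDS = ((10, "critical"), (6, "high"), (3, "medium"), (0, "low"))
# Topical assessments each tier must complete (assumed mapping).
TIER_ASSESSMENTS = {
    "low": (),
    "medium": ("security_baseline",),
    "high": ("security_baseline", "privacy"),
    "critical": ("security_baseline", "privacy", "business_continuity"),
}
# Stage 2: (expected answer or predicate, severity, remediation window in days).
EXPECTED_CONTROLS = {
    "security_baseline": {
        "mfa_for_admin_access": ("yes", "high", 30),
        "encryption_at_rest": ("yes", "high", 60),
        "external_pen_test_last_12_months": ("yes", "medium", 90),
        "breach_notification_sla_hours": (lambda v: int(v) <= 72, "medium", 45),
    },
}


@dataclass(frozen=True)
class Gap:
    vendor: str
    assessment: str
    control: str
    answer: str
    severity: str
    due_in_days: int


def score_classification(answers):
    """Sum answer weights. Missing or unknown answers raise rather than score 0,
    so a vendor cannot land in a low tier by leaving questions blank."""
    missing = set(CLASSIFICATION_QUESTIONS) - set(answers)
    if missing:
        raise ValueError(f"unanswered classification questions: {sorted(missing)}")
    total = 0
    for question, answer in answers.items():
        weights = CLASSIFICATION_QUESTIONS.get(question)
        if weights is None or answer not in weights:
            raise ValueError(f"unexpected answer {answer!r} for {question!r}")
        total += weights[answer]
    return total


def assign_tier(score):
    for threshold, tier in TIER_THRESHOLDS:
        if score >= threshold:
            return tier
    return "low"


def meets(expected, answer):
    """Blank or unparseable answers fail the check instead of passing silently."""
    if callable(expected):
        try:
            return bool(expected(answer))
        except (TypeError, ValueError):
            return False
    return answer == expected


def find_gaps(vendor, assessment, responses):
    """One remediation item per control whose answer misses the expectation."""
    gaps = []
    for control, (expected, severity, due) in EXPECTED_CONTROLS[assessment].items():
        answer = responses.get(control, "")
        if not meets(expected, answer):
            gaps.append(Gap(vendor, assessment, control, answer, severity, due))
    return gaps


def triage(vendor, classification_answers):
    score = score_classification(classification_answers)
    tier = assign_tier(score)
    return {"vendor": vendor, "score": score, "tier": tier,
            "required_assessments": TIER_ASSESSMENTS[tier]}


# Constructed sample data: one high-exposure vendor, one that touches nothing.
SAMPLE_VENDORS = {
    "EmailPlatformCo": {"data_classification": "regulated", "network_access": "direct_connection",
                        "business_criticality": "high", "fourth_parties": "yes"},
    "OfficeCateringLLC": {"data_classification": "public", "network_access": "none",
                          "business_criticality": "low", "fourth_parties": "no"},
}
SAMPLE_BASELINE_RESPONSES = {  # pen-test question deliberately left unanswered
    "EmailPlatformCo": {"mfa_for_admin_access": "yes", "encryption_at_rest": "no",
                        "breach_notification_sla_hours": "96"},
}


def run_example():
    results = {name: triage(name, a) for name, a in SAMPLE_VENDORS.items()}
    gaps = find_gaps("EmailPlatformCo", "security_baseline",
                     SAMPLE_BASELINE_RESPONSES["EmailPlatformCo"])
    return results, gaps


if __name__ == "__main__":
    results, gaps = run_example()
    for r in results.values():
        print(f"{r['vendor']}: score={r['score']} tier={r['tier']} "
              f"requires={list(r['required_assessments'])}")
    for g in gaps:
        print(f"GAP {g.vendor}/{g.control}: answered {g.answer!r}, "
              f"severity {g.severity}, due in {g.due_in_days} days")
```

Run as a script it tiers the email platform as critical (score 14) with three required assessments, leaves the caterer at low with none, and produces three gaps for the email platform: encryption at rest answered “no”, the pen-test question left blank, and a 96-hour notification SLA outside the 72-hour tolerance. In a real program the thresholds and control expectations would be the parts you tune as the program matures; the shape of the pipeline stays the same.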
But you don’t need to solve for all of this on Day One. Keep things simple for your vendors and yourself and you will reach success faster.
Establish success criteria throughout the evolution of your program. One Rsam customer maintains a rolling two-year program roadmap that includes tactical aspirations and strategic goals.
Vendor Risk Management is complicated. A steady, measured approach will win the race more quickly than an all-out sprint. Once you gain small victories you can mature your program from there.
Learn more about Rsam’s approach to practical vendor risk management here.