Metrics drive the measure of progress and stand as benchmarks during any assessment, audit or review process. They are the life blood of reporting and when it comes to vendor risk management, it is not as straight forward as you might think. Let's take a deeper look into what Guy Dulberger of Ritchie Bros. has to say about the key metrics to track when assessing vendor risk and how a risk-based approach is the new norm for vendor risk management.
"I think an important aspect of what makes a great security report, KPI or metric is understanding your business and where your greatest orgnizational risk lies."
- Guy Dulberger, Information Security Executive
In a recent post on Digital Guardian, Dulberger outlines a series of metrics to track when assessing third party risk. As always, the first step is to create a list of your most critical vendors, usually ones that carry PHI, PII, PCI, etc or have network access. Then from there, create a risk rating system that is clearly communicated to management and understood by the rest of the organization. This is primarily done through a numerical rating system or something similar to low, medium, high rating.
Once the rating system has been finalized, it's time to rate vendors based on seven critical areas:
- Volume of Information
- Type of information
- Size of commitment
- Criticality of the service
- Ease of replacement
- Brand reputation
- Threat intelligence
After rating each vendor on each of these subjects, there should be a quantifiable way of presenting and reporting to management and the rest of the organization.
At ThirdPartyTrust, benchmarking and reporting are at the heart of the platform. Utilizing a customizable, risk-based appraoch is difficult when dealing with hundreds of vendors, but by standardizing critical issues, like network access, information security teams can easily do more assessments while maintaining a standard base.
We've created automated reporting, such as the heat map above, to provide insights to vendor populations. Enterprises can use subjects like "vendor requires PCI compliance" or "vendor has network access" to measure impact (helpful link) and trust (helpful link) of the vendor.