- Today’s programs are insufficient to manage third-party risks
- The effectiveness of third party governance programs remains low
- Accountability and board-level involvement have increased only slightly
- Companies lack complete visibility into their third-party relationships
What is at the forefront when it comes to vendor risk?
"The biggest problem with vendor management is that it's a process that has to happen with multiple stakeholders, but many organizations do not have that. Once you have that level of buy-in from the executive board, the other challenge is with vendors -- what is their ongoing security posture, and what are the tools I can use to gauge a vendor's ongoing and current status of maturity? Gone are the days of a simple one-dimensional attestation; you need to go to the next level of scrutiny by diving deeper."
What is an example of a vendor that poses a threat in your organization that people may not think of?
Dechant offers an example involving an unassuming refrigeration vendor:
"We have $2 million worth of tissue samples stored in our lab fridge -- these are samples from people who have died from cancer. If we saw a risk with the refrigeration unit...these are samples we'll never get again. Do I have the right vendor doing temperature control for that refrigerator?"
What have been your biggest challenges in building a vendor risk management program?
Rasheed also notes that "when you start shining a flashlight in that dark room of your vendor ecosystem, you start seeing more and more methods that they can take hold of to attack your network (not protectively or deliberately) but through their weak controls. Vendors may say 'we have controls in place', but there's that notion: 'A fool with a tool is still a fool.' You can put controls in place, but if you don't have a 'wrapper' -- an ecosystem of processes and plans and deliverables that you're going to execute upon those controls and that you can demonstrate -- what's the point? Gone are the days of simple one-dimensional attestation; we need to go to the next level of scrutiny."
Like many other companies, Rasheed's organization relied on spreadsheets before, and he found he was throwing more bodies at the problem. "Instead of having 2-3 people chasing spreadsheets, we lowered our footprint of resources and shifted to a solution that's more automated; one of the reasons why ThirdPartyTrust was the perfect fit for us."
What has been the single biggest improvement you've made recently that had a big impact on your vendor risk program?
What are some ways we can start collaborating and doing this more effectively?