3 Ways To Address Cybersecurity In Vendor Risk Management
When talking about company-wide cybersecurity programs, we could go down a hundred different paths addressing the impact these policies have on your organization, third-party vendors, and clients. Instead, let's start from the big-picture topic of cybersecurity and drill down on one key component: vendor risk management.
Today we're covering why you should be concerned about your cybersecurity strategy, even if you haven't had a breach yet, as well as three practical ways to address vendor risk management within that policy.
Get more expert vendor management tips in our easy eBook Vendor Risk: Find It Before It Finds You.
Should You Be Worried About Cybersecurity?
Most of what you read in the headlines regarding cybersecurity in 2017 probably had to do with the mega-breaches and their fallout (see: Equifax, Uber, Yahoo). The Equifax breach stole most of the headlines due to the scale and sensitivity of the data exposed. If you are reading this, you might not have to deal with the scope and risk exposure those giant corporations face, but that doesn't make the topic any less important or applicable to your own firm, department, or practice area. As more businesses turn to third-party vendors, cloud technology in particular, to help scale and operate, it becomes more important to identify potential security risks and close those gaps with policies, programs, and committees dedicated to the effort. A recent Wall Street Journal article on top CEO concerns cited a survey by XpertHR, an online provider of compliance guidance:
"64% of 1,031 HR professionals believe data security and threat of cyberbreach will become a very challenging or extremely challenging issue in 2018."
Simply put, even if you haven't had an issue yet, that doesn't mean you're safe from cyber risks.
Corporate Strategy & Response to Cybersecurity Risks
In a related WSJ article they reported that more corporate boards are seeking greater insight into cybersecurity risks, especially after the Equifax breach was disclosed in 2017.
Betsy Atkins, a lead independent board director at HD Supply Holdings, said, "The company had no formal procedure for dealing with certain cybersecurity threats...Equifax triggered a review of the thoroughness of our oversight and compliance and of our gaps, and we acted." A reactive cybersecurity strategy is not the most advisable course of action, but the breach nonetheless forced many corporate boards to review their posture and take action, which is the goal. Atkins also shared, "HD Supply's board and management devised a response plan, including creation of a bitcoin account from which to pay ransomware attacks."
The article also points to other boards taking a similar course of action: the boards at Volvo Car AB and Schneider Electric are considering reallocating cybersecurity oversight duties among board committees this year.
Ms. Atkins said she plans to push her boards to request two comprehensive cybersecurity reviews per year instead of one.
In the same article, Mark Morrison (CISO of Options Clearing Corp.) said his board wanted to know whether they were vulnerable to a similar attack, adding that he also provided a more detailed analysis in October at OCC's quarterly board meeting.
The best thing we can do is be proactive, not reactive. We need to do our homework, consult experts if needed, and implement effective security precautions.
Still Room for Improvement
While the above examples are a good starting point for improved cybersecurity, experts still warn we are far from fully prepared should a crisis arise. David DeWalt, former CEO of cybersecurity firm FireEye Inc., said, "Boards need to be better prepared with proper talent, proper technology and proper processes." Mr. DeWalt also adds, "Most boards fail on most or all of these components."
If you are an IT Security, Vendor Risk Management, or Compliance Director, you might be asking yourself what practical steps you can take to ensure your firm proactively shores up its current policies or creates new ones altogether. Here are some practical approaches to these critical processes:
3 Practical Ways to Address Vendor Risk Management
- Ensure your company has a documented process, and adhere to it, especially when gathering and assessing third-party vendor security responses. Focus specifically on the technology vendors you rely on for critical business operations and those that have access to valuable company and client data, where applicable.
- Enhance vendor selection and vendor management data gathering by upgrading from Excel to a purpose-built technology platform that can track hundreds of vendors and their changing policies in real time. Why? Because there are several problems and risks associated with using Microsoft Excel and other legacy databases to manage these processes: spreadsheets offer no audit trail, no access control over who edits a vendor's assessment, and no way to flag an assessment that has gone stale.
- Establish open and frequent lines of communication between IT Security, Vendor Management, and the corporate board. Strive for twice-yearly comprehensive vendor management and security review meetings. Give those issues ample time on the board agenda, and bring in your CISO or CIO to present findings in those meetings.