You’ve heard that vendor dependencies are ripe for malicious abuse and you have read the stories where vendors were used to exploit and infiltrate their customers. Now, you’ve been put in charge of ensuring your vendors, third parties, contractors, and supply chains are at least as secure as you are: Welcome to Vendor Risk Management (VRM)!
Where Do You Start and What Do You Do?
First, recognize that VRM is all about reducing overall risk to your organization, and in particular, cybersecurity risks since much of how we interface with vendors is via digital interactions. Second, recognize that it’s going to take a system to do it. VRM isn’t a process that scales well using paper and verbal interviews.
Here are the other steps and phases along the way:
Get Executive Management Support
Make sure you have executive management sponsorship. VRM programs take time, people, and money. You likely already have executive support if you are exploring how to run a VRM program; if not, it is essential that senior management supports both the program and the expenses involved. A VRM system can easily lead to a situation where someone’s existing or newly selected favorite vendor is denied access to interoperate with your systems or data. Denying a vendor permission to move forward can strain relationships and bring emotions into the mix. You need solid management support so that if, or when, the tough decisions need to be made, everyone understands why the VRM program exists in the first place. You want everyone on your team pulling in the same direction—pulling for the vendor to remediate their critical issue instead of blaming you for interrupting an existing or new process. Everyone always claims they are on board until someone can’t get what they want to meet their own project deadlines. You will need the backing of senior leadership in these instances. Don’t do it alone.
Define the Program Scope
You need to define the scope of the VRM program. Will all vendors (and contractors and third parties), regardless of size, be required to participate? Are there minimum entry-level criteria that force a vendor into your program, such as revenue/expense thresholds or the involvement of confidential data? Are there industry requirements (e.g., NIST, ISO 27001, HIPAA, PCI-DSS, SOX, NERC) involved? Can the company do business with vendors and other third parties that haven’t undergone the VRM process?