Your Vendors are a Risk, but How Much of a Risk?
Posted by: Gary Brickhouse
Have you ever been to a restaurant and ordered something from the menu, only to be told by the waitress, “I’m sorry, but we are out of that item”? Now, stomach rumbling, you have to choose a new item. No matter how the meal turns out, this experience usually changes our perception of the restaurant we were dining at.
If we were to dig deeper into why our preferred item wasn’t available, we might find that there was a supply chain issue. The restaurant’s vendor that was supposed to provide the beef for your steak didn’t deliver the order on time, or maybe they had a recall on their meat due to contamination. This break in the supply chain was a potential risk that came to fruition. The event has harmed the business and has tarnished the restaurant’s reputation with the customers who tried to order that meal, potentially leading to a string of bad Yelp reviews, especially if it were a recurring problem.
This example is a simple one, but you can see when our businesses rely on third parties/vendors to provide our products and services, it comes with associated risks. We need a strategy in place to appropriately identify and assess those risks. If we look at the example with the restaurant above, having information about the vendor, such as their safety standards or recent safety audits, could have enabled us to categorize that vendor as a high risk for business service continuity. Knowing that information would have allowed the business to come up with a contingency plan to mitigate that risk, perhaps by having a secondary meat provider.
Now, a slab of meat and a company’s data don’t hold the same weight when it comes to risk. For instance, staying with the same restaurant, what if we start talking about the Point of Sale (POS) vendor used to process credit card transactions? This vendor likely has access to the register for remote support, typically from a connection outside of the corporate network. Technical issues with the device are certainly a risk, but based on the data involved, it quickly becomes a much more precarious situation. The POS device may hold payment data, so if the vendor were to be compromised by a bad actor, that data, and potentially your larger corporate network, could be at risk. The question for you is: “Were you aware of the potential risks to the data and potentially your larger network?”
Just knowing who these vendors are doesn’t mean we fully understand their impact on our business if there is an issue. The problem lies in determining the risk of each vendor across all the muddy in-between areas and establishing a plan to assess those risks for each level in a scalable way.
This plan should include tiering or categorizing your vendors. By tiering your vendors based on their risk and criticality to your organization, you can leverage appropriate risk assessment activities based on the level of inherent risk presented to your company. This allows you to focus your efforts on those higher-risk suppliers that are more in need of your attention, and not waste cycles and budget on non-critical vendors.
Identifying your vendors and putting them into risk categories is only a portion of what should be in your Third-Party Risk Management Program. There is still a need for assessments to define areas of risk and to determine what types of business impacts are associated with them. We have to make sure this risk program scales to all of our vendors and is not only usable for one or two. So, whether you are starting the process or looking to mature your current one, getting the list of vendors and categorizing them based on their risk and criticality to your business is key to getting started in building out your Third-Party Risk Management Program.
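As an added illustration of the tiering approach described above (not code from the original post or from GuidePoint), the following Python sketches an inherent-risk scoring model for vendors. The factor scores, tier thresholds and assessment activities are constructed assumptions; the beef supplier and POS support vendor are the post’s own examples.

```python
from dataclasses import dataclass
from enum import IntEnum

# Constructed scoring: data exposure and network access weigh more than
# service criticality, reflecting the post's point that a slab of meat and
# payment data do not carry the same risk.
class Data(IntEnum):
    NONE = 0       # vendor never handles company data
    INTERNAL = 1   # non-sensitive business data
    REGULATED = 3  # payment card data, PII, or similar

class Access(IntEnum):
    NONE = 0       # no connection into our environment
    ONSITE = 1     # physical presence only
    REMOTE = 3     # remote support link from outside the corporate network

class Criticality(IntEnum):
    LOW = 0        # loss is an inconvenience
    MEDIUM = 1     # loss degrades a service
    HIGH = 2       # loss stops a core business service

@dataclass
class Vendor:
    name: str
    data: Data
    access: Access
    criticality: Criticality
    has_alternate: bool = False  # contingency plan (e.g. secondary supplier) exists

def inherent_risk(v: Vendor) -> int:
    """Inherent risk ignores controls in place; it is what decides the tier."""
    return int(v.data) + int(v.access) + int(v.criticality)

def tier(v: Vendor) -> int:
    """Tier 1 is highest. Regulated data alone forces Tier 1 regardless of score."""
    if v.data == Data.REGULATED or inherent_risk(v) >= 5:
        return 1
    return 2 if inherent_risk(v) >= 2 else 3

ASSESSMENT = {  # assessment effort scales with tier (assumed activities)
    1: "full questionnaire, evidence review, annual reassessment",
    2: "abbreviated questionnaire, reassess on material change",
    3: "contract terms only",
}

def plan(vendors):
    """Return (name, tier, assessment, contingency gap) ordered riskiest first."""
    rows = []
    for v in sorted(vendors, key=inherent_risk, reverse=True):
        gap = v.criticality == Criticality.HIGH and not v.has_alternate
        rows.append((v.name, tier(v), ASSESSMENT[tier(v)], gap))
    return rows
```

The contingency-gap flag surfaces vendors like the beef supplier: low data risk, but a business-continuity problem until a secondary provider exists.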
For more information and guidance on vendor risk and help to define a Third-Party Risk Management Program, check out our White Paper: Key Components to Addressing Third-Party Risk.
About GuidePoint Security
GuidePoint Security provides trusted cybersecurity expertise, solutions and services that help organizations make better decisions that minimize risk. By taking a three-tiered, holistic approach for evaluating security posture and ecosystems, GuidePoint enables some of the nation’s top organizations, such as Fortune 500 companies and U.S government agencies, to identify threats, optimize resources and integrate best-fit solutions that mitigate risk.
Contributing Author
Gary Brickhouse, VP, GRC Services & CISO, GuidePoint Security
Gary is responsible for all aspects of GuidePoint’s Governance, Risk, and Compliance services, including building and managing the GRC team; offering and collateral development; pre-sales and sales enablement support; practice methodology; and service delivery.
Gary Brickhouse, CISO, GuidePoint Security
Gary Brickhouse, CISO and VP of GRC Services at GuidePoint Security, began his career in the security industry in 2001. Gary is GuidePoint’s internal CISO and is responsible for all aspects of the company’s information security program, inclusive of building and maintaining our internal security architecture and control practices. Gary also leads the GRC Services consulting practice where he is responsible for the development and delivery of GRC service offerings to support our clients. This unique position allows Gary greater visibility into customer needs from an industry services perspective and also as a practitioner, addressing the same risks for GuidePoint.
Previously, Gary was the Security and Compliance Architect for The Walt Disney Company, working on a large, multi-year business program where he served as the subject matter expert for compliance, data privacy, infrastructure and application security as well as securing emerging technologies like RFID. While at Disney, Gary also served several years as the Compliance Manager responsible for the oversight and execution of the parks and resorts’ compliance programs. Previous to working at Disney, Gary was an Information Security Specialist at Publix Super Markets, one of the nation’s largest retailers.
Gary is a frequent speaker at industry conferences and webinars, covering a wide array of information security topics. He earned a Bachelor of Science degree from Florida Southern College, holds the Certified Information Systems Security Professional (CISSP), and is an ITIL v3 expert.