September 29, 2020

Last Updated on January 4, 2024

These days organizations are more reliant than ever on vendors and other third parties, especially to support remote workers. The results of this tectonic shift in IT infrastructure include a big expansion of most companies’ cyber attack surfaces. More than half of all data breaches now involve a vendor and that percentage is increasing.
Yet SMBs continue to struggle with vendor risk management (VRM) and vendor due diligence.

Why VRM & vendor due diligence a struggle?

Because current approaches make VRM time-consuming, expensive and hard to scale—and, in many cases, current efforts do a poor job of actually managing vendor risk. In particular, current one-size-fits-all questionnaires yield an incomplete and inexact view of risk, while taking forever to fill out and evaluate.
To address this industry-wide problem within our own VRM practice, Pivot Point Security built an expert system that we originally developed to streamline risk assessments in our ISO 27001 engagements. Dubbed ARM (for Accelerated Risk Management… admittedly not the most clever name), it’s been delivering outstanding results for us and our VRM clients.
In a recent episode of The Virtual CISO Podcast, host John Verry, Pivot Point Security’s CISO and Managing Partner, talks with Kevin Hermosura, Pivot Point Security’s VRM practice lead, about how ARM works and what problems it solves for SMBs.

How these Better, Faster and Less Expensive Vendor Reviews Work

What ARM basically does is “right-size” questionnaires for specific vendors depending on key risk factors in how they engage with your company. These include what systems and data a vendor can access, how much data they process, whether they have physical access to facilities, and so on. The vendor that takes care of your potted plants needs to address a different set of risks from your CRM SaaS provider or the MSP that does break/fix maintenance on your PCs.
ARM starts by asking you targeted questions about the vendor relationship. From there it generates a custom questionnaire in user-friendly Excel format for you to share with the vendor.
ARM bases its questions to vendors on the Secure Controls Framework (SCF). ARM also asks vendors to rate their level of maturity regarding the relevant controls.
When you get the questionnaire back, just import it into ARM and it calculates a vendor risk score from the responses. For example, if social engineering of an unwary vendor employee could result in disclosure of your data, a “high” maturity for a security awareness education control would reduce the associated risk more than a “low” or “moderate” maturity.
If ARM calculates the residual risk associated with a vendor exceeds risk tolerance levels, it automatically alerts you to the specific contributory issue(s). Further, ARM provides automated risk treatment recommendations. In the above example, ARM might recommend that you require the vendor to improve security awareness education from its current maturity level of 1 to 2.5 or 3 in order to meet your risk acceptance criteria.

More than ever, SMBs need to be confident that their vendors can securely transmit, store and process their sensitive data. ARM offers a VRM mechanism that is more effective, faster AND less costly than alternatives.

To find out more about this new paradigm shift in vendor risk assessment, click here to hear the complete episode of The Virtual CISO Podcast with Kevin Hermosura.
If you don’t use Apple Podcasts, you’ll find all our episodes here.

SOC 2 vs ISO 27001 (Or Both)

What every Software-as-a-service (SaaS) firm needs to know in order to acquire/maintain independent validation of their security posture.
View our guide today.