Last Updated on April 20, 2021
With the SolarWinds megahack still being unpacked, the issue of third-party risk management (TPRM) is once again in the cybersecurity headlines. Why can’t our industry do a better job addressing the red-alert risks that certain vendors pose?
I think one thing I’ve learned about vendor risk management is there’s not that much of a market for tools for vendor risk management, as much as there is a market for services backing tools for vendor risk management,” Eric points out. “You sell somebody a tool for vendor risk management; it can be very complex. And the first question… I know Prevalent went through this. They spent a lot of money building their systems. And then everybody was like, ‘Okay, that’s great, can you do it?’ ‘But we have this tool and we want to scale.’ ‘Yeah, that’s great. But I don’t want to spend the time learning it. You’re the expert, you do it.’ … And that’s just one example, but certainly a notable one.”
“I think the problem, and we saw this with all of the tools… I’m a certified third-party risk professional,” asserts John. “We’ve got three of them on staff. We’ve got certified third-party risk auditors on staff. So third-party risk management is something that we know an awful lot about. We’re very active in the shared assessment community. The challenge is, a tool is great. But a tool has to be configured per your plan. You need a vendor risk management policy. You need a plan, you need procedures. You need procedures to deal with [what happens] if a vendor fails vendor risk management. What do we do? Do we have an exception policy? Do we have a policy about how long we’ll give them to clean up certain things? So the tool without a policy and plan is nothing. And that’s really why so many of the tools have struggled a bit.”
So many vendors…so little time
“The other problem with third-party risk management, which is dreadful and there’s no easy solution to it, is… We have a client that’s a consulting organization. They’ve got 35,000 vendors. How do you do vendor risk management on 35,000 vendors? And how comprehensive a review do you do?” John probes.
“Risk-weighted!” Eric chimes in.
“But still, people can’t afford to do vendor risk management,” contends John. “So what happens is they take massive risks. I know an organization that is trying to get the cost per vendor review down to the lowest amount possible. A low price to do a vendor risk management review, with fully automated outsourcing to a lower cost area—the Philippines, India, places of that nature. If you can get your cost per review for a medium- or high-risk vendor down to 1,200 bucks, you’re thrilled. And that’s hard to do. If you’re going to do it onshore with good people and do it in a more comprehensive way, it’s not unusual for it to cost $3,000 to $4,000.
Eric replies: “I guess some organizations then aggregate the vendor risk reviews, so that they can just tap into what somebody else did. Of course, that doesn’t really get into specific use cases. What they answer for one doesn’t necessarily apply to you, and that’s really where it’s good to know [the vendor’s] overall posture. But depending on the sensitivity of the data, that’s a check-the-box. And who’s reviewing that? Who’s following up on it? Are they just collecting it and saying, ‘Hey, I have it on my files.’ And what are the risks that you note and I’ll note them, too? Or is there any kind of review? And when I said risk-weighting before, it’s tongue-in-cheek. Because risk-weighting, somebody else has to administer to that. Like how do you risk-rate 35,000 vendors? ‘Oh, okay, thank you. I’ll now spend two years doing that.’”
“Well, if you have 35,000 vendors, you’ve clearly got thousands of permutations of risk there,” notes John. “What data they have access to, what mechanisms they have access to the data through, and what laws and regulations the different types of data are subject to. The quantity of data that they have access to. Think about all the permutations, and now what’ll happen is, how many questionnaires do most organizations have? Three.”
“Logically, vendor risk management is broken,” John summarizes. “I’d love to tell you that I have an answer for it, but I really don’t. I think risk management’s a huge issue for the next 20 years.”
To hear this episode of The Encrypted Economy podcast with special guest John Verry and host Eric Hess in its entirety, click here.