September 28, 2020

Last Updated on January 13, 2024

When it comes to vendor due diligence, I often see organizations make the mistake of overlooking one key aspect.

Most vendor risk management programs and practitioners focus almost exclusively on vendor risks – the risks the vendor poses to their organization. They rarely stop to think about the “total solution risk”, which includes an honest self-assessment of their own control environment and the risks they themselves bring to the table.

For example, you could buy the best lock in the world from a top-tier vendor for your front door, but if you fail to lock it, the entire solution fails. Many organizations use top-tier cloud services like Amazon Web Services (AWS) or Microsoft Azure and make the mistake of assuming they are safe simply because they are using a top-tier provider. I can’t count how many times I’ve seen system misconfigurations and a lack of understanding of shared responsibility.

The Federal Financial Institutions Examination Council (FFIEC) recently published guidance on risk management for cloud computing services. Within this guidance, they stressed the importance of reviewing the responsibilities of the cloud provider in addition to the responsibilities of your own organization. You cannot assume that comprehensive and effective security controls are in place just because you are using a top-tier vendor. You need to carefully analyze and determine which controls your organization must put in place to ensure that the total solution is secure.

Vendor risk management cannot be viewed as only the vendor’s risks. You need to self-reflect and understand which controls you have in place that work together with the vendor’s controls. To perform true vendor risk management, you need to understand the “total solution risk”.

At Pivot Point Security, we’ve developed our Accelerated Vendor Due Diligence tool to address this shared responsibility issue in a manner that is faster and easier to scale than any other solution out there. Contact us today for more information.

TPRM for SMBs guide

Through our 17 years of experience, we’ve collected these 5 fast-track best practices for implementing a vendor risk management program as a small- to medium-sized business (SMB).
Download our free TPRM PDF guide now!