Vendor Due Diligence

Great Vendor Tools Does Not = Security


Last Updated on September 28, 2020

When it comes to vendor due diligence, I often see organizations make the mistake of overlooking one key aspect.

Most vendor risk management programs and practitioners focus only on the vendor risks, meaning the risks that the vendor poses to their organization. They rarely stop to think about the "total solution risk", which also requires an honest look at their own control environment and the risks their organization itself brings to the table.


For example, you could buy the best lock in the world from a top tier vendor for your front door, but if you fail to lock it, the entire solution fails. Many organizations use top tier cloud services like Amazon Web Services (AWS) or Microsoft Azure and make the mistake of assuming they are safe simply because they are using a top tier provider. I can't count how many times I've seen system misconfigurations and a lack of understanding of the shared responsibility model.
The Federal Financial Institutions Examination Council (FFIEC) recently published guidance on risk management for cloud computing services. Within this guidance, they stressed the importance of reviewing the responsibilities of the cloud provider alongside the responsibilities of your own organization. You cannot assume that comprehensive and effective security controls are in place just because you are using a top tier vendor. You need to carefully analyze and determine which controls your organization must put in place to ensure that the total solution is secure.

Vendor risk management cannot be viewed as only the vendor risks. You need to self-reflect and understand which of your own controls work together with the vendor's controls. To perform true vendor risk management, you need to understand the "total solution risk".

At Pivot Point Security, we've developed our Accelerated Vendor Due Diligence tool to address this shared responsibility issue in a manner that is faster and easier to scale than any other solution out there. Contact us today for more information.

Through our 17 years of experience, we've collected these 5 fast-track best practices for implementing a vendor risk management program as a small- to medium-size business (SMB).

Download our free TPRM PDF guide now!
