Solutions for Vendor Risk

Cyber Security Solutions For Vendor Risk Management

Today, it’s not uncommon for organizations to look to third-party vendors to provide services and resources to meet their business needs. After all, we’ve all been contracting out services and supplies for most of our careers. But in today’s ever-connected world, the risk of security breaches from or to third-party vendors has grown exponentially.

With the complexity of today’s globally functioning supply chains, identifying and avoiding cyber-related third-party vendor risks is becoming more and more of a challenge. Bad actors are now using any means necessary to breach systems and gain access to intellectual property, sensitive information and PII, just for starters. Once the bad actors have found a way into the third party, they can leverage the vendor’s access as a way into your environment and ultimately your crown jewels.

Managing Vendor Risk

Managing vendor risk starts at the top. Executive leaders must embrace and support the VRM solution in order for it to become part of the organization’s culture. As we all know, vendor risk management cybersecurity assessments can be a slow process. Yet when a company builds a robust risk management program, the process of evaluating the vendor can be less time-consuming. That said, for the balance of risk and reward to be embraced, leadership must advocate the reduction of risk over immediate short-term results. The linchpin of a successful program is for leadership to first understand the risks and determine the risk appetite of the organization.

Not all vendors present the same level of risk. That risk level can often be determined by the types of data they have access to and the access they have to your organization’s network. We’ve seen companies classify risk based on the size of the organization or their financial stability. While these are factors that weigh into the risk matrix, they’re not the key factors to be considered in assessing how much risk a vendor poses to your organization. We’ve also seen companies bypass risk assessments for smaller vendors simply due to size or the vendor’s resources, believing they present little risk to the organization. They could not have been more wrong. SMBs often present greater risks due to their lack of resources, or because in their rush to get to market they’ve overlooked some of the basic security tenets that are the foundation of a good security posture.

In order to address cyber-related supply chain risks, organizations must have strategies in place to actively and preemptively address cybersecurity in and along the entire value chain.

Risk Management Program

TBG Security works with our customers to build a risk-based, third-party risk management program that includes a standardized, repeatable process designed to draw out meaningful insights into a vendor’s security posture.

Our Service Solutions

TBG Security has partnered with three of the industry-leading vendors to create a TPRM/VRM service to address both the regulatory requirements and best industry practices in this space. TBG Security’s VRM service provides everything your organization needs to build, implement and execute a robust, comprehensive program to effectively manage the risks posed by the use of third-party vendors.

The three complementary components of our service solution are provided by Whistic, RiskRecon and Osano.

Components We Leverage

Whistic

Whistic is on Gartner’s 2020 Magic Quadrant as a leading provider of IT Vendor Risk Management tools. Whistic makes it easy for buyers to assess their vendors and for vendors to proactively share their security posture directly from Salesforce, including security assessments, documentation, audits, and certifications to build trust early in the sales process.

RiskRecon

By leveraging RiskRecon, our solution makes it easy to gain deep, risk-contextualized insight into the cybersecurity risk performance of all of your third parties. RiskRecon gives you visibility into a deep risk assessment spanning 11 security domains and 41 security criteria: software patching, network filtering, IP reputation, web encryption, application security, and more. All of it is fully risk-contextualized and tuned to match your risk appetite.

Osano

While assessing and monitoring your vendors’ security posture is critical to managing risks in your supply chain, how your vendors handle privacy requirements has become paramount in meeting the ever-changing privacy regulatory landscape. The California Privacy Protection Act (CCPA), California Privacy Rights Act (CPRA), General Data Protection Regulation (GDPR), and Canada’s Consumer Privacy Protection Act (CPPA) all have third-party vendor requirements dealing with how your vendors and/or third parties handle protected information. That’s why we’ve partnered with Osano to round out our offering to assess vendors’ privacy and consent posture. Osano calculates the scores for each vendor based on 163 items assessing cookie policy, enforcement, GDPR/CCPA statements of accessibility, choice, enforcement and numerous others, providing you with a real-time assessment of the third party’s privacy posture.

For more information or if you have a specific question, we’re here to help.