Category Archives: Vendor Risk Management

How to align the vendor's objective and internal risk profile

One of the key issues in correctly assessing and managing vendor risk is the ability to analyze the vendor's potential risk exposure and to run the risk evaluation process accordingly.

The process should include:

    • Understanding the business process
    • Mapping the data or processes potentially at risk
    • Analyzing the business or operational impact of a vendor breach
    • Aligning the audited controls and categories with that exposure

For example:
Vendor A is a small software development company providing us with services under two separate deals:

Deal 1:

Business owner: IT

The deal:

The vendor provides outsourced code development services and processes employee data in an AWS environment. A breach there might cause major business disruption, so the security evaluation should address the following, beyond a traditional security audit:

    • Assessment: software provider, sensitive.
    • IP exposure analysis: data encryption, employee privilege management, separation of environments, etc.
    • Privacy-related exposures: private data handling, policies and procedures, privacy compliance opinion, etc.
    • Cloud security measures required: cloud security posture management, relevant certificates, etc.
    • Timing and severity: the vendor might be assessed annually, with findings thresholds that demand a high standard of security.

Deal 2: 

Business owner: R&D

The deal:

On-site technical consulting on the architecture of the company's planned website renewal, where no data is stored by the vendor.

In this case, the assessment scope can be minimal and include the following:

    • Assessment: consulting
    • IP exposure analysis: NDA execution, email security.
    • Timing and severity: the vendor might be assessed once, with findings thresholds that demand only a basic standard of security.

Being able to orchestrate and automate the risk assessment requirements and analysis gives a better understanding of the real exposure, increases vendor engagement and commitment, dramatically reduces security handling costs and improves the accuracy of the risk evaluation.


Maintain holistic internal risk management

In order to perform better security analysis and execute at scale, the following process elements should be addressed, using your own organizational terminology.

    1. Vendor/deal risk exposure mapping, as indicated by business owners:
      • Mapping of deal elements
      • Mapping of business impact
      • Mapping of potential assets exposed
    2. Security and privacy requirements:
      • Transformation of the initial vendor/deal mapping into an actionable assessment framework.
      • Determination of benchmarks and standards.
      • Determination of assessment frequency.
      • Determination of a minimal risk threshold for executing an assessment.
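The mapping above (business-owner answers in, assessment tier, triggered control categories, cadence and findings threshold out) and the Deal 1 / Deal 2 example earlier can be written down as a small classifier. The following is an added example, not code from the original post or from the Findings product; the field names, weights, tier thresholds, cadences and control-category names are assumptions chosen for illustration. It also shows the reuse decision a vendor-management tool has to make: whether an assessment already finalized for one deal covers a new request from another business owner for the same vendor.

```python
"""Added example, not part of the original post or of the Findings product:
a small internal vendor/deal risk classifier that turns business-owner answers
into an assessment tier, scope, cadence and findings threshold, and decides
whether an already finalized assessment can be reused for a new deal.
Field names, weights, thresholds and cadences are assumptions for illustration."""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class DealProfile:
    vendor: str
    business_owner: str       # e.g. "IT", "R&D"
    service_type: str         # e.g. "software_development", "consulting"
    data_classes: frozenset   # e.g. {"employee_pii", "source_code"}
    stores_data: bool         # does the vendor hold our data at rest?
    hosting: str              # "vendor_cloud", "on_prem" or "none"
    network_access: bool      # VPN/API access into our environment
    business_impact: str      # "low", "medium" or "high" if the vendor is breached


IMPACT_POINTS = {"low": 1, "medium": 2, "high": 4}
TIER_RANK = {"minimal": 0, "moderate": 1, "sensitive": 2}
# Reassessment window per tier; None means a one-off assessment (assumption).
CADENCE_DAYS = {"sensitive": 365, "moderate": 730, "minimal": None}
# Maximum open high-severity findings tolerated before the deal is blocked (assumption).
MAX_OPEN_HIGH = {"sensitive": 0, "moderate": 2, "minimal": 5}


def risk_score(deal: DealProfile) -> int:
    """Additive score from the exposure mapping (weights are assumptions)."""
    score = IMPACT_POINTS[deal.business_impact]
    if deal.data_classes & {"employee_pii", "customer_pii"}:
        score += 3
    if deal.data_classes & {"source_code", "trade_secrets"}:
        score += 2
    if deal.stores_data:
        score += 2
    if deal.hosting == "vendor_cloud":
        score += 2
    if deal.network_access:
        score += 2
    return score


def assessment_plan(deal: DealProfile) -> dict:
    """Map a deal to a tier, the triggered control categories, a cadence and a threshold."""
    score = risk_score(deal)
    tier = "sensitive" if score >= 8 else "moderate" if score >= 4 else "minimal"
    # Every vendor exchanges email with us and signs an NDA, whatever the tier.
    controls = {"nda", "email_security"}
    if deal.data_classes & {"employee_pii", "customer_pii"}:
        controls |= {"privacy", "data_encryption"}
    if deal.data_classes & {"source_code", "trade_secrets"}:
        controls |= {"ip_protection", "environment_separation", "privilege_management"}
    if deal.stores_data:
        controls.add("access_control")
    if deal.hosting == "vendor_cloud":
        controls |= {"cloud_security_posture", "certifications"}
    if deal.network_access:
        controls.add("remote_access")
    return {
        "vendor": deal.vendor,
        "score": score,
        "tier": tier,
        "controls": frozenset(controls),
        "cadence_days": CADENCE_DAYS[tier],
        "max_open_high_findings": MAX_OPEN_HIGH[tier],
    }


def can_reuse(finalized: dict, requested: dict, today: date) -> bool:
    """A finalized assessment covers a new request for the same vendor if it was
    done at the same or a stricter tier, covers every control category the new
    deal triggers, and is still inside its reassessment window."""
    if finalized["vendor"] != requested["vendor"]:
        return False
    if TIER_RANK[finalized["tier"]] < TIER_RANK[requested["tier"]]:
        return False
    if not finalized["controls"] >= requested["controls"]:
        return False
    window = finalized["cadence_days"]
    if window is not None and today - finalized["completed_on"] > timedelta(days=window):
        return False
    return True


# The two deals from the post, expressed as business-owner answers.
DEAL_1 = DealProfile("Vendor A", "IT", "software_development",
                     frozenset({"employee_pii", "source_code"}),
                     stores_data=True, hosting="vendor_cloud",
                     network_access=False, business_impact="high")
DEAL_2 = DealProfile("Vendor A", "R&D", "consulting", frozenset(),
                     stores_data=False, hosting="none",
                     network_access=False, business_impact="low")


def demo_reuse(today_iso: str) -> bool:
    """Can the finalized Deal 1 assessment (completed 2020-01-15) serve Deal 2 on the given day?"""
    finalized = dict(assessment_plan(DEAL_1), completed_on=date(2020, 1, 15))
    return can_reuse(finalized, assessment_plan(DEAL_2), date.fromisoformat(today_iso))


if __name__ == "__main__":
    for deal in (DEAL_1, DEAL_2):
        plan = assessment_plan(deal)
        print(deal.business_owner, plan["tier"], plan["cadence_days"], sorted(plan["controls"]))
    print("reuse Deal 1 assessment for Deal 2 on 2020-06-01:", demo_reuse("2020-06-01"))
```

With these assumed weights Deal 1 scores 13 (sensitive, annual, zero open high findings tolerated) and Deal 2 scores 1 (minimal, one-off). The finalized Deal 1 assessment can be reused for Deal 2 while it is inside its 365-day window, but a minimal assessment can never be reused for a sensitive request, which is the rule a vendor-management module should enforce when it matches past assessments to new business-owner requests.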


Findings internal risk module

Findings enables you to streamline all internal risk elements into one process and to customize your own business logic, policy and terminology as part of it.

The main capabilities provided as part of your account:

1. Business owner page

A customizable, branded wizard providing:

    • Publication of your policy to business owners across the enterprise
    • New/existing vendor requests
    • A customizable vendor risk classification questionnaire
    • Automated calculation of the vendor's internal risk score
    • Automated triggering of the security categories and controls for the assessment
    • Automatic queuing of the pending vendor for the security team

2. Vendor management

A comprehensive vendor management page for the security team, including:

    • The ability to open and edit vendor details, send assessments and define vendor assessment policies
    • Review and approval of business owner page results and of the system's assessment recommendations
    • Self-definition of the vendor's internal risk classification by a member of the security team
    • Maintaining multiple business owner security page results for a single vendor
    • Launching assessments in alignment with the business owner page results

IMPORTANT: The ability to maintain said multiple risk profiles allows the enterprise to assess and certify the vendor for multiple deals and reuse already finalized past assessments to match with new business owner requests.

How to:

Option 1: from your vendor management module: Vendor tab >> Manage vendors >> select vendor >> Edit

Option 2: directly from the notification received when a business owner (BO) page request is initiated

3. Notifications

Findings' notification engine lets the business owner be notified at the various stages and processes that follow his/her request. The notifications, as always, are customizable to your needs.

The standard notifications that the business owner receives (or is CCed on) include:

    • The assessment sent to the vendor
    • Notification and escalations of delays
    • Vendor assessment finalization 
    • Security review completion

How to:

The notification editor can be found at Profile >> Manage organization >> Notifications

The combination of all Findings internal risk elements gives you a streamlined process, better alignment with business risk, better security efficiency and a better service level for your internal stakeholders.

Give it a try or book a free demo session with our experts.

Your business continuity and the Coronavirus crisis


Your supply chain is your weak spot during the Coronavirus crisis – how to prepare yourself

Different scenarios and how to protect yourself using a free tool we created for the community

As concern about the global outbreak of coronavirus (COVID-19) increases rapidly, companies face the need to quickly adjust their processes to situations that can affect their business continuity.

The global nature, spread and infection pace of the coronavirus indicate that no company should assume it will go unscathed, and every CISO, CIO and CEO should prepare and evaluate a business continuity plan (BCP) immediately.

Living in an interconnected world makes every business vulnerable to third-party business continuity risks that can disrupt its processes, data and reputation.

One of the main issues to address is the readiness of the company's supply chain and other third parties. Maintaining supply chain BCP in this challenging time is crucial to minimizing potential impacts.

In the case of the coronavirus, disruption is created mainly by availability issues arising from the many employees who will be forced to work from home or who are hospitalized.

From the supply chain perspective, the main risk scenarios are:

  1. The need for many employees to shift to remote work immediately.
  2. Staff availability issues resulting from employees being hospitalized or otherwise unavailable for long periods.
  3. Lack of preparedness of vendors to enable remote and secure operation.
  4. Low compatibility of the vendor's infrastructure (endpoints, connectivity, etc.) with the requirements for maintaining operation.
  5. Information security issues due to major and uncontrolled changes in the infrastructure serving the business.

Therefore, we decided to provide everyone with a FREE tool that will help you assess and manage your supply chain coronavirus readiness and resiliency.

You can subscribe for your free account here and immediately launch a vendor assessment process.

Your account is now equipped with a 'Coronavirus resilience assessment' assessment type. By selecting it under either the 'add new vendor' or the 'manage assessments' tab, your vendors will be able to quickly provide you with an overview of your supply chain's weak spots.

The tool will also provide you with automated findings, recommendations and time stamps that will help you manage vendor gaps effectively.

Want to perform a self readiness assessment? No problem: choose the 'Coronavirus resilience assessment' under the 'manage assessments' tab and select 'self assessment'.

If you already have your Findings account – contact our customer success team to activate the tool.

Just click on the link or the button below and start your on-boarding. 

Stay healthy! 

GE Discloses Data Breach


Tech Giant GE Discloses Data Breach After Service Provider Hack

The recent data breach of a GE supply chain service provider resulted in the theft of PII for many of the company’s employees. 

GE currently has customers in more than 180 countries and employs 280,000 people, according to the company's 2018 annual report.

“The breach occurred at Canon Business Process Services (Canon), a GE service provider, where an email account of a single employee was breached, resulting in an unauthorized party gaining access to an email account that contained documents of certain GE employees, former employees, and beneficiaries entitled to benefits that were maintained on Canon’s systems”.

Also, GE stated that the sensitive personal information exposed during the incident was uploaded by or for current and former GE employees, as well as “beneficiaries entitled to benefits in connection with Canon’s workflow routing service.”

GE reported the incident to the Office of the California Attorney General and notified the affected individuals in accordance with data breach laws and the CCPA.

GE said that its own IT systems were not affected by the Canon breach and that it is taking all necessary measures to prevent a similar incident from happening in the future.

Supply chain cybersecurity risk 

This attack highlights the issue of supply chain and third-party provider attacks.

As companies seek to reduce costs and improve operational margins, they rely on suppliers of business services or providers of products to take advantage of the lower costs these partners achieve through specialization and economies of scale.

These strategies are sound business practice in the growing trend toward collaborative ecosystems. In fact, it is impossible for an organization the size of GE to operate without an efficient global supply chain spanning tens of thousands of subcontractors and vendors.

The cybersecurity risk companies face is the lack of control they have over the data they now share with, or have hosted by, these suppliers, because it is not always protected to the same level of security that the company itself, as the data owner, imposes on its own resources.

The inability to determine the financial impact of such breaches makes it very hard for cost-conscious outsourced or third-party service and goods suppliers to right-size their risk and breach mitigation measures.

The attackers that are leveraging these third-party or supply chain attacks are often identified as Political Cyber Warriors, Financial Hackers, Disgruntled Employees, and Industrial Espionage Agents. 

These actors have already done the math on the financial value of such purloined information, and have sufficient resources behind them to invest in the attack methods that enable these penetrations and exfiltrations and still make a positive return on investment.

As the number of attacks and the size/prestige of victims of these breaches increases, companies must be much more diligent in coping with these risks.

What can you do?

When selecting third-party service providers or supplier partnerships, companies must perform reasonable due diligence to assure themselves and their stakeholders that the selection process does not just focus on cost. 

The first step is for companies to assess the financial impact such a breach will have on their business in terms of reputation and survivability. 

This can be accomplished by first quantifying the risk in monetary terms: a cyber risk quantification exercise can put a financial impact figure on the compromise of each type of asset.

Companies should perform this themselves or with the assistance of independent professionals. It should not be done by the outsourcing provider.

Secondly, each potential provider should demonstrate adequate data security and relevant privacy measures through a defensive maturity assessment, ensuring that all security measures are in place, current and fully configured.

Several standards, such as those published by ISO and NIST, provide a standard yet independent basis for conducting these assessments.

These assessments should be performed as necessary: prospective clients should ask for and receive security assessments during the selection or on-boarding process, and then periodically, at a frequency matching the vendor's risk exposure.

Obviously, performing manual assessments at such a scale isn't practical, so an automated solution must be implemented to facilitate this process.


Cyber risk mitigation has become a fact of life, and companies must make sure they deal with it effectively. Outsourcing services or products for resale in an ecosystem can be extremely beneficial and lets organizations move investment off the balance sheet and gain the benefits of market sourcing, yet they must act aggressively to ensure that their partners deliver on protecting the company from risk.

A third-party assessment cannot and will not prevent every cyber incident, but it helps organizations build a robust supply chain and respond quickly and decisively when an attack occurs, just as GE did.

What do you need to know about – CCPA?

California has always been known as a progressive state for protecting consumer rights and individual privacy. While this has been a benefit for its residents, it has also opened an opportunity for litigators to challenge companies for not complying with these oversight regulations. Given the scale of fines companies can face (as severe as under GDPR), companies will have to ramp up to comply and protect themselves. This latest set of privacy compliance regulations is extensive, and the penalties can accumulate over time with repeated incidents.

Direct Impact to Companies

The CCPA applies to all personal data collected about California residents: consumer data from January 2020, and employee and B2B data from January 2021. Residents have the right to access all data collected about them over a 12-month period, differentiated as sold or transferred. They have the right to opt out of programs in which their personal data is sold to third parties. And perhaps the most stringent of these is the right to have their personal data deleted in some cases. Companies and supply chains will be greatly impacted by these changes. They must quickly implement a way to comply, bear the costs of accommodating these directives, and do so in a rather challenging timeframe. Companies will have to closely examine their defensive perimeters and leverage their existing capabilities to avoid additional costs and penalties.

Supply Chain and Third Party/ Vendor Management Systems

Businesses have evolved into complex ecosystems of interdependent relationships for leveraging efficiency and maximizing opportunities. Manufacturers, retailers, service providers et al. are building networks that make them nimbler and more responsive to their markets. Along with these benefits come challenges and risks: continuity of supply, sharing information and sustaining a global presence. In the cyber world we don't have to go very far to see how these interdependencies can cause major threats and losses. In the US, Target had tens of millions of consumer payment card records compromised, damaging the business and the reputation of the company, after one of its suppliers was lax in protecting its network credentials.

That event was a seed that initiated the category of supply chain management software, third-party risk management programs and vendor management systems addressing cybersecurity concerns. Implementation of these systems has ensured that companies can now monitor and protect the information, supply and financial relationships that members of an ecosystem rely on to maintain cyber- and financially secure relationships for serving customers. Leveraging these systems is a smart and necessary way to comply with CCPA.

CCPA is only the beginning

Until now, the US was lagging behind the EU in terms of privacy regulation. CCPA is on par with the EU's GDPR, which is enforced against companies worldwide that process EU residents' data, and some speculate that other states will follow California's footsteps and adopt similar, if not more stringent, legislation. We've seen a similar trend with breach notification laws, which now exist in all 50 states, D.C. and Puerto Rico.

This means that businesses that are exempt from complying with the CCPA (because of their jurisdiction or their target audience's residency) should examine it and consider adopting it, because in all likelihood it will impact them very soon.

The FINDINGS solution for CCPA

Findings is a scalable, AI-powered VRM platform that streamlines security compliance across sectors, jurisdictions and regulatory frameworks for ecosystems. Findings enables companies to showcase their security and assess vendors. The platform is ideal for monitoring, structuring and controlling supply chain relationships. Most organizations have already deployed or are evaluating such systems, considering them a necessity in the suite of defensive controls needed in today's business climate. The wise strategy for complying with CCPA is to leverage the TPRM/vendor management system for managing security and risk and complying with regulation, rather than making new investments in separate defensive and compliance capabilities.

VRM and Regulations

VRM is becoming more widespread, and more and more organizations realize the importance of a proper vendor verification process for reducing cyber risk. This awareness is a result of high-profile incidents (such as Target and Lockheed Martin) but also of first-hand knowledge of the risk. In a recent survey, two-thirds of respondents reported that their organizations had experienced a software supply chain attack, and 90 percent of those confirmed that they had incurred financial loss as a result.

But awareness and first-hand experience are not the only drivers towards greater adoption of VRM. Regulation is another driver that forces organizations to add VRM to their security agenda. The following regulations and standards are examples:

  • GDPR

The European Union's (EU's) General Data Protection Regulation (GDPR) has applied since May 2018 and includes a new set of requirements for third-party data processors, laid out in Articles 28, 32, 33 and 36.

The novelty of GDPR in this respect is that it extends responsibility for personal data to the third parties (processors and sub-processors) who process the information.

Article 28, "Processor", requires contractual protections with data processors and their sub-processors, adequate data protection, and evidence of compliance with the GDPR; Article 32, "Security of processing", requires data processors and their sub-processors (third parties) to implement appropriate technical and organizational security measures to protect EU personal data;

Article 33, "Notification of a personal data breach", requires data processors (and, through them, their own third parties) to report compromises of EU personal data to the controller without undue delay; and

Article 36, "Prior consultation", requires the controller to consult the supervisory authority before high-risk processing when a data protection impact assessment (DPIA, Article 35) shows the risk cannot be mitigated, and processors must assist their clients with these assessments (Article 28(3)(f)).

All of the above present a new set of processes, procedures and skills to be implemented as part of a company's compliance process.

While GDPR isn't relevant to every country and company, it is the first of many such regulations that tackle the issue of third-party liability and risk.

  • NYDFS (23 NYCRR 500)

The New York Department of Financial Services Cybersecurity Regulation (23 NYCRR 500) is a set of regulations from the NY Department of Financial Services (NYDFS) that places cybersecurity requirements on all covered financial institutions.

The NYDFS regulation defines a third party as follows: "Third Party Service Provider(s) means a Person that (i) is not an Affiliate of the Covered Entity, (ii) provides services to the Covered Entity, and (iii) maintains, processes or otherwise is permitted access to Nonpublic Information through its provision of services to the Covered Entity".

It requires regulated entities (which include state-chartered banks, licensed lenders, private bankers, foreign banks licensed to operate in New York, mortgage companies, insurance companies and other DFS-licensed entities) to have a dedicated Third Party Service Provider security policy that includes "written policies and procedures designed to ensure the security of Information Systems and Nonpublic Information that are accessible to, or held by, Third Party Service Providers". Before engaging third parties, companies must perform a comprehensive due diligence process to evaluate the adequacy of their cybersecurity practices, and they must periodically assess those providers based on the risk they present and the continued adequacy of their cybersecurity practices. In addition, companies must designate a senior member of staff as responsible for direction and oversight of Third Party Service Providers.

  • CCPA, the California Consumer Privacy Act

The CCPA covers the data of California residents and comes into effect on January 1, 2020.

In a similar fashion to GDPR and NYDFS, it extends responsibility for private data to the third parties collecting and handling it. For instance, section 1798.115(d) of the CCPA limits third parties' ability to resell personal information they obtain from your business.

Also, as with other data protection and privacy regulations, there is a continuous requirement to map where the data is processed, to assess and evaluate the potential exposure risk, and to manage it continuously.

  • DoD Cybersecurity Maturity Model Certification (CMMC)

The US Department of Defense is working on a new mandatory cybersecurity certification program that would require contractors to demonstrate their cybersecurity readiness in order to participate in DoD bids.

The new CMMC certification creates a five-level system. Vendors are assessed on 17 separate "domains", or elements of cybersecurity such as incident response and risk management. Although it seemed at first to have a rather limited reach (impacting only the defense industry), it may apply to the entire DoD supply chain of about 300,000 contractors, and as such have a far-reaching impact on many vendors, from electronics makers to steel plate manufacturers.


The regulations and standards covered in this post are by no means the only ones companies should adhere to. Multiple laws and agencies, such as the Federal Deposit Insurance Corporation (FDIC), the Office of the Comptroller of the Currency (OCC), the Health Insurance Portability and Accountability Act (HIPAA), the Consumer Financial Protection Bureau (CFPB), the Foreign Corrupt Practices Act (FCPA), Dodd-Frank, the HITECH Act, the Gramm-Leach-Bliley Act and even the Open Banking standard, all call for some degree of third-party risk management policy and controls.

While these all vary in their specific requirements, the basic underlying notion is the same: companies cannot ignore their responsibility for the third parties they engage with. They need to ensure these third parties adhere to the same level of scrutiny and regulation as themselves, and take measures to evaluate, and to be able to demonstrate, their supply chain security compliance on a continuous basis.

Navigating this regulatory landscape without the proper knowledge and tools is extremely difficult, time-consuming and risky. Findings can help you map the regulatory requirements and facilitate 3rd party risk management process.

You can have your cake and eat it (too)

It's always nice to see something you are building grow and become a core component of your customers' experience.

This time we're talking about the Findings Notification system, which delivers events to your (and your supply chain's) mailbox and facilitates streamlined collaboration and process management.

The challenge with scalable notification engines is balancing standardized behavior in an environment with massive numbers of notifications against customization for the specific user's needs.

If you're not already familiar with the Findings Notification system, let us bring you up to speed: using the notification system, you can customize a range of notification message types, which among others include:

  • Vendor notifications – all messages required along the vendor risk management life-cycle, including:
    • On-boarding notifications – supporting the vendor's smooth entry to the system within the timeframe you define.
    • New assessment request – informs your supply chain vendor about a new incoming assessment.
    • A set of reminder notifications:
      • Assessment not started – in case the supply chain vendor did not start the assessment after a fixed period of time (defined by the platform or customized to your choice).
      • Assessment in progress – reminding the supply chain vendor they still have an ongoing assessment, pending findings to report, new chat notifications, etc.
      • Assessment overdue – informs the supply chain vendor about an overdue assessment or an upcoming due date.
  • Findings notifications – informing about findings and tracking their completion status.
  • Business owner/Procurement notifications – all messages related to a request by an internal business owner for a supply chain vendor assessment.

By customizing notifications, we mean that you have the ability to:

  • Change the email subject and content (using an advanced WYSIWYG editor)
  • Use your own outgoing email address (both SPF and DKIM are supported)
  • Deliver a copy of each message to your own and your teammates' mailboxes
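Sending from your own address through a third-party platform only works if your DNS authorizes that platform: the SPF record for your domain must include the platform's sending hosts, and the DKIM selector the platform signs with must be published under your domain, otherwise recipients' DMARC checks will reject or quarantine the notifications, and vendors may also start ignoring mail that looks spoofed. The pre-flight check below is an added example, not code from the original post or from the Findings platform; the platform's SPF include domain (spf.vrm-platform.example) and DKIM selector (findings) are assumptions, and the TXT records are constructed samples standing in for real DNS answers.

```python
"""Added example, not part of the original post or of the Findings platform:
a pre-flight check to run before enabling the "use your own outgoing email
address" option. For a third-party platform to send as notifications@example.com
without failing SPF/DKIM (and therefore DMARC) at the vendor's mail server, your
DNS must authorize the platform's sending hosts in your SPF record and publish
the DKIM public key the platform signs with. The platform's include domain and
DKIM selector are assumptions; the TXT records are constructed samples."""

# Constructed sample TXT records standing in for real DNS answers (assumptions).
SAMPLE_TXT = {
    "example.com": ["v=spf1 include:_spf.google.com include:spf.vrm-platform.example -all"],
    "findings._domainkey.example.com": ["v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDplaceholder"],
    "sloppy.example": ["v=spf1 include:spf.vrm-platform.example +all"],
    "revoked._domainkey.example.com": ["v=DKIM1; k=rsa; p="],
}


def lookup_txt(name: str, records=SAMPLE_TXT) -> list:
    """Stand-in for a DNS TXT lookup; swap in a real resolver in production."""
    return records.get(name.lower(), [])


def parse_spf(record: str) -> list:
    """Split an SPF record into (qualifier, mechanism, value) triples.
    Modifiers such as redirect= and exp= are skipped for brevity."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    parsed = []
    for term in terms[1:]:
        if "=" in term and ":" not in term:  # modifier, not a mechanism
            continue
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        mech, _, value = term.partition(":")
        parsed.append((qualifier, mech.lower(), value))
    return parsed


def spf_authorizes(domain: str, platform_include: str, lookup=lookup_txt) -> tuple:
    """(ok, reason): ok only if exactly one SPF record exists, the platform's
    include: is present with a pass qualifier, the record contains no +all, and
    this record's own lookup mechanisms stay within the RFC 7208 limit of 10
    (nested includes are not followed here)."""
    recs = [r for r in lookup(domain) if r.lower().startswith("v=spf1")]
    if len(recs) != 1:
        return False, f"expected exactly one SPF record for {domain}, found {len(recs)}"
    terms = parse_spf(recs[0])
    if not any(q == "+" and m == "include" and v.lower() == platform_include.lower()
               for q, m, v in terms):
        return False, f"{platform_include} is not included with a pass qualifier"
    if any(m == "all" and q == "+" for q, m, _ in terms):
        return False, "record contains +all: anyone may send as this domain"
    lookups = sum(1 for _, m, _ in terms if m in ("include", "a", "mx", "ptr", "exists"))
    if lookups > 10:
        return False, "more than 10 DNS-lookup mechanisms: receivers return permerror"
    return True, "ok"


def parse_dkim(record: str) -> dict:
    """Parse 'tag=value; tag=value' into a dict."""
    tags = {}
    for part in record.split(";"):
        if part.strip():
            key, _, value = part.partition("=")
            tags[key.strip()] = value.strip()
    return tags


def dkim_published(domain: str, selector: str, lookup=lookup_txt) -> tuple:
    """(ok, reason): the selector record must exist, be DKIM1 and carry a key;
    an empty p= tag means the key has been revoked."""
    name = f"{selector}._domainkey.{domain}"
    recs = lookup(name)
    if not recs:
        return False, f"no TXT record at {name}"
    tags = parse_dkim(recs[0])
    if tags.get("v", "DKIM1") != "DKIM1":
        return False, "unexpected DKIM version tag"
    if not tags.get("p"):
        return False, "empty p= tag: key has been revoked"
    return True, "ok"


def sender_domain_ready(domain: str, platform_include: str, selector: str,
                        lookup=lookup_txt) -> dict:
    """Combine both checks into one go/no-go answer with reasons."""
    spf_ok, spf_why = spf_authorizes(domain, platform_include, lookup)
    dkim_ok, dkim_why = dkim_published(domain, selector, lookup)
    return {"ready": spf_ok and dkim_ok, "spf": spf_why, "dkim": dkim_why}


if __name__ == "__main__":
    print(sender_domain_ready("example.com", "spf.vrm-platform.example", "findings"))
    print(sender_domain_ready("sloppy.example", "spf.vrm-platform.example", "findings"))
```

Run it against the real records by replacing `lookup_txt` with a resolver call, and run it again after any DNS change: a DKIM key rotation on the platform side or a well-meaning "cleanup" of the SPF record by another team is exactly how vendor notifications silently start landing in spam. The `+all` and lookup-count checks are there because an SPF record that authorizes the platform but also authorizes everyone, or that exceeds the lookup limit and therefore evaluates to permerror, gives no protection at all.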

Over the last year we saw tremendous demand around the notification system: feature requests, bug reports and high usage statistics.

We took the time to analyze the key factors by observing our users' behavior and came up with a formula we believe can help them streamline their supply chain risk management and achieve even better results.

Notifications delivered to the supply chain can be automatically delivered (as a BCC) to the issuing organization's admins, so that they stay on the same page and keep track of recent events; if a member of the admin group is absent for any reason, his/her colleagues have the same information to work with.

If a request for a new supply chain vendor is issued by a business owner, that business owner is automatically CC'ed on every outgoing email the vendor receives, so he/she can follow the entire process and assist with any inquiries arriving in the vendor's replies.

Lastly, if a supply chain vendor replies to an email sent by the customer, the reply is automatically delivered to the issuing organization's owner, and if a business owner is part of the process, he/she is CC'ed as well.
Would you like to give it a try? See it in action! Click here to try it.

Why VRM ?


What is VRM, and how to start applying it to your supply chain risk?

A vendor notified a global enterprise that it had suffered a data breach. That vendor was recorded in the enterprise's VRM system, which allowed the security and risk personnel to quickly assess the exposure and act accordingly. This is what a proper VRM process looks like and what's expected of modern enterprises and organizations, but sadly, it is very rare.

Gartner defines VRM (Vendor Risk Management) as “the process of ensuring that the use of service providers and IT suppliers does not create an unacceptable potential for business disruption or a negative impact on business performance”.

In a cybersecurity context, this means that organizations need to ensure that elements in their supply chain, such as vendors, partners, integrated systems and others, do not expose them to unnecessary cyber risk. VRM (which is part of risk management) had been in the shadow of mainstream IT security until very recently.

Organizations have invested heavily in securing their own perimeter, training personnel and refining their security procedures, all in the hope of thwarting an attack by an outside hacker. But cybercriminals are like water: they always seek the path of least resistance, and they found that they could gain entrance into heavily defended organizations by working their way up the supply chain. There, they could identify weaker entities with lesser security mechanisms and use these to reach their final objective. Supply chain attacks increased 78 percent between 2017 and 2018, and a recent report states that half of all attacks in 2019 targeted the supply chain. These facts, alongside some very notable breaches that came through the supply chain (Target was infected via an HVAC maintenance contractor with weak cybersecurity; Wipro was hacked and then used to attack its own customers; etc.), have brought this subject to the attention of boards, CISOs, legal and risk professionals across the world.

But awareness is not enough. Organizations need to understand whether they should address this risk and how to mitigate it. Some organizations are mandated by law or regulation to engage in Vendor Risk Management. These include critical national infrastructure, defense and homeland security industries, as well as financial and healthcare entities. Others must address VRM as part of their obligation to adhere to GDPR and other privacy policies and regulations, such as the evolving CCPA. We will cover these aspects in follow-up blog posts.

When an organization decides it needs to address VRM, it is usually shocked by the sheer volume of work ahead. This is a combination of the number of vendors that require validation (easily hundreds for a medium-sized organization) and the manual labor required to validate each and every vendor. The traditional VRM process requires a detailed questionnaire to be sent to the vendor, who fills it in to the best of their understanding. The questionnaire is then sent back to the organization for processing, which requires painstaking manual data entry into the organization's own systems. This is a lengthy and expensive process that can have a negative impact on business cycles and project execution times. Furthermore, the process must be revisited on an annual basis, or whenever vendors are switched or added in the supply chain.

Faced with these challenges, organizations choose to prioritize and focus their attention on the largest vendors or on the ones perceived to pose the greatest risk. It is not uncommon for organizations to focus their VRM process on just 5% of their supply chain, leaving the bulk of it unaccounted for. Organizations that choose to "roll the dice" and play the cost-versus-risk game can find themselves in the crosshairs should they happen to miss the one vendor that eventually causes the breach.

Findings approaches this challenge with the view that ALL vendors must be verified. We’ve built our technology platform to enable organizations to automatically assess their exposure. Moreover, we’ve made it exceptionally easy for vendors to assess themselves. By removing friction we’ve enabled organizations to effectively assess their entire supply chain, without having to “gamble” on whom to check. In the case described at the beginning of this article, a global enterprise used our system to vet its entire supply chain. That, of course, would not have been possible with the “old” (manual) methods. Having the vendor documented in their VRM system allowed them to quickly respond and communicate the necessary actions, both internally (to the board of directors and management) and externally (to customers, partners and authorities). Luckily, the status of that particular vendor was such that no additional action was required. Had it not been validated and recorded in the VRM system, the process of understanding the exposure “post-mortem” would have taken days rather than the 15 minutes that it took. Findings’ solution enabled the following benefits:

  • Complete coverage
  • Accuracy
  • Reduced time for the initial validation process
  • Reduced response time once an event has occurred

VRM technology supports enterprises that must assess, monitor and manage their risk exposure from third-party suppliers (TPSs) that provide IT products and services, or that have access to enterprise information. However, without an automated, scalable mechanism to support the data input, these tools are under-utilized and provide only partial coverage. Findings enables organizations to fully utilize these solutions and gain a clear understanding of their entire supply chain exposure.

Considerations For Evaluating Vendor Risk Management Solutions

The Vendor Risk Management (VRM) space has quickly become a hot topic this year.  It seems like everywhere you turn, new companies offering VRM solutions are popping up.  As we’ve seen with other markets in security, most vendors in the space use the same marketing buzzwords.  Each vendor seems to claim that it provides all of the same features and capabilities as the next vendor.  It can be quite difficult to make sense of the various players and what differentiates one from the next.

It’s not difficult to see why Vendor Risk Management is an important function. The risk that third parties introduce into an organization needs to be understood and managed as an integral part of any strategic, holistic approach to risk management. Most organizations understand that point and are looking to address this critical business need in the near future.  So with all the confusion around the players in the VRM space, how can organizations make sense of the space and understand how to evaluate and differentiate between the different offerings?

1. One size does not fit all:
While there is significant overlap of controls across various different regulations, standards, and industries, the overlap is far from complete. Enterprises look at a variety of different concerns dependent on industry, company size, geography, type of data handled, type of electronic access to the enterprise, and many other parameters when evaluating the risk that third parties introduce.  Some of the concerns that enterprises have in the semiconductor industry will be different from those that enterprises in the financial sector have.  Likewise, the concerns differ in the energy sector, healthcare, government, and other sectors.  If you’re looking at a VRM option that offers only a one-size-fits-all assessment with no ability to import your own custom assessment that addresses exactly the concerns that you are looking to evaluate, that should be a red flag.

2. Scans are insufficient:
Can scanning a vendor’s perimeter from the outside provide useful insight into a portion of their overall security posture?  Absolutely.  But it is woefully insufficient in and of itself.  Scans tell us nothing about the people, process, and policy of the vendor.  They tell us nothing about what life is like on the “inside” day in and day out.  They offer nothing around how the vendor does or does not protect sensitive information.  And those are all important parts of what truly defines how effective a vendor’s security program is at managing and mitigating risk.

3. Metrics:
It should come as no surprise that in the spreadsheet, phone call, and interview-driven VRM world, metrics were very hard to come by.  Perhaps we could collect data on a few vendors and make individual assessments around their security postures.  But comparing between vendors?  Forget about it.  Tracking issues/gaps identified and working toward their resolution in a timely manner? No way.  Managing a well-documented, organized communication with the vendor from inside a centralized management platform?  Nope. Understanding the progress of each vendor and across various different groups and sets of vendors year over year?  Never happened.  An overall risk snapshot with the ability to slice and dice different reports across a series of parameters?  Not with the old way of doing things.  Looking at a VRM vendor that doesn’t provide you with all of these capabilities?  Move on.

4. Benchmarks:
Knowing the risk that a vendor or vendors introduce into our enterprise is great. But what about knowing how our risk or the risk of the vendors in our portfolio compares to others in our geography, industry, company size, or other parameters?  In my experience, this is an extremely important part of any VRM solution.  If your VRM provider doesn’t offer benchmarking, that should signal to you that it is time to move on.

5. Process is king:
Automated VRM replaces the spreadsheet, phone call, and interview-driven world of vendor risk assessments past. Any viable VRM candidate needs to be able to provide an end-to-end automated process that can be quickly and easily managed from one centralized interface.  Anything else is simply prehistoric in this day and age.

6. Don’t just tell me what is wrong:
Pointing out what is wrong is a start.  But suggesting how to address what is wrong and providing a seamless way to manage that process from start to finish is where the true value is in automated VRM. Advice around addressing issues/gaps and the wherewithal to see it through from start to finish is a true differentiating feature across VRM solutions.

7. Enable a decision:
In the end, enterprises need to understand their risk and use that information to make actionable decisions on what remediation is necessary.  Any serious VRM player needs to be able to facilitate, rather than fight, that process.

Findings was purpose-built to address all of these challenges to facilitate better vendor risk evaluation and management, better visibility into the supply chain, scalability and savings in cost and time.


Welcome to Findings Blog

Third Party Risk – also known as supply-chain security or VRM (Vendor Risk Management) – is rapidly evolving to be one of the highest priority items within each and every security organization.

VRM has unique challenges, however, as it combines multidisciplinary data protection and privacy aspects, alongside regulatory implications and the need to operate at scale. Implementing an effective and efficient vendor auditing and risk management program is a challenge we at IDRRA decided to solve in order to help companies improve their respective security postures. This is why we decided to create this newsletter and blog – in order to be a strategic discussion resource around vendor risk management, supply-chain security, and related regulatory implications – around the world and across various industries. Our initiative helps organizations stay on top of and manage the rapidly changing regulatory landscape and the manual supply-chain security process.  Through these undertakings, alongside others, IDRRA seeks to improve and automate processes, as well as to give organizations the opportunity to better evaluate, understand, and address the risk that their vendors expose them to. As we continue to automate tedious, time- and labor-intensive manual processes, we will use this space to keep our readers up to date on the industry’s latest news and knowledge. I hope you will enjoy this newsletter, and we look forward to your thoughts and comments.

Kobi Freedman

Supply Chain Integrity Month

April brings us spring weather, tax filing deadlines, and also supply chain integrity month.

US-CERT is helping to call attention to an important risk that all organizations face.  Per the US-CERT posting (


The Cybersecurity and Infrastructure Security Agency (CISA), the Office of the Director of National Intelligence (ODNI), and the Department of Defense (DOD) are partnering to promote the importance of supply chain security and risk management. Breaches in the supply chain provide an opportunity for malicious software or hardware to be installed on equipment. Lack of awareness or validation of the legitimacy of hardware and software presents a serious risk to users’ information and the overall integrity of a network environment.

Despite the risk that the supply chain introduces into organizations, it is all too often a problem that is approached inefficiently and ineffectively.

The Office of the Director of National Intelligence summarizes the problem quite well (


These adversaries exploit supply chain vulnerabilities to steal America’s intellectual property, corrupt our software, surveil our critical infrastructure, and carry out other malicious activities. They infiltrate trusted suppliers and vendors to target equipment, systems, and information used every day by the government, businesses, and individuals.

Of course, the problem extends well beyond just government and critical infrastructure.  It extends into all industries and sectors. Yet, organizations can hardly be faulted for paying Vendor Risk Management (VRM) less attention than it deserves.  Historically, VRM has been an area lacking creative, efficient, and helpful technological solutions. Instead, it has been an area overwhelmed by manual, labor-intensive processes that can’t possibly assess, manage, and mitigate the risk that the supply chain poses.

At IDRRA, we believe in helping organizations efficiently and effectively tackle VRM.  It’s our passion, and it’s what drives and energizes us day-to-day. Our industry-leading platform takes the pain and headache out of the VRM process, allowing organizations to focus on reducing supply-chain risk.

Every month should be supply-chain integrity month, and with IDRRA, it is.  There is no time like the present to make the most of supply-chain integrity month and to get your VRM program off the ground.  In fact, IDRRA ( can help you get started – register for a free account today.