Tag Archives: VRM

Why VRM?


What is VRM, and how to start applying it to your supply chain risk?

A vendor notified a global enterprise that it had suffered a data breach. That vendor was already recorded in the enterprise's VRM system, which allowed the security and risk personnel to quickly assess the exposure and act accordingly. This is how a proper VRM process is expected to work in modern enterprises and organizations, but sadly, it is very rare.

Gartner defines VRM (Vendor Risk Management) as “the process of ensuring that the use of service providers and IT suppliers does not create an unacceptable potential for business disruption or a negative impact on business performance”.

In a cybersecurity context, this means that organizations need to ensure that elements in their supply chain, such as vendors, partners, integrated systems and others, do not expose them to unnecessary cyber risk. VRM (which is part of Risk Management) remained in the shadow of mainstream IT security until very recently.

Organizations have invested heavily in securing their own perimeter, training personnel and refining their security procedures, all in the hope of thwarting an attack from an outside hacker. But cybercriminals are like water: they always seek the path of least resistance, and they found that they could gain entrance into heavily defended organizations by working their way up the supply chain. There, they could identify weaker entities with lesser security mechanisms, and use these to gain entry to their final objective. As of 2018, supply chain attacks had increased 78 percent between 2017 and 2018, and a recent report states that half of all attacks in 2019 target the supply chain. This fact, alongside some very notable breaches that came through the supply chain (Target was infected via an HVAC maintenance contractor with weak cybersecurity; Wipro was hacked and used as a launching point for further attacks on its customers; etc.), has brought this subject to the attention of boards, CISOs, and legal and risk professionals across the world.

But awareness is not enough. Organizations need to understand whether they should address this risk and how to mitigate it. Some organizations are mandated by law or regulation to engage in Vendor Risk Management. These include critical national infrastructure, defense and homeland security industries, as well as financial and healthcare entities. Others must address VRM as part of their obligation to adhere to GDPR and other privacy policies and regulations, such as the evolving CCPA. We will cover these aspects in follow-up blog posts. But when an organization decides it needs to address the VRM issue, it is usually shocked by the sheer volume of work ahead. This is a combination of the number of vendors that require validation (which could easily reach hundreds for a medium-sized organization) and the manual labor required to validate each and every vendor. The traditional VRM process required that a detailed questionnaire be sent to the vendor, who would then fill it in to the best of their understanding. The questionnaire would then be sent back to the organization for processing, which required painstaking manual data entry into the organization's own systems. This is a lengthy and expensive process that can have a negative impact on business cycles and project execution times. Furthermore, the process must be revisited on an annual basis, or when switching to (or adding) new vendors in the supply chain.

Faced with these challenges, organizations choose to prioritize and focus their attention on the largest vendors, or the ones perceived to pose the greatest risk. It is not uncommon for organizations to focus their VRM process on just 5% of their supply chain, leaving the bulk of it unaccounted for. Organizations that choose to "roll the dice" and play the cost-vs.-risk game could find themselves in the crosshairs should they happen to miss the one vendor that eventually causes the breach.

Findings approaches this challenge with the view that ALL vendors must be verified. We've built our technology platform to enable organizations to automatically assess their exposure. Moreover, we've made it exceptionally easy for vendors to assess themselves. By removing friction, we've enabled organizations to effectively assess their entire supply chain, without having to "gamble" on whom to check. In the case described at the beginning of this article, a global enterprise had used our system to vet its entire supply chain. That, of course, would not have been achievable with the "old" (manual) methods. Having the vendor documented in their VRM system allowed them to quickly respond and communicate the necessary actions, both internally (to the board of directors and management) and externally (to customers, partners and authorities). Luckily, the status of that particular vendor was such that no additional action was required. Had it not been validated and recorded in the VRM system, the process of understanding the exposure "post-mortem" would have taken days, not the 15 minutes that it took. The Findings solution enabled the following benefits:

  • Complete coverage
  • Accuracy
  • Reduced time for the initial validation process
  • Reduced time of response once an event has occurred

VRM technology supports enterprises that must assess, monitor and manage their risk exposure from third-party suppliers (TPSs) that provide IT products and services, or that have access to enterprise information. However, without an automated, scalable mechanism to support the data input, these tools are under-utilized and provide only partial coverage. Findings enables organizations to fully utilize these solutions and gain a clear understanding of their entire supply chain exposure.
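As an added illustration (not Findings' code), the following constructed Python vendor register shows what the enterprise in the opening story could answer in minutes: how much of the supply chain is covered by a current assessment, which high-tier vendors it is still gambling on, and the exposure when a recorded vendor reports a breach. The Vendor fields, the tiering rule and the sample vendors are assumptions made for this example.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Set
@dataclass
class Vendor:
    name: str
    data_categories: Set[str]      # constructed labels such as "PII", "payment"
    network_access: bool           # vendor holds credentials or a VPN into our environment
    last_assessed: Optional[date]  # None: questionnaire never sent or never returned
    open_gaps: List[str] = field(default_factory=list)

def tier(v: Vendor) -> str:
    """Assumed tiering rule: network access or regulated data makes a vendor high-tier."""
    if v.network_access or v.data_categories & {"PII", "payment", "PHI"}:
        return "high"
    return "medium" if v.data_categories else "low"

def is_current(v: Vendor, today: date, max_age_days: int = 365) -> bool:
    # An assessment only counts if the questionnaire came back within the annual cycle.
    return v.last_assessed is not None and (today - v.last_assessed).days <= max_age_days

def coverage(register: List[Vendor], today: date) -> float:
    # Fraction of the supply chain with a current assessment (the "5%" problem above).
    return sum(is_current(v, today) for v in register) / len(register)

def unassessed_high_tier(register: List[Vendor], today: date) -> List[str]:
    # The vendors the organization is "rolling the dice" on.
    return sorted(v.name for v in register if tier(v) == "high" and not is_current(v, today))

def exposure_on_breach(register: List[Vendor], vendor_name: str, today: date) -> dict:
    """What the register lets the security team say when a vendor reports a breach."""
    v = next((x for x in register if x.name == vendor_name), None)
    if v is None:
        return {"known": False, "action": "not in register: discover and assess ad hoc"}
    if v.network_access:
        action = "rotate shared credentials, review access logs, notify stakeholders"
    elif v.data_categories:
        action = "notify data owners and assess notification duties"
    else:
        action = "no additional action required"
    return {"known": True, "tier": tier(v), "data_at_risk": sorted(v.data_categories),
            "network_access": v.network_access, "assessment_current": is_current(v, today),
            "open_gaps": list(v.open_gaps), "action": action}

REGISTER = [  # constructed sample register; the dates and gaps are made up
    Vendor("HVAC Maintenance Co", set(), True, None),
    Vendor("Payroll SaaS", {"PII", "payment"}, False, date(2019, 3, 1), ["MFA not enforced"]),
    Vendor("Office Supplies Ltd", set(), False, date(2018, 11, 20)),
    Vendor("Analytics Partner", {"PII"}, False, None),
]
TODAY = date(2019, 6, 1)  # constructed reference date for the annual cycle check
```

With the sample data, only half the register is currently assessed, and both unassessed high-tier vendors are exactly the ones a breach notice would leave the team unable to answer for.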

Considerations For Evaluating Vendor Risk Management Solutions

The Vendor Risk Management (VRM) space has quickly become a hot topic this year. It seems like everywhere you turn, new companies offering VRM solutions are popping up. As we've seen with other markets in security, most vendors in the space use the same marketing buzzwords. Each vendor seems to claim that it provides all of the same features and capabilities as the next vendor. It can be quite difficult to make sense of the various players and what differentiates one from the next.

It's not difficult to see why Vendor Risk Management is an important function. The risk that third parties introduce into an organization needs to be understood and managed as an integral part of any strategic, holistic approach to risk management. Most organizations understand that point and are looking to address this critical business need in the near future. So with all the confusion around the players in the VRM space, how can organizations make sense of the space and understand how to evaluate and differentiate between the different offerings?

1. One size does not fit all:
While there is significant overlap of controls across various regulations, standards, and industries, the overlap is far from complete. Enterprises look at a variety of different concerns depending on industry, company size, geography, type of data handled, type of electronic access to the enterprise, and many other parameters when evaluating the risk that third parties introduce. Some of the concerns that enterprises have in the semiconductor industry will differ from those of enterprises in the financial sector, and the concerns in the energy sector, healthcare, government, and other sectors will differ again. If you're looking at a VRM option that offers only a one-size-fits-all assessment with no ability to import your own custom assessment that addresses exactly the concerns you are looking to evaluate, that should be a red flag.

2. Scans are insufficient:
Can scanning a vendor's perimeter from the outside provide useful insight into a portion of their overall security posture? Absolutely. But it is woefully insufficient in and of itself. Scans tell us nothing about the people, process, and policy of the vendor. They tell us nothing about what life is like on the "inside" day in and day out. They offer nothing around how the vendor does or does not protect sensitive information. And those are all important parts of what truly defines how effective a vendor's security program is at managing and mitigating risk.

3. Metrics:
It should come as no surprise that in the spreadsheet, phone call, and interview-driven VRM world, metrics were very hard to come by. Perhaps we could collect data on a few vendors and make individual assessments around their security postures. But comparing between vendors? Forget about it. Tracking issues/gaps identified and working toward their resolution in a timely manner? No way. Managing a well-documented, organized communication with the vendor from inside a centralized management platform? Nope. Understanding the progress of each vendor and across various different groups and sets of vendors year over year? Never happened. An overall risk snapshot with the ability to slice and dice different reports across a series of parameters? Not with the old way of doing things. Looking at a VRM vendor that doesn't provide you with all of these capabilities? Move on.

4. Benchmarks:
Knowing the risk that a vendor or vendors introduce into our enterprise is great. But what about knowing how our risk, or the risk of the vendors in our portfolio, compares to others in our geography, industry, company size, or other parameters? In my experience, this is an extremely important part of any VRM solution. If your VRM provider doesn't offer benchmarking, that should signal to you that it is time to move on.

5. Process is king:
Automated VRM automates and replaces the spreadsheet, phone call, and interview-driven world of vendor risk assessment of the past. Any viable VRM candidate needs to be able to provide an end-to-end automated process that can be quickly and easily managed from one centralized interface. Anything else is simply prehistoric in this day and age.

6. Don’t just tell me what is wrong:
Pointing out what is wrong is a start. But suggesting how to address what is wrong and providing a seamless way to manage that process from start to finish is where the true value is in automated VRM. Advice around addressing issues/gaps and the wherewithal to see it through from start to finish is a true differentiating feature across VRM solutions.

7. Enable a decision:
In the end, enterprises need to understand their risk and use that information to make actionable decisions on what remediation is necessary. Any serious VRM player needs to be able to facilitate, rather than fight, that process.

Findings was purpose-built to address all of these challenges to facilitate better vendor risk evaluation and management, better visibility into the supply chain, scalability and savings in cost and time.

Welcome to Findings Blog

Third Party Risk, also known as supply-chain security or VRM (Vendor Risk Management), is rapidly evolving to be one of the highest priority items within each and every security organization.

VRM has unique challenges, however, as it combines multidisciplinary data protection and privacy aspects, alongside regulatory implications and the need to operate at scale. Implementing an effective and efficient vendor auditing and risk management program is a challenge we at IDRRA decided to solve in order to help companies improve their respective security postures. This is why we decided to create this newsletter and blog: to be a strategic discussion resource around vendor risk management, supply-chain security, and related regulatory implications, around the world and across various industries. Our initiative helps organizations stay on top of and manage the rapidly changing regulatory landscape and the manual supply-chain security process. Through these undertakings, alongside others, IDRRA seeks to improve and automate processes, as well as to give organizations the opportunity to better evaluate, understand, and address the risk that their vendors expose them to. As we continue to automate tedious, time- and labor-intensive manual processes, we will use this space to keep our readers up to date on the industry's latest news and knowledge. I hope you will enjoy this newsletter, and we look forward to your thoughts and comments.

Kobi Freedman

Supply Chain Integrity Month

April brings us spring weather, tax filing deadlines, and also supply chain integrity month.

US-CERT is helping to call attention to an important risk that all organizations face. Per the US-CERT posting (https://www.us-cert.gov/ncas/current-activity/2019/04/01/Supply-Chain-Integrity-Month):

The Cybersecurity and Infrastructure Security Agency (CISA), the Office of the Director of National Intelligence (ODNI), and the Department of Defense (DOD) are partnering to promote the importance of supply chain security and risk management. Breaches in the supply chain provide an opportunity for malicious software or hardware to be installed on equipment. Lack of awareness or validation of the legitimacy of hardware and software presents a serious risk to users' information and the overall integrity of a network environment.

Despite the risk that the supply chain introduces into organizations, it is all too often a problem that is approached inefficiently and ineffectively.

The Office of the Director of National Intelligence summarizes the problem quite well (https://www.dni.gov/index.php/ncsc-what-we-do/ncsc-supply-chain-threats):

These adversaries exploit supply chain vulnerabilities to steal America's intellectual property, corrupt our software, surveil our critical infrastructure, and carry out other malicious activities. They infiltrate trusted suppliers and vendors to target equipment, systems, and information used every day by the government, businesses, and individuals.

Of course, the problem extends well beyond just government and critical infrastructure. It extends into all industries and sectors. Yet, organizations can hardly be faulted for paying Vendor Risk Management (VRM) less attention than it deserves. Historically, VRM has been an area lacking creative, efficient, and helpful technological solutions. Instead, it has been an area overwhelmed by manual, labor-intensive processes that can't possibly assess, manage, and mitigate the risk that the supply chain poses.

At IDRRA, we believe in helping organizations efficiently and effectively tackle VRM. It's our passion, and it's what drives and energizes us day-to-day. Our industry-leading platform takes the pain and headache out of the VRM process, allowing organizations to focus on reducing supply-chain risk.

Every month should be supply-chain integrity month, and with IDRRA, it is. There is no time like the present to make the most of supply-chain integrity month and to get your VRM program off the ground. In fact, IDRRA (https://idrra.com/) can help you get started: register for a free account today.