What is VRM, and how to start applying it to your supply chain risk?
A vendor notified a global enterprise that it had suffered a data breach. That vendor was already recorded in the enterprise's VRM system, which allowed the security and risk personnel to quickly assess the exposure and act accordingly. This kind of working VRM process is what is expected of modern enterprises and organizations, but sadly, it is very rare.
Gartner defines VRM (Vendor Risk Management) as “the process of ensuring that the use of service providers and IT suppliers does not create an unacceptable potential for business disruption or a negative impact on business performance”.
In a cybersecurity context, this means that organizations need to ensure that elements in their supply chain, such as vendors, partners, integrated systems and others, do not expose them to unnecessary cyber risk. VRM (which is part of Risk Management) has been in the shadow of the more mainstream IT security until very recently.
Organizations have invested heavily in securing their own perimeter, training personnel and refining their security procedures, all in the hope of thwarting an attack by an outside hacker. But cybercriminals are like water: they always seek the path of least resistance, and they found that they could gain entrance to heavily defended organizations by working their way up the supply chain. There, they could identify weaker entities with lesser security mechanisms and use these to reach their final objective. Supply chain attacks increased 78 percent between 2017 and 2018, and a recent report states that half of all attacks in 2019 target the supply chain. This fact, alongside some very notable breaches that came through the supply chain (Target was infected via an HVAC maintenance contractor with weak cybersecurity; Wipro was hacked and then used to launch further attacks on its customers; etc.), has brought this subject to the attention of boards, CISOs, and legal and risk professionals across the world.
But awareness is not enough. Organizations need to understand whether they should address this risk and how to mitigate it. Some organizations are mandated by law or regulation to engage in Vendor Risk Management. These include critical national infrastructure, the defense and homeland security industries, and financial and healthcare entities. Others must address VRM as part of their obligation to adhere to GDPR and other privacy policies and regulations, such as the evolving CCPA. We will cover these aspects in follow-up blog posts. But when an organization decides it needs to address VRM, it is usually shocked by the sheer volume of work ahead. This is a combination of the number of vendors that require validation (which could easily reach hundreds for a medium-sized organization) and the manual labor required to validate each and every vendor. The traditional VRM process required that a detailed questionnaire be sent to the vendor, who would then fill it in to the best of their understanding. The questionnaire would then be sent back to the organization for processing, which required painstaking manual data entry into the organization's own systems. This is a lengthy and expensive process that can have a negative impact on business cycles and project execution times. Furthermore, the process must be revisited on an annual basis, or when switching to (or adding) new vendors in the supply chain.
Faced with these challenges, organizations choose to prioritize and focus their attention on the largest vendors or the ones perceived to pose the greatest risk. It is not uncommon for organizations to focus their VRM process on just 5% of their supply chain, leaving the bulk of it unaccounted for. Organizations that choose to "roll the dice" and play the cost-versus-risk game could find themselves in the crosshairs should they happen to miss the one vendor that eventually causes the breach.
Findings approaches this challenge with the view that ALL vendors must be verified. We've built our technology platform to enable organizations to automatically assess their exposure. Moreover, we've made it exceptionally easy for vendors to assess themselves. By removing friction we've enabled organizations to effectively assess their entire supply chain, without having to "gamble" on whom to check. In the case described at the beginning of this article, a global enterprise had used our system to vet its entire supply chain. That, of course, would not have been achievable with the "old" (manual) methods. Having the vendor documented in their VRM system allowed them to quickly respond and communicate the necessary actions, both internally (to the board of directors and management) and externally (to customers, partners and authorities). Likely, the status of that particular vendor was such that no additional action was required. Had it not been validated and recorded in the VRM system, the process of understanding the exposure "post-mortem" would have taken days rather than the 15 minutes it actually took. The Findings solution delivered the following benefits:
- Complete coverage
- Reduced time for the initial validation process
- Reduced time to respond once an event has occurred
VRM technology supports enterprises that must assess, monitor and manage their risk exposure from third-party suppliers (TPSs) that provide IT products and services, or that have access to enterprise information. However, without an automated, scalable mechanism to support the data input, these tools are under-utilized and provide only partial coverage. Findings enables organizations to fully utilize these solutions and gain a clear understanding of their entire supply chain exposure.