Vendor management spans a wide variety of topics: from contracts, to metrics, to relationships, and beyond. But one of the most critical aspects of vendor management—particularly for a CISO—is how to manage the risk your vendors bring to the table.
We’ve outlined how to select your vendors, onboard them, and manage them continuously below—but before that, there are a few things you need to keep in mind:
You must be able to identify the risks you’re trying to mitigate.
There are risks associated with every vendor relationship—so the question becomes how important those potential risks are to you. In other words, what are the risks you’ll accept and which are just going to be too, well...risky?
You must have enough people in place to make the process work. 
Most CISOs don’t have enough team members in place to facilitate a dream vendor management process, which makes selecting the risks that they’ll address more critical. But it is important that you have a team with enough bandwidth to assess your vendor relationships during the selection and onboarding process—and most of all, on a continuous basis. Maximizing your team’s efficiency and making the most of the resources you have available will play a critical role in your vendor management and security.
1. Vendor Selection
Often, an organization may narrow a list of potential vendors down to the top 3-5 and pass it along. As the CISO, you are then responsible for helping your team assess the information security risks your organization may be subjected to with particular vendors.
In order to have an effective vendor selection process, you need to have a clear understanding of the kind of information that will be exchanged between your organization and the vendor’s organization.
- What level of access will they have? This may be a tiered internal system, with level one being the least critical amount of access and level four being the most critical amount of access.
- Which systems will they have access to?
- What kind of data will be shared between our organizations? Will you share customers’ personally identifiable information (PII), health care records, intellectual property, etc.?
What amount of access they have and what type of data will be shared are extremely important to know ahead of time. With all of this information in mind, you should have a better idea of how deep you’ll need to go with your vendor risk assessment. Different organizations present different levels of risk; some require an on-site assessment and penetration test (among other things), and others might be conducted from your desk. Once you have these answers, you’ll have a pretty good idea of whether or not you’ll want to move forward to the onboarding of a particular vendor.
Once you’ve assessed the risk associated with a particular category of vendor, you’ll want to look at the vendors and see how they compare. If there are any risks you’re not comfortable with, you need to look to the vendor to address those risks before they’re onboarded.
Boards need information about cybersecurity more than ever before. Can you present it effectively?
2. Vendor Onboarding
Once you’ve selected a vendor, it’s time to manage the onboarding process. That will likely involve some of the following:
- Putting contracts in place. Contracts can also be used to address some of the risk presented by a particular vendor, as clauses can be added to touch on topics you may feel present too much risk.
- Giving the vendor access or credentials to the systems you use for exchanging information. Of course, they should only have access to the systems that are absolutely critical for them to have access to—which needs to be part of your diligence process.
- Input the vendor into your GRC tool—if applicable—so you can measure and monitor going forward.
- Input the vendor into your continuous monitoring tool, if applicable. During the onboarding process, it is imperative to communicate with your vendor and tell them you’ll be monitoring them, how you’ll be doing so, and why you’ll be doing so. Keeping lines of communication open—and being highly transparent about your dashboards, metrics, KPIs, and monitoring methods—is critical for a positive vendor relationship.
3. Ongoing Vendor Management
When your vendor is onboarded, they should be assigned to a vendor manager or someone on your staff who can manage the working relationship going forward. This includes monitoring important KPIs and metrics, as well as conducting annual reviews of the vendor.
But remember that cyber risks are evolving every day—so once-a year-assessments are simply inadequate in terms of managing vendor risk. You need to know what is going on with your vendors on a day-to-day, hour-to-hour, and minute-to-minute basis. This is where continuous vendor risk monitoring comes into play. You don’t just see a snapshot in time of your vendor’s performance—you see a real-time view. This helps you become aware of any new risks so you can manage them quickly and appropriately.
In Summary
You can’t manage every single risk that your vendors present. It’s simply not possible in today’s threat landscape. What’s more is every vendor is different, and they simply cannot all be lumped together as far as risk is concerned.
Therefore, being able to identify the risks that are most relevant to your business—and focus on those that can have the biggest impact to your organization if they’re not correctly managed—is a skill every CISO needs to have.
