Third-party risk management is an essential element of information security. It is common to see news about a large company being breached, and after learning more, you find out the breach was the result of a vendor. When you depend on another organization for a critical business process and allow them access to your network, facility, or data, there is risk to your organization—and it is essential to manage that risk.
But what happens when the vendor has deficiencies in their own security program? Generally, companies manage these situations in one of a few ways: choose a different vendor, put compensating controls in place, or hold off on using the vendor until they improve their controls.
From Vendor Compliance to Vendor Enablement
We encourage a fourth option whenever possible. We refer to it as ‘vendor enablement,’ and it focuses on treating vendors as partners (and we are not just saying that because we are vendors ourselves).
Vendor enablement is all about helping your vendors improve their security program so that it is aligned to your security requirements. While it sounds altruistic, this approach is often mutually beneficial, and in some situations, it can be the only path forward, such as when a security-challenged vendor is the only one that can provide an essential service or when specific vendors are ‘strongly encouraged’ based on existing business relationships with executives or board members.
In situations like these, working with the vendor to improve their security program can be a win for everyone involved. You end up with a more secure vendor, the vendor ends up with a better information security program, and any existing relationships and processes remain intact.
Effective vendor enablement is rooted in vendor assessment processes. When assessing a vendor, rather than just outlining problems, offer concrete recommendations for how to improve their program and suggest ways that you can help. It seems like a simple concept, but it is not as common as it should be.
While it is natural to think, ‘We pay for this service—why should we invest more time, money, and information to improve their products?’, there are actually quite a few reasons to do so:
- It is often significantly faster and more cost-effective than trying to rip-and-replace current vendors—especially when they are highly embedded in your organization.
- It promotes your security and/or compliance teams as enablers rather than roadblocks.
- It leverages executive and board member relationships, rather than fighting against them.
Give and Get
Additionally, you should feel free to ask for something to offset your efforts when warranted. Discounts, additional support hours, or access to new features are common requests when helping partners improve their solutions.
But do not ask for too much here. The focus should be on helping your vendor’s team address your risks as efficiently as possible without significantly hurting your organization, not trying to take advantage of a vendor’s challenges.
We Are in This Together
Most people want to do the right thing, and your vendors are likely no exception. Like teams within your organization, they may be limited by money, time, and lack of expertise. Understanding their resource shortfalls and tailoring your enablement approach accordingly is the hallmark of an effective enablement program.
- If your vendor is lacking expertise that your teams have, get your experts to share their knowledge and/or help define a way to meet in the middle.
- If your vendor is lacking the time to solve your issue, offer to provide solutions to their needs. For instance, if they have no vendor management, giving them your questionnaires and processes can eliminate the time they need to generate these tools. This has the added benefit of being directly aligned to the risks that matter most to you.
- If they are lacking the funding to implement a tool or perform an assessment, offer to source and/or pay for a portion of it in exchange for product discounts or additional services.
Partnerships like these not only lead to better security, but often have the added benefits of better prices, better services, and being more ‘top of mind’ for vendors when they are making changes to their products and services.
Better Alignment From Top to Bottom
Additionally, helping vendors fix your issues means that their updated products and services will be inherently aligned to what you need, rather than having them update the product or service only to miss something that was important to you. It can even turn difficult conversations into wins.
While a classic vendor management approach may entail telling a board member, “We cannot use your preferred solution because they are not a good fit,” an approach focused on vendor enablement will allow you to say, “You know that solution you love? We have not only implemented it—we have helped make them even better!”