Third-Party Risk Management and its Role in Today’s Data Breach Environment

10-29-2018, 08:53   Blog


I don’t know about you, but my experience has been that whenever a vendor contract came up for review, it was a business team that generated the request for a data security risk assessment. And this was if - and only if - someone in the business recognized that the vendor exchanged data with us in some fashion. Cherry picking the short list of vendors for risk reviews has long been the standard practice for most of the companies I’ve come across in my career. This process needs a major overhaul if we’re going to be in a position to defend our corporate assets in the midst of the current threat landscape.

For better or worse, when it comes to technology with all its opportunities and threats, we are all linked together. You might think of it as a “modern chain gang.”

One of the things that the general public learned after the infamous data breaches at retail giants Home Depot and Target was that service providers introduced the malware into both environments to exploit their systems. Ironically, both Target and Home Depot had pretty robust data security controls in place to protect the way they handled their own data. From where I sit, the business group requesting the third-party product or service is part of the corporate dog wagging the proverbial information security tail. Carrying on with this metaphor, it’s pretty easy to see that these two retail “big dogs” bit their own tails. The buck-passing might stop with information security, but it often starts with the business. It’s easy to point the finger at the teams responsible for protecting sensitive data when something goes wrong. But in the case of vendor risk management, the information security experts can’t protect against risks that their business teams are introducing into their environments if business vendor relationship managers are not flagging vendors for risk reviews. How do we band together to change the process? That, my friends, was Target’s $120 million question.


It seems that it’s been tough for the folks in procurement to keep up with the rapidly changing ways companies are conducting business in this “post-economic downturn” era. The procurement processes that may have worked well during the ‘good times’ – when the threat landscape was different and saving money didn’t include cutting down on vendor security reviews – just don’t cut it today.

Companies with less money, fewer people and less time have forced business and technology teams to rely on their creativity to get the job done. Creativity is often a nice way to say “cutting corners.” As a case in point, the use of third parties for outsourced IT and cloud services is quickly becoming the new operating norm. These practices are generally driven by cost reductions, time-to-market and competitive pressures, and attempts to fill gaps in existing talent pools. Additionally, the large volume of regulated company-critical and customer-sensitive data that is accessed, managed, stored and transmitted through third parties continues to flow freely, at accelerated rates, with no slow-down in sight. The underlying technologies that support these workflows and business processes tend to introduce risk, as they are often not deployed, managed or governed in an optimal and completely secure fashion. High-profile news reports of breaches caused by these problems have made Board members and senior executives more aware of the equally disastrous problems that could arise within their own organizations. Accordingly, there is an unprecedented focus being placed on enterprise security, IT governance, and risk management in an era when security teams have been downsized and security budgets have plateaued.

With the limited resources they have, many companies have to focus on current initiatives rather than on unearthing third-party risk exposures for companies that the business has on-boarded in the past, especially when no one is asking them to do it. The result is that all parties are turning a blind eye to the situation. I like to refer to the group of vendors providing services prior to the current date as “Yesterday” vendors. It’s understandable why many ‘yesterday vendors’ were not reviewed for risk when they were originally on-boarded. Times may have been different and procurement processes may not have been mature enough to include risk reviews. Today, ‘yesterday vendors’ continue to support their customers, but at what cost? In the world of HIPAA / Omnibus and other data security regulations, not knowing who your vendors are and what they do for you is not going to excuse companies from their responsibility to safeguard the confidential data of their shareholders, customers, business partners and employees. Put very simply, Procurement is the first stop on the train. It has ownership of identifying the list of active vendors supporting their business teams, what these vendors do for them and which vendors should be reviewed for data security risks. And these vendors should be reviewed on an annual basis so the information security teams can remain ahead of the curve.

Many organizations give their suppliers the benefit of the doubt and believe that their own companies can handle any exposure by assuming:
  • Internal teams have robust controls in place to mitigate external vendor cyber security risks
  • Vendors have mature IT controls in place (with no evidence to substantiate this belief)
  • Internal procurement procedures do a great job of cherry picking vendors to review


The reality is that there are security-related holes in virtually every supplier’s ecosystem. The trick is to identify and rectify them as soon as possible, preferably before you on-board them and they introduce risks to your environment. It makes sense that most organizations overlook vendor risk to stay focused on tasks that increase their bottom-line revenue, deliver company cost savings or help them gain competitive advantage. You may never have given this much thought, or you may believe that your firm does a pretty good job determining where your vendors stand when it comes to data privacy and security risk, but before you exhale that sigh of relief, do yourself a favor and answer the following questions.

Take this simple test:
  • Can you identify all the suppliers who are actively providing services to your company?
  • Do you conduct an annual review of these active suppliers to determine the subset that is exchanging data electronically with you or connecting to any of your systems?
  • Do you maintain a comprehensive list of suppliers ranked by the severity of the risks they pose to your company?
  • Do you work with the most risky vendors to put remediation plans in place to mitigate the risks you’ve discovered?
  • Do you have transparency into the data security risks in your vendor’s ecosystem?

If you responded “no” to one or more of these questions, here’s the good news: you are not alone. I’m afraid the bad news is that, like the Target data security team, you may be held responsible for exploits triggered by your third-party relationships; the new data security rules require a “yes” response to all of them. If you’re thinking that it’s virtually impossible for information security to respond “yes” to all these questions, you’d be correct. The only team equipped with the tools and the knowledge to respond “yes” to all these questions is the procurement team – but they are not always in a position to provide this important risk information to your organization.

In many ways, Procurement has inadvertently been playing Russian roulette with data security risks in its supply chain and has managed to dodge some bullets; but when the shots ring out, it’s most often the Information Security Team that takes the hit.

The next installment of this blog post will lay out the steps for properly managing vendor risk to your company.


Rick D’Angona is founder of 3PAS, a vendor credentialing and risk assessment company established on the principle that vendor credentials and risk assessments should be universally accessible and shareable between companies doing business together as part of the global economy. 3PAS has a proven process for providing vendor due diligence assessments. This process is provided without extra cost to cleverDome members. To learn more about cleverDome and its alliance with 3PAS and how we can help with your vendor due diligence, click here.