In a way, the Sony breach was really good for the cyber security community. A watershed moment in the industry's history, it began the transformation of infosec from a compliance requirement (a nuisance) into a legitimate enterprise need, right up there with sales and product development (well, not exactly, but you get the idea). It prompted increased investment in existing infosec technologies (e.g. SIEM) and accelerated the development of new ones (e.g. user behavior analytics, UBA).
But, I’m afraid, it was not so good for the third party risk community.
“But Jeff. That’s silly. After Sony – and on the heels of Target especially – regulatory organizations and companies alike began to appreciate the importance of their vendors’ information security.”
My point exactly.
After Sony, the business world began equating enterprise risk with cyber/data risk. If your vendor was a low risk for a data breach, mission accomplished. Ergo, many third party risk models concentrate on data security risk (and, frankly, just internet reputation), ignoring, or at least under-appreciating, the other areas of risk to a typical enterprise. Your vendor may never have suffered a data breach, but they've just been flagged by the DOJ for selling chips to a hardware store in Tehran that happens to be a front for the Revolutionary Guard. Another vendor has the cleanest IP reputation among your list of 1,500 vendors, but its founder, CEO, and the recognized engine behind the organization's success just resigned to "spend more time with his family"... which will begin with 90 days at the Betty Ford Clinic. And one of your critical suppliers (a private company), after a sharp decline in its credit rating over the past several quarters, has just filed for Chapter 11 bankruptcy protection. Oh, and it turns out your Chapter 11 vendor has a spotless IP reputation... good to know.
Over the course of business history, there have been countless episodes of enterprises suffering damage as a result of their vendors and partners, and the vast majority of those episodes occurred long before cyber risk was part of anyone's vocabulary. Did those primary risk elements disappear the day the first sensitive data file was stolen by the world's first hacker? Oh, if it were so simple. (Blog writer's free tip: never pass on an opportunity to quote Solzhenitsyn.)
Third party risk comprises a number of elements, and those elements are often inter-dependent. Internet reputation is, without question, one of them, but assessing a vendor's internet reputation in a vacuum is like a football coach evaluating a prospect exclusively on the basis of their 40-yard dash time, with no consideration for their size, quickness, hands, skill set, performance history, competitive make-up, and so on.
Our VTM product was developed by third party risk professionals. As part of that expertise, we understand internet reputation; most importantly, we understand that it's just one piece of the third party risk puzzle.
Drop us a line at firstname.lastname@example.org. We’ll be happy to tell you all about it.