Ok, so you did everything right. You sent your vendor a Standardized Information Gathering (SIG) questionnaire scoped to the data and service type involved, you analyzed the responses, you decided to perform an on-site assessment using the Agreed Upon Procedures (AUP), and you helped identify security gaps that needed to be addressed. Everything seemed to be aligned with your risk management process and you were seeing progress. Then your vendor's core software got breached and your customer data was exposed. You hadn't focused heavily on the vendor's software security, since that wasn't generally in your purview, and the basic information you had received back from the SIG seemed to indicate that appropriate security controls were in place. You started wondering what had gone wrong and what you could have done differently.
While there are often significant non-financial benefits to understanding your vendors' controls, many executives are still "fuzzy" on why they need a third-party or vendor risk management program. Generally, an organization outsources a business function to a service provider because it is less expensive than staffing the expertise and building the infrastructure internally. Budgeting for oversight of the risks these relationships introduce adds cost, and so appears to reduce the ROI of outsourcing. However, not fully understanding those risks can cost the organization significantly more during and after a data breach. Once the decision is made to outsource, sharing sensitive information with the provider becomes a requirement, and due diligence becomes one of the only mechanisms you have to understand whether the third party has the necessary controls in place to protect your data.