3 Things CISOs Need to Get Right in Vendor Management

In vendor management, there are three things a chief information security officer (CISO) must get right to secure their organization. These are:

  1. Assurance reporting to understand the controls in place around the services received
  2. Qualified personnel
  3. Incident response and business continuity plans

Let’s break down why these three things are pivotal to a CISO, what they involve, and how to go about ensuring you’re meeting best practices.

Why Do They Matter?

CISOs help organizations manage risk, face threats, and work through resource challenges in their day-to-day positions. In recent years, vendor management risk has risen in prominence, making headlines too often. The challenge of protecting the organization from cyberattacks or breaches from vendors falls right into the lap of the CISO, who must keep the business secure.

What Do These Three Points Entail?

First, start by understanding what controls the vendor or third party utilizes by reviewing their assurance and compliance reports. This process will help you confirm that the vendor you are working with has proper oversight of the controls affecting your data or service. SOC 2 reports, third-party risk assessments, and security questionnaires will cover most of the relevant control areas your vendors should have in place.

Second, ensure your organization’s vendors have qualified personnel. The current job market sees personnel leaving and changing roles very quickly. You will want to be absolutely sure that your vendor has the right people providing the service you rely on.

Third, make certain your vendors have an established and tested incident response plan (IRP) and business continuity plan (BCP). A comprehensive IRP and BCP can help mitigate potential vendor risk. Say a critical vendor encounters an issue that impacts your organization, its data, or its systems – a thorough IRP and BCP can help resolve this issue before it becomes an even bigger problem.

How Can a CISO Check These Boxes?

CISOs can leverage networking groups whose members have used specific vendors in the past. Additionally, CISOs should utilize organizations that specialize in reviewing vendor assurance reports and that assist numerous clients with vendor risk management.

Virtual CISOs can work with organizations to remove the challenges of building out the vendor management function. These organizations can also help with processing these vendor relationship risks.

Wolf & Company can assist your business in investigating and understanding its cybersecurity and information security needs, and build the programs and structures necessary to ensure you are mitigating third-party vendor risk.
