MRO Magazine

Keep Your Customers Close, and Your Vendors Closer


May 5, 2015
By Marketwired News

OVERLAND PARK, KS–(Marketwired – May 05, 2015) – You probably remember your close friends from childhood. You did everything together and they made you happy. Their mere presence proved vital to your well-being.

Many groups of friends had one or two members who could create as much havoc as joy. On the one hand, they brought value to the group, such as a pool, the latest video game system or a good-looking sister. On the other hand, these fringe friends always seemed to carry some inherent risk. The group had to keep close watch on them so they wouldn’t raid your pantry for snacks, break something, or, worst of all, leak the group’s most intimate secrets to everyone at school. They epitomized the saying, “keep your friends close, and your [fr]enemies closer.”

A simple reworking of this statement makes it hold true for businesses today: “Keep your customers close, and your vendors closer.” Think of your company as yourself and your customers as the best friends whose existence is essential to your own. A company’s vendors are the kid down the block who provides a product or service to you (ultimately to benefit the customers as well), but who brings some risk along with it. Instead of secrets about who has a crush on whom being leaked at school, you now deal with sensitive stored data leaking to the world through a breach at a vendor. Although vendor risk management is not as simple as it was in those younger years, some of the basic principles still apply to thwart these embarrassing, reputation-destroying events.

Several companies suffered this fate in 2014, watching sensitive data walk out the back door after their vendors were breached. The effects of such breaches are prolonged and are still being felt well into this year. Brand reputation was damaged and the bottom fell out of some companies’ stock prices. And these costs are just the ripple effect of a breach. The Ponemon Institute reported that customer records stolen through a third-party breach cost the affected company an average of $14.80 per record.

If these breaches showed us anything, it’s that a company’s cybersecurity is only as good as that of its vendors. Because of this, industries are now seeing regulations revised to mandate enterprise risk management policies that extend to third-party vendors with cyber or physical access to the responsible organization.

Publications abound on what a successful vendor risk management program should entail. Regardless of the source, the foundational elements of a solid vendor risk management plan remain the same:

  • Comprehensive inventory of vendors with a corresponding catalog of the risks each one introduces
  • Risk-based segmentation and prioritization
    • Limit each vendor’s access to the information and systems it actually needs, and prioritize review effort by the risk that access carries
  • Established governance procedures for addressing remediation
    • This may be centralized (one department solely owns remediation processes), departmentalized (remediation is managed by the department that owns the vendor relationship), or a hybrid of both
    • Transparent, predetermined incident response plan
  • Reporting and workflow to support that incident response plan
    • Track and monitor relevant data; aid workflow within and across business units; give managers a clear picture of real-time risk with actionable recommendations
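The first two elements, an inventory that records why each vendor is risky and a segmentation that turns those facts into a priority and a review cadence, are the part of the list that can be made concrete. The Python below is an added illustration written for this page; it is not LockPath’s code and does not describe how the Keylight platform scores vendors. The scoring weights, tier thresholds, assessment cadences and the five sample vendors are all assumptions chosen for the example, and the only figure taken from the article is the $14.80 per-record cost, used to size exposure rather than predict loss.

```python
"""
Risk-based vendor segmentation: an illustrative scoring model.

Added example, not LockPath's code or the Keylight platform. The weights,
thresholds, cadences and the sample vendors are assumed for illustration;
a real program would calibrate them against its own risk appetite.
"""
import math
from dataclasses import dataclass
from enum import IntEnum


class Tier(IntEnum):
    LOW = 1
    MODERATE = 2
    HIGH = 3
    CRITICAL = 4


# Average per-record cost of a third-party breach as quoted in the article
# (Ponemon Institute); used only to size exposure, not to predict loss.
COST_PER_RECORD_USD = 14.80

# Assumed review cadence per tier, in days.
ASSESSMENT_CADENCE_DAYS = {
    Tier.CRITICAL: 90,
    Tier.HIGH: 180,
    Tier.MODERATE: 365,
    Tier.LOW: 730,
}


@dataclass(frozen=True)
class Vendor:
    """One inventory entry: the facts about a vendor that drive its risk."""
    name: str
    records_accessible: int   # customer records the vendor can read or hold
    data_sensitivity: int     # 0 public, 1 internal, 2 confidential, 3 regulated (PII, PHI, card data)
    network_access: bool      # standing path into our environment (VPN, API credentials, site link)
    physical_access: bool     # badged access to our facilities
    privileged: bool          # admin rights on our systems, or hosts our production data


def risk_score(v: Vendor) -> int:
    """Additive score: sensitivity and privilege weigh most; record volume is
    log-scaled so ten times more records adds one point, capped at four."""
    score = 2 * v.data_sensitivity
    score += 2 if v.network_access else 0
    score += 1 if v.physical_access else 0
    score += 3 if v.privileged else 0
    if v.records_accessible > 0:
        score += min(4, int(math.log10(v.records_accessible)))
    return score


def tier_for(score: int) -> Tier:
    """Assumed thresholds mapping a score onto the four tiers."""
    if score >= 12:
        return Tier.CRITICAL
    if score >= 8:
        return Tier.HIGH
    if score >= 4:
        return Tier.MODERATE
    return Tier.LOW


def exposure_usd(v: Vendor) -> float:
    """Records the vendor can reach times the quoted per-record breach cost."""
    return round(v.records_accessible * COST_PER_RECORD_USD, 2)


def segment(vendors):
    """Return the inventory as a prioritised worklist, highest risk first; each
    row carries the tier, the review cadence it implies, and the exposure."""
    rows = []
    for v in vendors:
        s = risk_score(v)
        t = tier_for(s)
        rows.append({
            "vendor": v.name,
            "score": s,
            "tier": t.name,
            "assess_every_days": ASSESSMENT_CADENCE_DAYS[t],
            "exposure_usd": exposure_usd(v),
        })
    rows.sort(key=lambda r: (-r["score"], -r["exposure_usd"], r["vendor"]))
    return rows


# Constructed sample inventory (not real vendors).
SAMPLE_VENDORS = [
    Vendor("Payroll processor", 50_000, 3, True, False, False),
    Vendor("Cloud hosting provider", 2_000_000, 3, True, False, True),
    Vendor("Office cleaning contractor", 0, 0, False, True, False),
    Vendor("Marketing email platform", 300_000, 2, True, False, False),
    Vendor("HVAC maintenance (remote monitoring link)", 0, 1, True, True, False),
]

if __name__ == "__main__":
    for row in segment(SAMPLE_VENDORS):
        print(f"{row['tier']:<9} score={row['score']:>2} every {row['assess_every_days']:>3}d "
              f"exposure=${row['exposure_usd']:>13,.2f}  {row['vendor']}")
```

Run as a script it prints the worklist with the cloud hosting provider (regulated data, a standing network path and privileged access) and the payroll processor at the top as CRITICAL, the email platform as HIGH, and the cleaning contractor, whose only risk is physical access, at the bottom. The point of the model is the ordering and the cadence it implies, not the absolute numbers; the same inventory fields also make the “limit access to what is needed” item checkable, since any vendor with a standing network path or privileged access but a low sensitivity score is a candidate for having that access withdrawn.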

Left to antiquated methods or legacy solutions, vendor risk management continues to be a resource-heavy undertaking. Second-generation GRC solutions change that. No longer is vendor management a matter of babysitting email threads and raking together scattered supporting documents. Information and documents are gathered in a central repository, regardless of whether governance duties are siloed by department. It doesn’t matter if you have two or 2,000 vendors that need to receive security and risk assessments, surveys, or scheduled update emails. A robust GRC solution, such as LockPath’s Keylight platform, manages the entire vendor risk management lifecycle: assessment creation, testing and surveying, risk documentation, remediation, incident response, and periodic reviews.

Relate this to the new kid who moved into the neighborhood and kept the “risky kid” in check. Everyone liked this new kid because he gave the group a stronger security and risk management posture. A GRC solution does the same. It gives visibility into your organization’s vendor risk lineup and a clear understanding of which vendors matter most, which in turn allows for an organized plan for risk remediation and incident management. At the end of the day, it’s a GRC solution that will truly let an organization keep its customers close, and its vendors closer.

About LockPath
LockPath is a market leader in corporate governance, risk management, regulatory compliance (GRC) and information security (InfoSec) software. The company’s flexible, scalable and fully integrated suite of applications is used by organizations to automate business processes, reduce enterprise risk and demonstrate regulatory compliance to achieve audit-ready status. LockPath serves a client base of global organizations ranging from small and midsize companies to Fortune 10 enterprises in more than 15 industries. The company is headquartered in Overland Park, Kansas.
