The Importance of Vendor Risk Assessments

When buying a car, do you rush right out to the dealership and purchase the first car you find online? Or, do you perform your research and kick the tires, taking it for a test drive? Most of us will conduct our “due diligence” before buying a car and this includes researching the types of cars we’d like to buy, taking several test drives and checking out the mechanics of the car.  This same due diligence should be done for each of the vendors that you plan to use within your company in the form of a vendor risk assessment, regardless of their size. In fact, current vendors within your company should be reviewed every one to two years. For example, did someone review their financials? Do you know if you can get your data back if they go bankrupt? Do you know if they’re governed by laws outside of your country?

In larger companies, vendor risk assessments are typically performed by risk analysts, technology auditors, and information security folks, working in conjunction with the vendor management and procurement departments. In smaller companies, there may be a one or two person team responsible for conducting the vendor risk assessment. In many startup organizations, vendor risk assessments can be an afterthought. If you don’t perform a vendor risk assessment on your vendors today, take a look at this Risk Assessment Toolkit from the State of California’s Department of Technology, Information Security Office to get you started. There are many other sample templates and resources available online, as well. This is a great video on assessing technology vendor risk and security from Monte Ratzlaff, Security Manager, at UC Davis Health System, as he presents “Vendor Risks: Evaluating the Security of New Technology”.

At this point, some of you may think, “well, I don’t need a risk assessment on ____ vendor (insert name of vendor), they’re huge!”. Right? Wrong. I’ve worked with technology audit professionals on the review of hundreds (if not thousands) of technology vendors and yes, some of those “huge” vendors can have red flags for you and your company. Whether it’s the fact that they’re in the middle of a merger, they’re outsourcing their development team, or they don’t have enough insurance to cover you in the event of a breach, the scenarios can vary, depending upon what your company considers a risk and how that risk is categorized. If you need a tool to understand risks associated with the project you’re considering, take a look at this post by BrightHub PM, it has a lot of great info on creating a risk matrix and how to use it.

In the end, just think of a vendor risk assessment as a way to kick the tires of the prospective vendor before buying a lemon whose carburetor is going to explode once you drive it off the lot. If you’re interested in performing a proof of concept or proof of technology with the vendor once they pass the vendor risk assessment, check out a former post that I wrote on this topic and good luck!

Target’s Data Breach and its Impact on Technology Procurement

From the C suite down to the help desk, everyone will remember the Target data breach. However, many organizations think about security last when procuring software. They’re more concerned about speed to market, not whether they’ll be facing millions of dollars in penalties for a data breach. In an article entitled “Marrying IT Risk Management with Enterprise Procurement”, Ericka Chickowski details the need for vendor risk to be evaluated during the procurement or contracting phase.

I agree with Ericka’s article and wish that more organizations would see the value in conducting vendor risk assessments in the procurement or contracting phase of an engagement, instead of attempting to clean up after a data breach or other security issue. An older article written by Tim Burt prophetically explores the sensitive data involved in cloud computing and it’s effect on Procurement.

In the race to purchase software from a vendor, organizations should temper that speed with sound vendor and risk analysis in the procurement or contracting phase of an engagement.  It shouldn’t take a data breach for organizations to remember that, but sometimes it does.

Below is a great video on assessing technology vendor risk and security from Monte Ratzlaff, Security Manager, at UC Davis Health System, as he presents “Vendor Risks: Evaluating the Security of New Technology”: