October 20, 2020

A New Model For Vendor Risk Management

Teepee has developed a new model for vendor risk management. The prevailing model encourages companies to conduct a risk assessment of their critical vendors on a regular basis (many do this once per year). In theory, this is not a bad model when the scope of vendors is limited, but it gets crushed by the scale of the current vendor ecosystem.

The result is that few companies conduct an annual risk assessment of their vendors, or they conduct an extremely watered-down version of a risk assessment (i.e. making sure they have the vendor's latest SOC report on file).

This model grew out of a vendor environment that is very different from the one today. This article from 2006, about GM outsourcing its IT operations, is a great example of the difference between 15 years ago and today.

You can imagine that in 2006, it was not out of the realm of possibility for the largest companies (e.g. GM) to conduct cyber risk assessments of their critical vendors (e.g. Wipro). This is because:

      • The number of vendors that held digital data was far smaller.
      • The amount of digital data being created was far smaller.
      • The ratio of the resources needed to conduct a risk assessment to the size of the vendor contract was minuscule.

In today's vendor environment, we have thousands upon thousands of cloud and SaaS vendors that have a point solution for every work process that exists in your company. The amount of data being generated by your company has skyrocketed. And the amount of data leaving your company for these outside vendors has also skyrocketed.
