June 4, 2020
In Vendor Risk Management, It’s Not About The So Called ‘Talent Gap’
The number of security professionals hired by Corporate America over the past 10 years has grown at a truly meteoric rate. I was talking to someone who started at Bank of America in 2012 and he mentioned they had 200 security professionals GLOBALLY. By the time he left 4 years later, that number was up to 2,000. I’m sure since then, the number has at least doubled, if not gone up by more.
With any labor market, when there is a dramatic increase in demand, it takes a bit of time before supply catches up. People have lamented for years about the shortage of Information Security professionals needed to fill the many open roles that are posted on job sites. My sense is that while there still is a bit of a shortage, the supply number has caught up tremendously.
One strategy for addressing this shortage has been for companies to adopt technology left and right. As one Security Consultant friend mentioned to me, “For years, CISOs would be given ever increasing budgets to go out and fix problems. They ended up buying a lot of technology that just ended up sitting on the shelf”.
Technology can help with automation on workflows that otherwise would need to be performed by humans. We’ve seen this work successfully across the Security landscape from SIEMs to Identity to Cloud Security.
One area where one might think the talent gap is a huge issue is Vendor Risk Management. There are a ton of vendor assessments that need to be conducted and not enough professionals to conduct them. A fully dedicated security professional could get through 200 assessments per year. But in many cases, large organizations have thousands of vendors to assess. And smaller organizations cannot dedicate an FTE whose only responsibility is conducting vendor assessments.
A security professional I spoke with the other day mentioned that there is a ‘distortion in the market’. The distortion is that the existing standard for vendor risk management is an upside-down model: security professionals at many different companies each do essentially the same 6 hour review of the same vendor, over and over again. The quality of the review never increases, but the total amount of time spent grows with every additional company that reviews that vendor.
The solution to this problem is not more security professionals doing the same work and perpetuating the existing model. It is a new approach, a new way to look at vendor risk management that also makes use of modern technology.