July 9, 2020
Shadow Buying And Vendor Assessments
One of the largest problems in vendor risk management is a company not conducting a security assessment of a vendor before that vendor is procured. This generally happens in two scenarios.
The first scenario is when a company does not have a vendor risk management program in place to review the vendors that are being procured. In this case, no vendors are being reviewed at all. This scenario primarily happens when companies are too small to have any information security professionals or the professional has not yet been able to implement a program.
The second scenario is when a company has a vendor risk management program, but vendors still “slip through the cracks” for a number of reasons. In this scenario, “Shadow IT” (or let’s call it “Shadow Buying”) is usually the main culprit, and it is more prevalent than ever with the advent and availability of thousands of SaaS products that are tailored to specific lines of business and incredibly easy to purchase and deploy (I’m not even including the world of app stores – which gets its own blog post).
I expanded the phrase to “Shadow Buying” because this can happen heavily throughout the organization and does not necessarily involve the purchase of IT products. Law firms, tax consultants and even managed security providers will often escape the lens of a security assessment.
What is needed to ensure that vendors undergo proper scrutiny?
Information security expertise is a must, as you will need someone who can evaluate a vendor’s security posture. But just as important is buy-in from the Executive Team that vendor risk is a priority and that this function can scrutinize every vendor PRIOR to purchase. In companies both newer and seasoned, this can be a difficult pill to swallow.
New companies want to be fast and nimble, buying products and services that can help them reach their strategic initiatives quickly. More seasoned organizations have a habit of doing things that have worked in the past and only changing when absolutely necessary.
But with any initiative where the goal is to reduce risk, and especially strategic risk, there will be some sort of necessary trade-off. Unless you have support all the way from the top of the organization, it will be difficult to implement an effective vendor risk management program.