Supplier Security Governance: A risk and business-centric approach
The link opens a PDF of slides from a presentation I recently gave to Manchester University IT Governance and Computer Science masters students.
It represents a high-level view of the justifications, practical risk-based guidance, and desired outcomes for a holistic approach to governing information security for third parties: an approach that scales from startups determined to begin with good security practice to corporates who decide it’s high time to backfill the required controls.
The plan is to twin these slides (geared to a non-specialist audience) with words to demonstrate the depth and strength hidden behind apparent simplicity.
The Business Case Underlined
The timing of sharing this is fortuitously linked to this article by James Christiansen, Vice President of Information Risk Management at Optiv. Below is an excerpt, but overall this excellent piece represents a reality I have been passionately championing with businesses and peers for a number of years.
“Third-party risk management is not just an IT function. CSOs who “own” risk management must elevate their sights beyond their department to understand the full scope of their new role. The increasing investment in mission-critical applications by departments outside of IT—so-called shadow IT—is making the problem worse. If you don’t know about it, you can’t manage it.
Of the…thousands of vendors, partners, and contractors an organization works with, only a small percentage are within IT. There are, in fact, many others—HVAC suppliers, custodial, electricians, maintenance, and so on—that all have to be accounted for. We know too well how devastating it can be to overlook seemingly innocuous vendors.
…CSOs need to meet the challenge of third-party risk management head on. It’s time to execute on a larger risk strategy: managing the risk posture for your organization. This job is bigger than any single department—for any single company, in fact. Security and risk professionals across all industries must unite, accept standardized security assessment reports, and create innovative solutions to address the growing threat of vendor risk.”
I couldn’t feasibly agree more.