Traditionally, IT staff have dealt with regulatory organizations that police their respective industries, whether federal agencies or professional associations.
Healthcare firms must achieve HIPAA HITECH compliance, or run afoul of the Department of Health and Human Services. Retailers must meet the PCI DSS standards as set by a professional association of the major card vendors for handling payment card information. And these regulatory requirements flow through the supply chain. Medical transcriptionists and remote diagnostics labs working for hospitals are bound by HIPAA; retail suppliers and manufacturers may face PCI controls if they handle cardholder data.
The growth of cybercrime as a serious business risk, however, has led to the emergence of a new kind of compliance enforcer: the vendor risk management departments of large organizations.
Cybercriminals often target large organizations through their third-party contractors, which has led to major breaches such as the one that occurred with Target and its HVAC vendor. Now, large enterprises are finally responding to this problem.
Securing Data up and down the Supply Chain
Since no business is a vacuum, many businesses regularly partner with much larger organizations throughout their industry and its supply chain. These partnerships require both parties to share sensitive digital information, which inherently increases security risk. Therefore, businesses need to implement strategies to mitigate that risk. That’s why vendor risk management programs continue to gain traction.
These programs are often instituted by an enterprise’s internal team, which develops a set of cybersecurity requirements that it mandates its partners follow. This means that companies wishing to work with the organization must willingly submit to an audit by the organization’s risk management team. Failure to do so or an inability to pass the audit results in a firm losing out on the contract.
Some requirements imposed by vendor risk management teams are basic: passwords and patching. Some, however, are harder to achieve: 24×7 monitoring, log access and retention. Yet, such sophisticated requirements are already found in standard 3rd-party audit frameworks, such as NIST Common Security Framework or ISO 270001 (A.12.4).
An Added Security Challenge for Small Enterprises
These added requirements bring an entirely new compliance challenge to businesses if they want to grow by partnering with leading organizations. In order to be certified as a legitimate vendor, their IT staff now has to jump through a whole new set of hoops, which can be costly both in terms of budget and time. Complying with vendor risk management programs represents a heavy new burden on IT for three specific reasons:
- Vendor risk management teams are a brand new “regulator”
- Even a small organization can face many overlapping or contradictory regulations
- It’s impossible to prepare for these requirements until a partnership is underway
Since each enterprise has its own specific requirements, it makes vendor risk management compliance uniquely challenging for smaller organizations. With federal and industry regulations, the same requirements apply to any and all organizations. And the regulations are transparent, so companies know exactly what preparation is needed to satisfy them, including what new security products and services to adopt. That’s not the case for corporate vendor risk management practices.
While many programs have similar requirements around universally-accepted commonsense cybersecurity policies, there are always differences between them. Each bank, each Fortune 500 enterprise, has its own vendor risk management team with its own requirements, expectations and policies.
Unfortunately, unlike federal and industry regulations, these vendor management teams do not publicize their requirements. That makes it especially tricky for organizations with IT teams that lack security expertise and the more advanced security technologies that large enterprises enjoy.
Managed Detection and Response as the Solution
Although the stringent security demands of these corporations can be quite a challenge, it’s possible for smaller organizations to still meet them without ransacking their IT budgets.
Today, many companies are turning to managed security approaches such as managed detection and response (MDR) solutions. MDR services offer key features, like 24×7 monitoring and log management that vendor management teams typically require. And the best MDR vendors provide access to skilled security experts who can help IT teams navigate the minefield of requirements laid down by vendor management teams.
Taking this approach, growing companies not only step up their security posture and better protect their assets, but also enable their organizations to succeed in key partnerships where vendor risk management is a make-or-break proposition.