Supplier and vendor risk management has become a regular boardroom discussion point over the last 12 months following a string of high-profile supply chain attacks. Software vendors are an important element of the supply chain, so IT teams have been looking to refine and improve their approach to mitigating risk in this area. We all want fruitful relationships with our software vendors, but how do we maintain these partnerships whilst doing the due diligence needed to ensure they aren’t exposing our organization to an unreasonable level of vulnerability?
In this piece, I’ll explain how to achieve a middle ground between harshly vilifying a vendor over supply chain security and the problems that can arise from not scrutinizing them enough. I believe there are several ways security teams can build trusted, collaborative relationships with vendors that will benefit both partners in the long term. Here’s how:
Stop ignoring data
Although IT teams are surrounded by data, the underlying issue is that organizations are not using it to make effective decisions about third-party software or to understand the risks in their supply chain.
For example, when organizations evaluate their suppliers’ security posture for vulnerabilities that may also affect them, they often turn to Extended Enterprise Risk Management (EERM) or Third-Party Risk Management (TPRM). Although these are sensible steps, they rarely use data as fully as they could, so IT risk management remains immature in how it applies data. For too long, software has been accepted into non-production and production environments without data-driven judgments on risk beyond basic security or User Acceptance Testing.
I will explore the dangers in neglecting data in this process and how businesses can take steps towards change to build and better utilize their software vendor relationships.
Don’t confuse issues with risks
When it comes to supply chain security, many organizations confuse ‘issues’ with ‘risks’ – often focusing on less important ‘risks’ for emotional reasons, rather than using data to inform their thinking.
We define issues as compromised software, software supply chains or tool chains – actual problems that teams are having to deal with. Sadly, organizations often lack the platform or the data to manage these issues quickly.
As you might expect, risk refers to the chance of something happening rather than an existing problem. My colleague and Tanium’s CISO, Chris Hodson, has written a book on this, but in a nutshell:
Risk = Impact x Likelihood
It’s important to look at the bigger picture when assessing risks and consider the impact and likelihood of these when it comes to software vendors:
- Which vendors are most critical to my operations?
- Where are vendors in my environment (installed software)?
- Who has access to what parts of my environment (3rd party user access)?
- When has risk and security been considered (proactive DevSecOps vs manual stage gates)?
- What am I rationally worried about vs emotionally worried about?
- What data do I have to help me answer these questions?
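As an added illustration (not code from the article or from Tanium), the formula above applied to the questions in that list: a constructed software inventory and set of vendor facts are scored for impact (which hosts the vendor’s software sits on, whether the vendor holds its own access) and likelihood (observed patch lag), then ranked. The tier weights, the patch-lag thresholds and all the sample data are assumptions made for the example.

```python
# Constructed sample inventory (not real data): (vendor, host, host_tier),
# where host_tier 1 = business-critical and 3 = low value.
INVENTORY = [
    ("AcmeBackup", "db-prod-01", 1),
    ("AcmeBackup", "db-prod-02", 1),
    ("AcmeBackup", "dev-build-07", 3),
    ("WidgetChat", "laptop-112", 3),
    ("WidgetChat", "laptop-113", 3),
    ("CoreAuthCo", "idp-prod-01", 1),
]

# Constructed vendor facts: third-party access into our estate, and how many
# days behind the current release the deployed software is observed to be.
VENDOR_FACTS = {
    "AcmeBackup": {"remote_access": True, "patch_lag_days": 45},
    "WidgetChat": {"remote_access": False, "patch_lag_days": 10},
    "CoreAuthCo": {"remote_access": True, "patch_lag_days": 5},
}

TIER_WEIGHT = {1: 5, 2: 3, 3: 1}  # assumed mapping of host tier to impact points


def impact_score(vendor):
    """Impact 1-5: the most critical host the vendor's software is installed on,
    raised by one (capped at 5) if the vendor also has access into the estate."""
    tiers = [tier for v, _host, tier in INVENTORY if v == vendor]
    score = max((TIER_WEIGHT[t] for t in tiers), default=1)
    if VENDOR_FACTS[vendor]["remote_access"]:
        score = min(5, score + 1)
    return score


def likelihood_score(vendor):
    """Likelihood 1-5 from observed patch lag (assumed thresholds)."""
    lag = VENDOR_FACTS[vendor]["patch_lag_days"]
    return 1 if lag <= 14 else 3 if lag <= 30 else 5


def rank_vendors():
    """Return (vendor, impact, likelihood, risk) rows, highest risk first."""
    rows = []
    for vendor in VENDOR_FACTS:
        impact, likelihood = impact_score(vendor), likelihood_score(vendor)
        rows.append((vendor, impact, likelihood, impact * likelihood))
    return sorted(rows, key=lambda r: r[3], reverse=True)


if __name__ == "__main__":
    for vendor, impact, likelihood, risk in rank_vendors():
        print(f"{vendor:12} impact={impact} likelihood={likelihood} risk={risk}")
```

Note that the vendor with the widest critical footprint and slowest patching ranks first regardless of brand reputation, which is the point of answering these questions with data rather than emotion.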
Take time to fully assess risk from the start
Unfortunately, it’s rare that organizations have answers to all the above questions when they begin working with a supplier – or that the questions are even asked in the first place.
IT teams are often so focused on rolling out the latest big initiative, such as Zero Trust architectures for user access or leveraging cloud platforms to drive digital engagement, for example, that they don’t take the time to properly assess vendor risk.
Instead, they often misplace a huge amount of trust in software vendors. This trust is often based on brand reputation – i.e. “they have never been breached” or “they tell me they spend billions on security, so they must be secure”.
IT teams instead need to ask themselves questions such as: do I really know how well our suppliers manage their operations, including areas like patching? How can we tell how much technical debt they are carrying? Is the vendor that was breached three years ago (and then invested heavily in improving their maturity) less of a risk than a vendor that has never had a publicly disclosed breach?
Get your key vendor principles in order
Once these questions have been answered – using data – and a new vendor relationship has begun, businesses on both sides of the fence should work together to set the foundations for a productive relationship.
Whilst this is not definitive, here are some principles I have seen work well as part of a healthy vendor relationship:
- Seek to build strategic, long-term relationships
- Collaborate for best results
- Be open to learning and (appropriate) knowledge sharing
- Empathise and seek to understand the other side and what is driving their behavior
- Work with the best, not just the cheapest – and collaborate with procurement to do so
- Be appropriately ‘commercially savvy’
- Trust, but verify (check for red flags)
When working with a vendor, it’s all about balance: sharing too little doesn’t help to build a shared understanding, whereas over-sharing can breach confidentiality or NDAs. To build healthy vendor relationships, it can be useful for IT teams to have a basic understanding of negotiation tactics. This can help them to see ‘the other side of the equation’ when having conversations with suppliers, which then allows them to find solutions that are mutually beneficial for all parties.
Ultimately, organizations need to quickly re-evaluate how they analyze vendor risks. They should use data to protect themselves against future supply chain issues. In a world where high-profile supplier breaches have pushed the topic of supplier risk management high up the boardroom priority list, this has never been more important.
Oliver Cronk is the Chief IT Architect, EMEA, Tanium