IT risks abound when it comes to risk management, especially when outside vendors get thrown into the mix.
The Strategic Sourceror has identified three trends in terms of IT vendor security: integrating new tech too quickly, issues with prioritizing data, and internal threats.
We have addressed internal threats elsewhere, and we acknowledge bulk data processing is an ongoing challenge, but we remain far more concerned about the first issue: integrating new technology. Problems arising from integrating quickly changing technology and upgrades are a risk management issue we see repeatedly, especially when it comes to vendor management and onboarding new vendors.
A recent report from MAPI, the Manufacturing Alliance, found that “rapid adoption of sensor technology, smart products, and Internet of Things (IoT) strategies” can also rapidly increase the problems of fast adoption, as can “so-called industry 4.0 digital manufacturing opportunities and increased interconnectivity of the industrial ecosystem, offering bad guys a wider target to hack.”
A McKinsey and Company report estimates that IoT’s international economic impact will hit $11 trillion by 2025.
“Nearly 70 percent of the projected economic value will eventually come from the use of sensor technology and swarm intelligence among B2B users,” McKinsey notes.
Whether it’s employees tapping into their personal technology while onsite, or vendors who are increasingly relying on smart systems to bring their services to market, the fast-changing nature of these technologies means that keeping track of all potential security risks requires added attention to detail.
Are vendors applying change management best practices, along with risk management best practices, from every overseas fiber-optic connection to every sensor on a package that crosses an ocean? Are they doing so with every systematic software upgrade or shift in service provider?
Annual reviews don’t cut it anymore, not when changes and additions to networks can increase weekly.
“Products, services and suppliers undergo near constant change,” notes our white paper, “The Case for the Vendor Management Office.” “Products are updated, services change with contract modifications and key members of vendor corporations turn over.”
But that’s just one part of the risk management challenge when it comes to vendors.
“As vendors make deals with their suppliers or undergo mergers, acquisitions and divestitures, the risk profile they bring to your agency changes,” the paper notes.
We’ve found that creating a Vendor Management Office (VMO) to serve as a traffic cop for vetting and managing outside vendors can go a long way in mitigating this risk. A dedicated office can not only vet potential vendors, but keep a close eye on their changes through continuous monitoring, and keep active lines of communication open.
A VMO can vet vendor applications, with a focus on the risk side of supply chain management, as well as monitor any changes with current vendors at every stage of the process. This takes the pressure off the Chief Information Security Officer (CISO), Chief Risk Officer (CRO) or other C-suite offices, and places it in the hands of experts who understand the challenges and can vet, track, update and manage these convoluted systems, as well as their myriad system changes.