Sean Todd

Vendor Risk Control


Vendor management is at its heart a means of accounting for and controlling third-party (and even fourth-party) risks to your organization. I’ll be using the shorthand TPRM for third-party risk management throughout this article. Third-party risk has become a very important topic because it sits at the core of many data breaches. Back in 2014, Target suffered a massive data breach because an HVAC vendor didn’t have their security program together. More recently, Okta’s breaches this year affected their customers and severely hurt their reputation.

Starting a TPRM Program

Step zero for setting up a TPRM program is to do a risk assessment of your own organization. Focus on which of your company’s assets are worth protecting. For a healthcare company it might be access to patient records, for a financial company it could be access to the money itself, for an R&D firm it could be access to the research pipeline, etc. All of this feeds into what matters most to you, how you grade your potential vendors based on risk, and which risk mitigation controls would be necessary to onboard particular vendors.

The next step in starting up this program is obviously to gather an accurate list of just who your vendors are. It seems like this might be as easy as going to accounting and asking who is sending you invoices, but it most definitely is not. Sometimes personnel will sign up for services on their own (referred to as shadow IT) and completely bypass the accounts payable department. For these you can use tools like Nudge or BetterCloud to discover SaaS tools you don’t know your coworkers are using. A side benefit of those discovery tools is that they can save you money by showing you which tools are over-licensed because fewer people than you thought use them.

Throughout this process, be sure to involve all possible stakeholders. Use something like the DACI or RACI frameworks to identify who needs to be involved in vendor management. It can go well beyond security and finance depending on your company. Many companies involve legal to ensure the company is sufficiently protected, some involve a compliance team to do OFAC checks on vendors, and others might involve a technical team if the vendor requires some sort of implementation. Whoever you involve, make sure that the process is transparent and fair. An easy way to sabotage good will towards your nascent program is to appear to play favorites for approving vendors.

How do you measure the risk?

You cannot properly address vendor risk without first measuring it. Some metrics are common across all companies, but many metrics and questions will be particular to your company and your industry. The easiest way to evaluate the risk of a vendor is by reviewing their certified audit reports against frameworks like SOC2, ISO27001, PCI-DSS, and others. While these frameworks are by no means a guarantee that the vendor is low risk, they can give you some assurance that the vendor understands the gravity of information security risk and that an independent body has reviewed their controls.

Another side of third-party risk involves how you intend to use the vendor. Imagine a vendor like Dropbox. If you are only using them to store marketing materials, their risk is low. However, if you were to store millions of documents containing sensitive customer data there (note: please don’t do that, there are better ways), that same vendor grows into a much larger risk. It is important to ask the person requesting the vendor how they intend to use the vendor now and in the future. Ask questions like:

  • What data will be stored with that vendor? How much of that data do you expect to store there over the next few years?

  • If this vendor were to have an outage, how would it impact the organization? How long of an outage could we withstand and how much of our data could they lose?

  • Are there alternatives we could use? Are there existing vendors who could fill the same need?

  • Do they have a reputation for resiliency and security? Are they willing to share their policies for continuity and the test results proving their capabilities?

  • Who in the company will have access to this vendor and what level of access will they have?

These questions are just the start of a long list of questions you could ask about each potential vendor. Be careful not to bombard each requestor with a million questions though; that is not a good way to win allies for your new program. Instead, first ask for the implementation and usage documents for the vendor (usually in the form of some project documents) and see if the answers to your questions are in there. If they aren’t, use this as an opportunity to work with the requestor to write more thorough project documents.

You can supplement the information you are getting with tools like SecurityScorecard to automatically gather risk-related data. Take the output from these tools with a grain of salt though. The information provided may not be 100% accurate due to their automated nature, and other information may be irrelevant to your evaluation. For example, the tool may identify issues with encryption on a company’s website, but if that encryption is just on the company’s marketing page it might not be an issue. Use tools like these as a bellwether: a collection of individual findings can point to a larger problem.

All these risk calculations should feed into a risk tier system for your vendors. These risk tiers can help to short-circuit some of the assessment steps. If the vendor is something as simple as a conference room you’re renting, you can put them in a low-risk tier and skip many of the steps. On the other end though, you need to have gating requirements that won’t let a vendor go below a certain tier. For example, if the loss of service from your infrastructure provider would devastate your business, then they should be in the highest risk tier you have. These tiers also feed into how often you need to re-evaluate each vendor.
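As an added illustration of the tiering and gating logic above (example code written for this edit, not a tool the author describes), the following Python scores a vendor on the usage questions, applies hard floors so a vendor can never land below a given tier, and derives the review cadence and the assessment steps that tier requires. The weights, the score thresholds, the floors for regulated data and admin access, and the six-month cadence for the top tier are all assumptions.

```python
# Vendor risk tiering with gating floors (added example, not the article's own tooling).
# Weights, thresholds and the per-tier review cadence are illustrative assumptions.
from dataclasses import dataclass
from enum import IntEnum

class Tier(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3
    CRITICAL = 4

# Assumed cadence: the article asks for at least annual reviews of the riskiest
# vendors and at least every two years for any ongoing relationship.
REVIEW_INTERVAL_MONTHS = {Tier.LOW: 24, Tier.MEDIUM: 24, Tier.HIGH: 12, Tier.CRITICAL: 6}

# Assumed weights for the usage questions asked of the requestor.
DATA_POINTS = {"none": 0, "public": 0, "internal": 1, "confidential": 3, "regulated": 5}
OUTAGE_POINTS = {"negligible": 0, "degraded": 1, "severe": 3, "devastating": 5}
ACCESS_POINTS = {"none": 0, "read": 1, "write": 2, "admin": 4}

@dataclass
class VendorProfile:
    name: str
    data_classification: str  # highest class of data stored with the vendor
    record_count: int         # volume expected over the next few years
    outage_impact: str        # effect on the organization if the vendor is down
    access_level: str         # access the vendor has into your environment
    has_audit_report: bool    # independent attestation such as SOC 2 or ISO 27001

def raw_score(v: VendorProfile) -> int:
    """Additive score driven by how the vendor will be used, not just who it is."""
    score = (DATA_POINTS[v.data_classification] + OUTAGE_POINTS[v.outage_impact]
             + ACCESS_POINTS[v.access_level])
    if v.record_count >= 100_000 and v.data_classification in ("confidential", "regulated"):
        score += 2  # the same vendor grows into a larger risk as sensitive volume grows
    if score > 0 and not v.has_audit_report:
        score += 1  # no independent review of controls adds uncertainty
    return score

def score_to_tier(score: int) -> Tier:
    if score <= 1:
        return Tier.LOW
    if score <= 4:
        return Tier.MEDIUM
    if score <= 8:
        return Tier.HIGH
    return Tier.CRITICAL

def gating_floor(v: VendorProfile) -> Tier:
    """Gating requirements: the vendor can never sit below this tier, whatever its score."""
    floor = Tier.LOW
    if v.outage_impact == "devastating":
        floor = max(floor, Tier.CRITICAL)  # e.g. the infrastructure provider
    if v.data_classification == "regulated":
        floor = max(floor, Tier.HIGH)      # assumption: regulated data never below HIGH
    if v.access_level == "admin":
        floor = max(floor, Tier.HIGH)      # assumption: admin access never below HIGH
    return floor

def assign_tier(v: VendorProfile) -> Tier:
    return max(score_to_tier(raw_score(v)), gating_floor(v))

def required_steps(tier: Tier) -> list:
    """Low tiers skip most steps; only the top tier gets a fourth-party review."""
    steps = ["inventory entry", "stakeholder sign-off"]
    if tier >= Tier.MEDIUM:
        steps += ["usage questionnaire", "audit report review"]
    if tier >= Tier.HIGH:
        steps += ["continuous monitoring", "off-boarding plan"]
    if tier >= Tier.CRITICAL:
        steps.append("fourth-party review")
    return steps

def assess(v: VendorProfile) -> dict:
    tier = assign_tier(v)
    return {"vendor": v.name, "tier": tier.name,
            "review_every_months": REVIEW_INTERVAL_MONTHS[tier], "steps": required_steps(tier)}

# Constructed sample vendors: a room rental that should short-circuit, and a DNS
# provider whose score alone says HIGH but whose outage impact gates it to CRITICAL.
SAMPLE_VENDORS = (
    VendorProfile("meeting room rental", "none", 0, "negligible", "none", False),
    VendorProfile("DNS provider", "none", 0, "devastating", "none", True),
)

if __name__ == "__main__":
    for vendor in SAMPLE_VENDORS:
        print(assess(vendor))
```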

Fourth-Party Risk

Over the last few years, it has become increasingly apparent that vendor risks go well beyond the companies you have a contract with. To pick on Okta again, their breach in January was due to one of their vendors. This ended up negatively affecting 366 Okta customers. Every company in the modern age is really an agglomeration of vendors. It’s turtles all the way down. Managing this risk is difficult for anyone who isn’t a Fortune 500 company because companies are reluctant to share who their vendors are. Adding fourth-party risk to your vendor management program can be a daunting task, so it is easiest to just look at your riskiest and most critical third parties. For those third parties, look at who their most critical vendors are. You may even find out that some of their vendors are also your own vendors, making the whole process much easier.

When evaluating your own vendors, prioritize those who are transparent about fourth-party risk. Vendors with good risk and security programs should have nothing to hide. If they are reluctant to hand over copies of that documentation, work to find a potential compromise, like audit reports showing that an independent body has evaluated their third-party risk program. You could also do a teleconference with your vendor so they can show you their processes and data without handing over actual copies of anything.

Continuous Monitoring

Just like everything else in information security, third-party risks are never static. Everything about a vendor can change rapidly, from how your organization uses the vendor to how their product evolves to how the threat landscape evolves around you. It is crucial that you re-evaluate your vendors regularly based on their risk tier. The frequency of these evaluations depends on your organization’s risk appetite, but I suggest no less frequent than annually for your riskiest vendors and no less than every two years for any ongoing vendor relationship. Think about how much your organization has evolved in the last two years and how your risk appetite has also changed; that same level of change is also likely to occur at your vendors.

While it is good to periodically re-evaluate your vendors, there is still a large risk of something changing for the worse between those reviews. Obviously no one has the resources to continuously look for issues with every vendor, so this is where we have to turn to services. Service providers like SecurityScorecard can look for changes in the external profile of your vendors and proactively alert you so you can dig into it more. There are also services like CybelAngel who can scan dark web forums and repositories for issues and alert you. The easiest and cheapest way I’ve found, though, is to join special interest groups and network with those people to hear good analyses of the latest security news. Your industry’s ISAC could fill this role, or services like Cybersecurity Collaborative or IANS could as well.

Marketing Your Company

The same process you use to evaluate your vendors can be turned around and used to present your hard work in security as a selling point for your company. Think about all the questions you are asking of your vendors and see if you have the same answers for your prospective clients. Is there a way to proactively answer those questions without disclosing confidential information? You should also look for tools to give your sales and marketing teams for referencing this information. The faster they can get this data in front of prospects, the stronger your company will look. The need for this is amplified in regulated spaces like healthcare and finance. You can show your sales prospects that they can save time and energy when doing their initial and ongoing due diligence efforts.

Parting Ways

No vendor relationship is going to last forever, so it is best to plan how you intend to off-board that vendor before the time comes. This may not be necessary for very low-risk vendors but is a must for your high-risk ones. Failure to manage this process could result in vendors having access to your systems well after the contract ends. I’ve seen companies outsource their IT functions only to have to spend years unwinding the hooks the vendor had into their systems. Had those companies planned ahead, the roll-off could have been much smoother.

To make this process easier, document more when you are evaluating the vendor and save all the project documents used during implementation. Ask yourself questions like these and see if they are documented, or better yet ask them during a re-evaluation and see if you can find the answers without difficulty:

  • What access does the vendor have? Be specific and note what environments they are in and what physical or virtual resources they can access.

  • What systems depend on this vendor? Modern infrastructure is a complex web of dependencies; pulling out this vendor may have unknown consequences down the line if not properly documented.

  • What is the time period needed for cancellation? Many contracts stipulate that you must let the vendor know 60 or 90 days in advance that you’re canceling.

  • Who are the stakeholders for this vendor in your organization?

  • Are there any bilateral agreements that need to be handled carefully?

Think through these questions and what you might add that could be specific to your organization and what questions could apply to different risk tiers in your vendor management program.

Sean Todd

Working With a Remote Team

Written in collaboration with Lauren Hasson, founder of DevelopHer.


The pandemic threw a spotlight on the benefits of having a remote-first or remote-friendly workplace, but managers often had no guidance for how to work with a dispersed team. It is important to enable remote-friendly workplaces because doing so can expand your talent pool and give your employees better job satisfaction through the flexibility to work in ways that are tailored to them.

Remote work can be a great equalizer for all sorts of employees. Those with disabilities, both visible and invisible, get a chance to have equal footing with their peers because they are judged more on their work output and not on how they present themselves in the office. They also have the chance to build a workspace that suits their needs. It can also help employees who care for someone else, whether it is children or other family members with needs. So many of these groups have felt excluded from traditional workspaces, but they have a wealth of knowledge and abilities ready to be tapped.

Sean has been managing remote teams for around seven years (long before the pandemic) and Lauren has done the same for nearly ten years. We have found a few ways to help your chances of success in building a remote-friendly team.

Communicate Often with Clarity

In an office, it is easy to bump into a teammate and get a brief update on what they are working on. Remote work obviously doesn’t afford you the same opportunities as easily. Remember that over-communication is better than under-communication. You need to be deliberate about checking in with your teammates to quickly course correct if necessary. This doesn’t have to take the form of daily meetings. I’ve had success with asking people to update work tickets a few times a week with their progress. The manager can then review those notes at their own pace. In doing this, be careful to not come across as micromanaging your employees. They’re adults, not high school students.

Clarity in goals, milestones, and responsibilities is vital for a remote team to function well. Work with your project managers to utilize all the tools at your disposal for planning out what your teammates will be working on. Whether it is you as the manager writing out the requirements or the individual contributor writing the same, it needs to be clear. You won’t have as much of a chance for random interactions to ask and answer questions about the work as you would in an office.

Timely and tailored feedback will make a world of difference to a remote-first team. Keep in mind that not everyone is going to have the same communication style, so you’ll need to work closely with your teammates to understand their preferred methods. Some people may prefer ad hoc communication over something like Slack versus others who prefer a more structured manner in ticketing platforms like JIRA. If one of your teammates seems to be frustrated with you often, ask them if they prefer a different means of receiving feedback and updates. And whatever you do, be empathetic. Understand that there is a human on the other end and understand how your message will be received. Remember that as a manager, you are a source of authority who can unintentionally provoke anxiety in your teammates.

Social Cohesion

Cultivating a remote culture has to be intentional. The social cohesion and culture that naturally occur in an office don’t happen in a remote-first environment. It is even harder in a hybrid situation, where those who are remote can feel excluded from the activities and social scene in an office. Hybrid teams do better when those in the office intentionally include their remote teammates. Be sure to memorialize all in-office conversations for the remote folks.

Going out for a monthly team lunch isn’t an option for a geographically dispersed team, but virtual lunches are. It can be a bit awkward for a team that spans time zones, but it is still doable. It can also help people with dietary restrictions feel included in group activities. Anyone with food allergies can just order from their favorite local restaurant whatever suits their needs. Use these team lunches to let your team talk about fun things they are doing outside of work. I have one person on my team who loves to talk about his radio frequency projects and it is something that is interesting to almost everyone in the group. Another member of my team can always entertain the group talking about her work in fire spinning (look it up, it is quite amazing). All of this goes to show that you can have social interactions in a remote team, but you need to be intentional about it.

Celebrating your team’s successes needs to be intentional and common for a remote team. It is easy for remote employees to lose sight of the progress they have made. As a manager, you need to remind everyone on the team of their achievements. This does not need to be an overwrought display; it can be as simple as calling out someone’s success in a team meeting or expressing your gratitude in whatever messaging platform your team uses. The achievements don’t just have to be professional either. You can celebrate your team’s personal successes. I have a teammate who trains dogs for national shows and we celebrate her wins in our team channels.

Make it Personal

Just like everything else about managing a remote team, you must be intentional about getting to know your team. We have found it fun to introduce icebreaker questions into team meetings. These icebreakers are a great way, over time, to get to know who you are working with. You can ask questions like:

  • Where would you go on your dream vacation?

  • What is your favorite food?

  • If you were reborn as an animal, what would it be?

Solicit questions from your team. It will help them feel included in the team building process and create a sense of investment in the success of your remote-first culture.

One huge benefit of the quarantine we all went through is that it spurred creators to set up virtual experiences. Airbnb is a great resource for online experiences you can book for your team. My team has done virtual safari tours, a cooking class hosted by an Italian nonna (live from Italy), walking tours of Venice, and more. They offer a breadth of experiences you might never have in person. Best of all, they’re cheap! You can usually book experiences for a team of 10 for under $300. These experiences will give your team something mutual to talk about for weeks after the event is over.

Your team events also don’t have to be for work-related successes. We’ve thrown remote parties for birthdays, baby showers, celebrating personal achievements, etc. Remember that you are working with people who have big life events worth celebrating.

Work-Life Balance

When working from home, the lines between personal and work lives become blurred. Burnout can easily creep up if employees are checking messages at all hours of the day and night or if they feel they need to respond to every message within minutes regardless of the time of day. Encourage your teammates to sign off at the end of the day and mute their work notifications. If you see them answer emails and other messages after hours, remind them that the work will still be there tomorrow. Modern devices and messaging platforms all have the ability to schedule do-not-disturb hours and your team should be using them. There’s a time and place for working extended hours, but that can’t be a constant state.

A great benefit to working remotely is that people can have better familial connections. If a parent needs to take a small break to go pick up their kid from school, let them. If a teammate needs to take an hour for a doctor appointment, let them. These are great opportunities to show your teammates that you see them as people and not just workers.

Sean Todd

Measuring and Assessing Information Security Risk

At its heart, information security is the art of ameliorating risks to the information assets of an organization. Just like other functions of every organization, information security risks can never be fully mitigated while still keeping everything functioning. That means one must have the ability to assess the risks and prioritize them.

What is an information security risk?

Risks are simply the calculation of the likelihood of a threat or vulnerability being exploited and the adverse impact such an exploitation would have on the business. These threats and vulnerabilities do not need to be tied to any technical weaknesses; they could be threats against the company’s reputation, the safety of its personnel or customers, the ability to achieve company goals, etc. But for the purposes of this article, we’ll focus on technical risks to information since those are more straightforward to demonstrate and are where my expertise lies.

Every organization is different and therefore has a different risk profile. The best place to start is by identifying the critical assets and processes. You should also look at past incidents that occurred at your organization and similar organizations. Those past incidents can illuminate vulnerabilities which could lead to threats against your critical assets. A recent Microsoft breach is a scary example showing how layered vulnerabilities and lower priority systems can lead to a critical breach. Risk assessments cannot ignore these seemingly innocuous issues.

Once an organization has identified the critical assets to protect, you need to identify the threats against those assets. Threats can be internal or external, and purposeful or accidental. Someone within the organization accidentally posting a sensitive file to the wrong data store is still a risk even though it is both internal and accidental.

For nearly all risks, the organization should do a root cause analysis (RCA) to ensure the strategy for dealing with it addresses the right issues. There are several RCA methodologies to choose from:

  • Five Whys - this is an informal, interrogative method. You ask why a problem has occurred and continue asking that why question for each subsequent answer. Eventually you will get to a root cause that needs to be addressed. The main issue with this method is its lack of structure. Without structure, it can be difficult to assess how the whole environment affects that risk.

  • Ishikawa Fishbone - this is a more structured approach asking how six different categories affect the cause of an event. Having those predefined categories to assess against along with the visual diagram can help all stakeholders understand the complex nature of your risk.

There are other methodologies but those are the ones I’ve found to be most useful for information security. An RCA can also feed into a corrective and preventative action (CAPA) plan. Not every risk needs something so formal, but for critical risks to the company a CAPA can ensure that the risk doesn’t reappear.

Quantitative vs. Qualitative

There are two ways of measuring risks: qualitative or quantitative. Qualitative is the easiest to approach and can be as simple as t-shirt sizing risks to the organization (small, medium, large, etc.). Quantitative is much more work to achieve but can yield precise results for high priority risks and will help in demonstrating the value of remediation versus acceptance.

The first step in performing a qualitative risk assessment is to determine which framework to use, or whether you even want to use one at all. There are three major risk management frameworks you can work from:

  • COSO ERM - This is a widely used risk management framework that can be used to manage all types of risk including cybersecurity, financial, and operational risks.

  • ISO31000 - This is a family of standards aimed at organizations of all sizes. It treats risk management as an ongoing and integrated process which is tailored to the needs of each organization.

  • NIST CSF - This framework is specifically designed to protect information systems. It includes a detailed, seven-step process for evaluating, managing, and monitoring risks.

If you are starting fresh at your organization or your organization is very small, I would suggest initially taking an informal route. Once you have the lay of the land you can determine what framework is best for you. If you know your issues are going to be purely technical, you can also do a simple gap assessment against something like CIS to point you in the right direction.

Quantitative risk assessments are complex and time-consuming, so they should be reserved for only the most critical risks. Look for assets that your organization cannot be without; those are generally the easiest to calculate a quantitative risk for. You need to be able to calculate the probability of exploitation of the risk (usually shown as the likelihood of it occurring annually), the value of the affected asset to the organization, and the cost to clean up the incident. One method of doing this is Monte Carlo simulation, which generates a set of random samples of outcomes against which you can calculate the risk to the organization.
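An added worked example of the quantitative approach just described (not from the original article): a Monte Carlo simulation in Python that samples the annual likelihood, the asset value at stake and the cleanup cost from estimated ranges, reports the resulting loss distribution, and compares remediation against acceptance by netting the avoided loss against a control’s cost. All ranges, monetary figures and the hypothetical control are constructed for illustration.

```python
# Monte Carlo estimate of annualized loss for one critical risk (added example).
# All ranges and costs below are constructed illustrations, not figures from the article.
import random
import statistics
from dataclasses import dataclass

@dataclass
class Estimate:
    """Minimum, most likely and maximum guess, sampled from a triangular distribution."""
    low: float
    mode: float
    high: float

    def sample(self, rng: random.Random) -> float:
        return rng.triangular(self.low, self.high, self.mode)

@dataclass
class RiskModel:
    annual_probability: Estimate  # likelihood the risk is exploited in a given year
    asset_loss: Estimate          # value of the affected asset lost per incident
    cleanup_cost: Estimate        # response, recovery and notification cost per incident

def simulate(model: RiskModel, years: int = 10_000, seed: int = 42) -> list:
    """One simulated annual loss per trial year; 0.0 in years with no incident."""
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    losses = []
    for _ in range(years):
        if rng.random() < model.annual_probability.sample(rng):
            losses.append(model.asset_loss.sample(rng) + model.cleanup_cost.sample(rng))
        else:
            losses.append(0.0)
    return losses

def summarize(losses: list) -> dict:
    """Expected annual loss plus the tail figures leadership usually asks about."""
    ordered = sorted(losses)
    n = len(ordered)
    return {
        "expected_annual_loss": statistics.fmean(ordered),
        "p90_annual_loss": ordered[int(0.90 * (n - 1))],  # a "bad year"
        "p99_annual_loss": ordered[int(0.99 * (n - 1))],  # a "very bad year"
        "share_of_years_with_incident": sum(1 for x in ordered if x > 0) / n,
    }

def mitigation_value(before: RiskModel, after: RiskModel, annual_control_cost: float,
                     years: int = 10_000, seed: int = 42) -> float:
    """Expected annual loss avoided by the control minus its cost (positive = worth doing)."""
    eal_before = summarize(simulate(before, years, seed))["expected_annual_loss"]
    eal_after = summarize(simulate(after, years, seed))["expected_annual_loss"]
    return eal_before - eal_after - annual_control_cost

# Constructed scenario: compromise of a customer database the business cannot run without.
CUSTOMER_DB_RISK = RiskModel(
    annual_probability=Estimate(0.05, 0.10, 0.15),
    asset_loss=Estimate(200_000, 500_000, 2_000_000),
    cleanup_cost=Estimate(100_000, 300_000, 800_000),
)
# The same scenario after a hypothetical control (say, phishing-resistant MFA plus
# segmentation) that is assumed to cut the annual likelihood; impact per incident is unchanged.
CUSTOMER_DB_RISK_MITIGATED = RiskModel(
    annual_probability=Estimate(0.01, 0.02, 0.05),
    asset_loss=CUSTOMER_DB_RISK.asset_loss,
    cleanup_cost=CUSTOMER_DB_RISK.cleanup_cost,
)
ANNUAL_CONTROL_COST = 40_000.0  # constructed yearly cost of running the control

if __name__ == "__main__":
    for key, value in summarize(simulate(CUSTOMER_DB_RISK)).items():
        print(f"{key}: {value:,.2f}")
    net = mitigation_value(CUSTOMER_DB_RISK, CUSTOMER_DB_RISK_MITIGATED, ANNUAL_CONTROL_COST)
    print(f"net annual value of the control: {net:,.0f}")
```

Because every input is a range rather than a point estimate, the same model also shows how much of the answer is uncertainty; widening the ranges and re-running is a quick way to see which estimate deserves more research.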

Prioritizing Risks

Whether you have a subjective or objective rating for your risks, you will always have more than you can mitigate. It is up to senior leadership to set the risk tolerance for the organization. That risk tolerance will determine which risks are mitigated, which are accepted, which are transferred, and which are avoided. Before we can assess a risk against the risk tolerance though, we need several key data points: the likelihood of exploitation; the adverse impact to the organization if it were exploited; the cost to mitigate, transfer, or avoid the risk; any regulatory requirements pertaining to the risk; and the adverse impact the exploit would have on the organization’s reputation.

It can be easy for an organization to ignore risks with a low likelihood of exploitation, but it is possible that the reputation hit for it happening could push the organization to remediate. You also don’t have to fully remediate every risk. With most threats there are ways of bringing the risk down to a tolerable level. For example, passwords are going away in favor of other authentication methods to prevent account takeover attacks. Those other authentication methods do not fully prevent account takeover attacks, but they can (if implemented properly) lower the risk to a level the organization can tolerate. Going one layer deeper, it is important to take into account what the organization is protecting with each account to determine the necessary level of authentication security (an email account will need less security than access to a database with credit card data, etc.).

Continual Assessments

The risk assessment process really never ends. An organization’s risk profile will evolve over time through means such as:

  • Changes in the technology powering the organization,

  • Outside threat groups finding new ways to exploit existing technology,

  • Changes in regulatory or contractual obligations, or

  • New priorities pushing the organization to reassess its risk tolerances.

The best way to react to changes like those is to have monitoring controls in place. For example, you can watch for changes in outside threat groups by joining relevant interest groups such as your industry’s ISAC, and you can catch changes in technology by integrating the risk process into the technology delivery processes.

That last point is crucial to having a healthy risk management program. You need to integrate risk management into all processes in your organization. Teach all members of your organization how to think about the work they are doing through a risk lens. We all can have an impact on the risk profile of our organizations.
