Governance, Risk & Compliance: GRC
The Power Behind Integrating Vendor Risk, Cybersecurity and Business Resilience
By connecting vendor risk management, cybersecurity and business continuity, an organization can develop the business resilience needed to meet the increasing threats of cyber disruption.
Integrating risk for business resilience makes business sense today. Apple, Meta and Twitter have all been hit by cybersecurity attacks in 2022 and 2023. Don’t think for a moment that your organization is uninteresting to cybercriminals. No business is too small, too unimportant or too irrelevant to be a target. Breaches pose an ever-growing risk for all businesses, and failure to respond urgently and transparently to a data breach can have dire consequences.
The full financial impact a data breach can have on an organization’s bottom line can be devastating. Aside from expensive technical investigations and regulatory filings, a breach also includes hidden costs such as lost business, negative impact on reputation, and employee time spent on recovery.
According to an IBM data breach report, for the twelfth year in a row the United States holds the title for the highest cost of a data breach: USD 9.44 million versus USD 4.35 million for the global average. In 2022, it took an average of 277 days to identify and contain a breach.
Today, business continuity planning is a key component of an organization’s arsenal to build cyber resilience. But it takes collaborative strategies to mitigate cyberattacks and ensure a fast recovery.
Breaches originating from a third-party vendor can cost organizations hundreds of thousands of dollars per breach. Very few businesses operate independently, opting instead for an outsourcing model where multiple vendors contribute to the process of bringing products and services to market. It’s a great business model that enables organizations to concentrate on their core capabilities, but it can also create a series of security gaps.
Connecting the dots between risk areas for integrated risk management
Corporate lines blur when it comes to cybersecurity matters – with risk management, crisis management, business continuity and disaster recovery often intersecting. Areas such as vendor risk and cybersecurity risk are typically handled in silos, which can create cracks in an organization’s armor. Although it’s difficult for organizations to calibrate all of these different functions, the recent wave of cyber breaches has become a game-changer for risk management. And business continuity planning has captured the attention of boards.
Business continuity management (BCM), which has deep roots in developing plans to keep organizations running during and after natural disasters, crisis situations and pandemics, has grown and developed to cover a wide range of threats to resilience. It is important for organizations to connect the dots between vendor continuity management (VCM), cybersecurity, and business continuity to minimize risk for their customers and business, and to improve their overall resilience.
But why is VCM so important for resilience? Well, vendors provide an “entry point” to processes, technology, products, and services. This opens multiple access points that need to be carefully reviewed and managed. When a consumer uses an organization’s services, they trust that organization to choose partners that will keep their data safe.
Then there are demands from the digital economy. Organizations must contend with real-time, free-flowing information between vendors and other partners that are susceptible to business interruption.
When talking about resilience, it is important to consider reputation. When it comes to a company’s public image, social media can either be their best friend or their worst enemy. Hence, how an organization responds to a vendor incident will determine its reputation as well as impact the potential for fines and legal action.
Customers “vote with their feet” and often stop doing business with a company that’s suffered a breach. Data security is more than just a compliance issue; it is also one of trust and reputation.
Digging deeper to understand the correlation between risk and resilience
An organization can have dozens of vendors that it regularly does business with; however, not all of their functions are equal, and not all vendors are critical to an organization’s recovery. To determine which are most critical, a vendor impact assessment (VIA) should be performed first.
Just as BCM encapsulates risk assessments, maps critical processes to people and assets, and conducts business impact assessments (BIA), a VIA extends these practices to third- and fourth-party suppliers, partners, and contractors. If a vendor is not critical to recovery, they may have different standards to adhere to, if any at all.
Rank vendors based on criticality
Some organizations can literally have thousands of vendors. Ranking these vendors into tiers based on their criticality to recovery saves the VCM team substantial time and effort. Understanding the impact a vendor has on an organization’s ability to recover is essential, and a point rating system provides a clear metric to measure vendor relevance.
When it comes to evaluating a vendor, organizations should focus on two fronts: the maturity and effectiveness of the vendor’s cybersecurity practices and the vendor’s ability to recover from an incident and continue to provide products and services to critical processes.
When assessing vendor risk, information security is at the forefront of the mind of most organizations. For example, an IT shared-services unit may rely on an external vendor for hosting or cloud services. The IT unit requires that cloud vendor to be available and online for critical applications, so this vendor takes precedence as a critical, or tier 1, vendor for contingency planning and recovery.
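As an added illustration of the tiering and point-rating approach described above (example code written for this page, not taken from the article or any vendor tool), the script below scores constructed sample vendors on the two fronts the text names, cybersecurity maturity and recovery capability, combines them with VIA-style impact inputs, and assigns tiers. The point values, thresholds and the four sample vendors are assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Constructed sample data and a hypothetical scoring scheme: the point values,
# tier thresholds and vendor records below are assumptions for illustration,
# not figures from the article or from any standard.


@dataclass(frozen=True)
class VendorAssessment:
    name: str
    supports_critical_process: bool   # from the VIA: does a critical process depend on the vendor?
    max_tolerable_outage_hours: int   # from the BIA of the dependent process
    handles_customer_data: bool       # the vendor is an entry point to customer data
    security_maturity: int            # front 1: cyber practices, 1 (ad hoc) .. 5 (mature)
    recovery_capability: int          # front 2: ability to recover, 1 (none) .. 5 (tested, proven)


def impact_score(v: VendorAssessment) -> int:
    """Points (0..100) for how much the vendor matters to the organization's recovery."""
    score = 0
    if v.supports_critical_process:
        score += 50
    if v.max_tolerable_outage_hours <= 24:
        score += 30
    elif v.max_tolerable_outage_hours <= 72:
        score += 15
    if v.handles_customer_data:
        score += 20
    return score


def control_gap(v: VendorAssessment) -> float:
    """0.0 (both fronts fully mature) .. 1.0 (no meaningful controls on either front)."""
    for rating in (v.security_maturity, v.recovery_capability):
        if not 1 <= rating <= 5:
            raise ValueError(f"{v.name}: ratings must be 1..5, got {rating}")
    return ((5 - v.security_maturity) + (5 - v.recovery_capability)) / 8


def tier(v: VendorAssessment) -> int:
    """Tier 1 = critical to recovery, 2 = important, 3 = standard due diligence only."""
    impact = impact_score(v)
    if impact >= 70:
        return 1
    if impact >= 40:
        return 2
    return 3


def priority_score(v: VendorAssessment) -> int:
    """Impact weighted by the control gap, so a high-impact vendor with weak
    controls on either front rises to the top of the assessment queue."""
    return round(impact_score(v) * (0.5 + 0.5 * control_gap(v)))


def rank_vendors(vendors):
    """Order vendors by tier first, then by descending priority, then by name."""
    return sorted(vendors, key=lambda v: (tier(v), -priority_score(v), v.name))


# Constructed sample vendors (not real organizations).
SAMPLE_VENDORS = [
    VendorAssessment("CloudHost", True, 4, True, 3, 2),
    VendorAssessment("PayrollProcessor", True, 72, True, 4, 4),
    VendorAssessment("LogisticsCarrier", True, 168, False, 2, 3),
    VendorAssessment("OfficeCatering", False, 720, False, 2, 2),
]


if __name__ == "__main__":
    for v in rank_vendors(SAMPLE_VENDORS):
        print(f"tier {tier(v)}  priority {priority_score(v):3d}  "
              f"impact {impact_score(v):3d}  gap {control_gap(v):.2f}  {v.name}")
```

The two inputs that drive the result are deliberately separate: impact comes from the VIA and BIA (what the vendor does for critical processes), while the control gap comes from evaluating the vendor itself on the two fronts. Keeping them apart means a well-run but non-critical vendor stays in tier 3 without extra assessment effort, and a critical vendor with weak recovery capability surfaces even if its security maturity looks fine.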
Making cyber resilience a reality
True cyber resilience demands a response that addresses the organization as a whole; half measures will not work. It begins with a deep understanding of the operational landscape, to know which workflows must be preserved so the organization can continue to operate in the event of a cyberattack while safeguarding stakeholders and assets.
This is why silos need to be broken and the dots need to be connected between all of the functions across the organization and the broader cyber ecosystem.
Many organizations use a web of vendors and third parties to bring products to market, which broadens their exposure to risk with every connection. Considering the potential for vendors and third parties to impact operations, it becomes obvious that organizations need to do much more to understand the role vendors play in their ability to maintain resiliency.
Integrate risk for business resilience
Through the integration of VCM and BCM programs, organizations can better profile and screen vendors, conduct impact assessments at the product level, determine assessment needs, and maintain historical and auditable assessment records. Such integrated risk management enables risk professionals to better manage vendor products and services, understand their business impacts, determine vendor risk scores, capture contract and SLA details, and access additional visualization and reporting capabilities.
By unifying VCM and BCM data and practices, organizations can manage risk more holistically. This leads to better capital and resource management, reduced costs, improved business performance, and ultimately protects the organizations’ brand and reputation.