Friday, October 9, 2015

3 Risks of Third Party Risk Management

(This article originally appeared on my LinkedIn profile.)
After roughly five years of working in Financial and Credit Services in Information Security and Third Party Risk Management I decided to take a risk of my own and dive into Health Care. It was really more of a back flip as I was only vaguely familiar with Health Care regulations.

The Health Care industry has exploded with opportunity for individuals with a background in Information Security and Risk Management, particularly for those focused on Third Party Risk Management. Once I started my job search it didn't take long; I only interviewed with one company before accepting a new position. Still, barely a day goes by that I don't receive inquiries from recruiters or colleagues seeking qualified candidates.
Everyone warned that Health Care's Third Party Risk Management was at least 10 years behind Financial Services. That may be true in some instances, but I've been pleased to find it's not always the case. I've found robust security programs across a variety of Health Care organizations, and even though Financial Services is generally the leader, I've seen many inefficient programs in very large financial institutions. Those inefficiencies amount to considerable waste of resources and valuable time.
Rather than spend all day discussing all the things people do wrong I'll just focus on three key mistakes that inhibit program success regardless of your industry. Coincidentally they all relate to maximizing the time spent on analyzing risk.
1. Scope Confusion, or not knowing what your vendor actually does for your organization, can start your risk assessment on the wrong path, frustrate your vendor and your business partners, and ultimately lead to wasted time and missed deliverables. The best way to kick off your risk assessment is by conducting internal interviews with business stakeholders before contacting the vendor. Simply throwing a control questionnaire over the fence to your vendor without proper scoping will lead to confusion. You will appear unqualified for your job when your vendor has to remind you what they do for you and correct the scope of the assessment. I've been the vendor in this scenario, and it was never pleasant.
2. Inconsistency in how you scope and conduct risk assessments and report security findings. Once you have developed a process to effectively scope your risk assessments you need to show consistency in the assessment process. This can be achieved by standardizing the tools you use, such as risk questionnaires and assessment reports. These should be similar in format and easily modified for each assessment. Of course, no two vendors are the same so there will be differences, but you should not be recreating the risk assessment process for each vendor. Focus on scoping rather than customization. There are some organizations that provide standardized tools and assessment procedures. One of my favorites is Shared Assessments.
3. Duplication of efforts is a prime example of corporate waste and it will only hinder your program efforts. In my experience working with leading financial institutions I was amazed at their lack of internal communication. On more than one occasion I was contacted by separate teams within a single institution on the same day to initiate risk assessments with essentially the same scope. On each of those occasions the teams had no idea the other was performing an assessment, and in one case, didn't know the other even existed. Some organizations are so large that some duplication is impossible to avoid, but this can be mitigated by centralized Third Party Risk Management.
