This column is available in a weekly newsletter called IT Best Practices.
Companies today are outsourcing more business processes and data handling to third parties, especially cloud service providers. According to Skyhigh Networks, the average number of SaaS applications in use within enterprise organizations is now up to 923—a 21% increase over 2014.
Each and every one of those service providers presents opportunities for introducing enterprise risk. For example, if data is not properly secured in a cloud service, it increases the chance of a breach.
Many organizations have a regulatory mandate to evaluate their vendors – and even their vendors' vendors, or potential vendors – to understand what risk they bring to the organization. However, the sheer volume and complexity of vendor relationships today makes it challenging to perform thorough vendor risk assessments.
The traditional processes for vendor risk management (VRM) are largely manual and highly inefficient. Auditors often send out vendor assessment questionnaires to their vendors in the form of spreadsheets or documents, and they ask for supporting documentation such as compliance reports, which may get submitted in paper form. And then there's the task of sifting through all these documents to understand the risk positions of the vendors and to set up remediation plans, if necessary.
Imagine doing this for a thousand or more vendors. To make matters worse, many companies are required by policy to assess at least their major vendors annually, or even quarterly. Financial services companies have an added burden. The Office of the Comptroller of the Currency requires banks to effectively manage an assessment process even before they enter into a contract with a vendor. All things considered, vendor risk management is a Sisyphean task, to be sure.
Prevalent Inc. approaches this challenge with a unified vendor risk management and threat intelligence platform that is said to enable the VRM process to scale to tens of thousands of vendors. The Prevalent platform has some interesting capabilities. In fact, Gartner put Prevalent in the Innovative corner of its inaugural IT Vendor Risk Management Magic Quadrant because of functionality such as external threat intelligence, technical monitoring and cloud application discovery.
The first part of the unified platform is a component called Prevalent Vendor Risk Manager (PVRM), software that is primarily hosted by Prevalent in the cloud, although some of Prevalent's largest customers host it internally. PVRM is a platform for automating the assessment process and for collecting relevant vendor risk information in a central location.
An organization's third- and fourth-party vendors can submit their self-assessments and relevant evidence to a private portal leading to the organization's instance of PVRM. Prevalent's software helps to scope the assessment needed for each vendor based on criteria such as whether the vendor handles data for the organization and how extensive the relationship is. For example, a vendor that handles credit card payments on the organization's behalf would require a more in-depth assessment than a company that supplies paper and office products.
PVRM has a discovery feature that Prevalent calls Cloud ID. PVRM can take logs from an organization and identify the vendors that are being used from a cloud perspective. This is similar to the discovery capabilities of cloud access security brokers. PVRM discovers the cloud services in use and pushes the respective vendors into the process for threat assessment and monitoring. Prevalent intends to enhance this capability by connecting to other systems the organization might have, such as ERP or accounting systems. Discovery would be automated based on conditions such as vendors that need to get paid. So, for example, if a vendor is in the Accounts Payable system, it should also get put into the vendor risk management system for assessment.
PVRM also evaluates risk across multiple evidence sources and creates a risk score per vendor against standards that an organization sets. This is an area where Prevalent Vendor Threat Monitor (PVTM) can add further risk information through a threat intelligence feed. The publicly available information is made relevant to a specific organization based on the context of what a vendor is doing for that organization. This is best explained with an example.
Say a company has a thousand vendors it wants to assess. PVTM can deliver a high-level view of what Prevalent is seeing from publicly available data sources across different risk areas for all of those vendors; for example, data breach information, IP reputation, financial viability, and other types of operational risk. This data contributes to risk scores for those vendors. The risk score becomes specific to that particular company when the context shows, for example, that the vendor has network access or is handling highly sensitive information. So, if the vendor has suffered a data breach in the past and it is handling, or intends to handle, the organization's data now, the risk score gets elevated in PVRM.
Prevalent says it has customers who use this feature in pre-assessments where they have an RFP with numerous vendors competing and they need viable criteria to whittle down the vendor list. Vendor threat scores are one way to consider eliminating or elevating contenders for a contract.
The Prevalent Vendor Threat Monitor application provides continuous threat monitoring. If a vendor experiences something significant that affects its risk posture – for example, the vendor has been the subject of regulatory scrutiny, or had a civil judgment filed against it – that information is quickly reflected in the Prevalent risk score. So even if the vendor isn't due for an in-depth assessment for another year, the company can be alerted to the new risk level right away and determine if a reassessment should be scheduled.
Another interesting aspect of what Prevalent does is tie together a set of vendors in what's called variable scoping. This is particularly relevant for services that are hosted in the cloud, where the software company is one vendor, but the underlying infrastructure company is another. They can be assessed independently or together in a single assessment, and the threat intelligence on each vendor can be brought in. This allows an organization to see the risk level across the entire data chain, not just one piece of it.
All of these services can be performed by Prevalent in a managed service the company calls Vendor Assess. This service includes the unified software platform, the threat intelligence, and remote assessment support from Prevalent on an annual subscription basis.
According to Prevalent, its customers realize a 3x improvement in the number of third party assessments they are able to perform, while also reducing the total cost of operation by 30-50%, inclusive of software and human capital costs.
These metrics are important as the number of vendors used by an enterprise organization grows into the thousands and tens of thousands. It's clear that automation must be used just to manage the complex processes and stay current on relevant risks.