Equifax and the Vendor Risk Management Quandary

Let me start with a simple caveat: this will not be another blog or rant that seeks to bash Equifax, their executives, or their security team. I believe there is a certain degree of professional courtesy that people should be afforded in our industry and that includes not lambasting them in times of crisis.

Instead, I was thinking about this situation in the context of vendor risk management. The focus on managing risk associated with vendors or 3rd/4th parties continues to grow, as does the number of vendors who will offer you a “solution” to manage this risk.

As Senior Director of Security at Cylance, I wear both hats in this field: I am accountable to our teams and our customers’ inquiries about our company’s security policies as they manage their vendor risk. Likewise, I also own the processes by which Cylance assesses risk posed by our vendors, and a timely call from a salesperson from a vendor risk management company painted the current Equifax incident in a new light for me.

As I consider the different vendor risk management solutions available in the marketplace, they all seem to offer some combination of the following:

  • Management and execution of an assessment questionnaire of your design for your organization
  • Creation and execution of their own assessment methodology
  • Factoring Open Source Intelligence about the company into the assessment
  • Conducting scans of the vendor’s Internet presence
  • Delivering a score resulting from the assessment process
  • Delivering a portfolio of pre-existing assessments that can be accessed for vendors already in their system
  • Management of the portfolio of risk that is associated with your vendors

I am left wondering how each of these processes would actually have fared with regard to the Equifax situation. As recently attested to by Equifax’s former CEO, the breach was ...

This is a Security Bloggers Network syndicated blog post authored by Steve Mancini. Read the original post at: Cylance Blog