Let me start with a simple caveat: this will not be another blog or rant that seeks to bash Equifax, their executives, or their security team. I believe there is a certain degree of professional courtesy that people should be afforded in our industry and that includes not lambasting them in times of crisis.
Instead, I was thinking about this situation in the context of vendor risk management. The focus on managing risk associated with vendors or 3rd/4th parties continues to grow, as do the number of vendors who will offer you a “solution” to manage this risk.
As Senior Director of Security at Cylance, I wear both hats in this field: I am accountable to our teams and to our customers' inquiries about our company's security policies as they manage their vendor risk. Likewise, I also own the processes by which Cylance assesses the risk posed by our vendors, and a timely call from a salesperson at a vendor risk management company painted the current Equifax incident in a new light for me.
As I consider the different vendor risk management solutions available in the marketplace, they all seem to offer some combination of the following:
- Management and execution of an assessment questionnaire of your design for your organization
- Creation and execution of their own assessment methodology
- Factoring Open Source Intelligence about the company into the assessment
- Conducting scans of the vendor’s Internet presence
- Delivering a score resulting from the assessment process
- Delivering a portfolio of pre-existing assessments that can be accessed for vendors already in their system
- Management of the portfolio of risk that is associated with your vendors
I am left wondering how each of these processes would actually have fared with regard to the Equifax situation. As recently attested to by Equifax’s former CEO, the breach was (Read more...)
*** This is a Security Bloggers Network syndicated blog from Cylance Blog authored by Steve Mancini. Read the original post at: https://threatmatrix.cylance.com/en_us/home/equifax-and-the-vendor-risk-management-quandary.html