Equifax and the Vendor Risk Management Quandary

Let me start with a simple caveat: this will not be another blog or rant that seeks to bash Equifax, their executives, or their security team. I believe there is a certain degree of professional courtesy that people should be afforded in our industry and that includes not lambasting them in times of crisis.

Instead, I was thinking about this situation in the context of vendor risk management. The focus on managing risk associated with vendors or third/fourth parties continues to grow, as does the number of vendors who will offer you a “solution” to manage this risk.

As Senior Director of Security at Cylance, I wear both hats in this field: I am accountable to our teams and to our customers’ inquiries about our company’s security policies as they manage their vendor risk. Likewise, I also own the processes by which Cylance assesses the risk posed by our vendors, and a timely call from a salesperson at a vendor risk management company painted the current Equifax incident in a new light for me.

As I consider the different vendor risk management solutions available in the marketplace, they all seem to offer some combination of the following:

  • Management and execution of an assessment questionnaire of your design for your organization
  • Creation and execution of their own assessment methodology
  • Factoring Open Source Intelligence about the company into the assessment
  • Conducting scans of the vendor’s Internet presence
  • Delivering a score resulting from the assessment process
  • Delivering a portfolio of pre-existing assessments that can be accessed for vendors already in their system
  • Management of the portfolio of risk that is associated with your vendors

I am left wondering how each of these processes would actually have fared with regard to the Equifax situation. As recently attested to by Equifax’s former CEO, the breach was

*** This is a Security Bloggers Network syndicated blog from Cylance Blog authored by Steve Mancini. Read the original post at: https://threatmatrix.cylance.com/en_us/home/equifax-and-the-vendor-risk-management-quandary.html