During a client engagement, I listened to two experienced information security risk professionals lament the results of a recent vendor risk assessment survey. The results flagged several “High Risk” vendors that needed attention. However, they couldn’t distinguish which of those “High Risk” vendors posed the most pressing or biggest threats to the company.
Instead, they bemoaned the toil of sifting through the results, laughed (which is a better alternative to crying) about balancing the unending amount of work and limited time, then proceeded to have the same discussion in relation to a business manager who didn’t understand why the new application he requested was considered a “High Risk” …
Just listening, I was vicariously frustrated about the limited view that compliance checklists provide of risk.
A compliance checklist approach to assessment of vendor risk or any risk can give the impression that anything labeled “High Risk” poses comparable risk for a company.
This is problematic because checklists are just lists of practices, not tools for assessing risk based on a model of the factors that actually create risk. At RiskLens, we use the FAIR model that factors in the frequency and magnitude of loss to express risk in dollar terms.
A one-dimensional (i.e. yes/no compliance checklist) approach to risk assessment can produce:
In short, treating a compliance checklist as a risk assessment can have disastrous ramifications: it can fail to identify which vendors truly pose the largest risk to your organization, and it leaves you unable to prioritize which vendors are mission critical and thus warrant additional scrutiny.
See illustration below for a simplistic comparison of the two vendor assessments and their corresponding outputs.
The FAIR model provides a risk-based approach that systematically prompts an analyst to consider simple questions, such as:
The RiskLens platform, based on the FAIR model, can be used to evaluate information security risks (e.g. entrusting vendors with sensitive data) and to estimate the Annualized Loss Exposure (ALE), i.e. the risk, associated with each. An ALE lets decision makers differentiate “High Risks” by the monetary liability each carries and act accordingly.
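The following is an added illustration of the frequency-times-magnitude idea behind ALE; it is not RiskLens platform code and not the full FAIR model. Two constructed vendors both receive the same “High Risk” checklist rating, but a simple FAIR-style estimate (loss event frequency multiplied by loss magnitude, each given as a min / most likely / max range) separates them by an order of magnitude in dollar terms. The triangular distributions, the independence of the two factors, the vendor names and every figure are assumptions made for the example.

```python
"""Toy FAIR-style Annualized Loss Exposure (ALE) estimate for two vendors.

Added example, not RiskLens code. Both vendors are "High Risk" on a yes/no
checklist; the FAIR factors (loss event frequency and loss magnitude)
separate them in dollar terms. All vendor figures below are constructed.
"""
import random
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Vendor:
    name: str
    checklist_rating: str
    # Loss Event Frequency (loss events per year): min / most likely / max
    lef_min: float
    lef_likely: float
    lef_max: float
    # Loss Magnitude per event (USD): min / most likely / max
    lm_min: float
    lm_likely: float
    lm_max: float


def point_estimate_ale(v: Vendor) -> float:
    """ALE = expected loss event frequency x expected loss magnitude.

    The expected value of a triangular distribution is (min + likely + max) / 3,
    so this is the analytic mean of the simulation below.
    """
    lef = (v.lef_min + v.lef_likely + v.lef_max) / 3
    lm = (v.lm_min + v.lm_likely + v.lm_max) / 3
    return lef * lm


def simulate_ale(v: Vendor, iterations: int = 20_000, seed: int = 1) -> dict:
    """Simplified Monte Carlo: one ALE sample = LEF sample x LM sample.

    Assumption: independent triangular distributions for LEF and LM. A fuller
    FAIR analysis would use PERT distributions and the deeper FAIR factors.
    """
    rng = random.Random(seed)  # fixed seed so results are reproducible
    samples = []
    for _ in range(iterations):
        lef = rng.triangular(v.lef_min, v.lef_max, v.lef_likely)
        lm = rng.triangular(v.lm_min, v.lm_max, v.lm_likely)
        samples.append(lef * lm)
    samples.sort()

    def pct(q: float) -> float:
        return samples[int(q * (len(samples) - 1))]

    return {"mean": mean(samples), "p10": pct(0.10), "p90": pct(0.90)}


def rank_by_ale(vendors) -> list:
    """Order vendors by point-estimate ALE, largest exposure first."""
    ranked = [(v.name, point_estimate_ale(v)) for v in vendors]
    return sorted(ranked, key=lambda item: item[1], reverse=True)


# Constructed vendors: identical checklist rating, very different exposure.
PAYROLL_PROCESSOR = Vendor(
    "Payroll processor (holds employee PII)", "High Risk",
    lef_min=0.1, lef_likely=0.2, lef_max=0.6,          # a breach every few years
    lm_min=500_000, lm_likely=1_000_000, lm_max=3_000_000,
)
SURVEY_TOOL = Vendor(
    "Survey SaaS (marketing contact lists)", "High Risk",
    lef_min=1, lef_likely=2, lef_max=6,                # frequent, minor incidents
    lm_min=5_000, lm_likely=10_000, lm_max=30_000,
)
VENDORS = (PAYROLL_PROCESSOR, SURVEY_TOOL)


if __name__ == "__main__":
    for v in VENDORS:
        sim = simulate_ale(v)
        print(f"{v.name} [{v.checklist_rating}]")
        print(f"  ALE point estimate: ${point_estimate_ale(v):,.0f}")
        print(f"  simulated mean ${sim['mean']:,.0f}  "
              f"(10th pct ${sim['p10']:,.0f}, 90th pct ${sim['p90']:,.0f})")
    print("Priority order:", [name for name, _ in rank_by_ale(VENDORS)])
```

With these constructed inputs the payroll processor's point-estimate ALE is $450,000 and the survey tool's is $45,000, so two vendors that look identical on a checklist land ten-fold apart once frequency and magnitude are both considered; the 10th/90th percentile band from the simulation is what an analyst would show a decision maker alongside the point estimate.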
Compliance checklists have their place in performing due diligence on your vendors but adding a risk-based approach can open the door to increased visibility and provide actionable results to enable effective decision making.