In Vendor Risk Assessment, All “High Risks” Are Not Created Equal

April 17, 2019  Teresa Suarez

During a client engagement, I listened to two experienced information security risk professionals lament about the results of a recent vendor risk assessment survey. The results indicated several “High Risk” vendors that needed attention. However, they couldn’t distinguish which “High Risk” vendors posed the most pressing or biggest threats to the company. Instead, they bemoaned the toil of sifting through the results, laughed (which is a better alternative to crying) about balancing the unending amount of work and limited time, then proceeded to have the same discussion in relation to a business manager who didn’t understand why the new application he requested was considered a “High Risk” … Just listening, I was vicariously frustrated about the limited view that compliance checklists provide of risk. A compliance checklist approach to assessment of vendor risk or any risk can give the impression that anything labeled “High Risk” poses comparable risk for a company. This is problematic because checklists are just lists of practices, not tools for assessing risk based on a model of the factors that actually create risk. At RiskLens, we use the FAIR model that factors in the frequency and magnitude of loss to express risk in dollar terms. A one-dimensional (i.e. yes/no compliance checklist) approach to risk assessment can produce:
  • Indistinguishable “High Risks” (or “Medium” and “Low” categories for that matter)
  • A good deal of uncertainty
  • The Boy-Who-Cried-Wolf effect (because how many times can you cry some vendor, new application, etc. is “High Risk” before business managers become inured to such labels?)
In short, conflating a compliance checklist with a risk assessment can have disastrous ramifications; the negative effects can include the failure to identify which vendors truly pose the largest risk to your organization and the inability to effectively prioritize which are mission critical and thus warrant additional scrutiny. See illustration below for a simplistic comparison of the two vendor assessments and their corresponding outputs. The FAIR model provides a risk-based approach that systematically prompts an analyst to consider simple questions, such as:
  • “How often” does xyz bad thing happen?
  • “What controls are in place to prevent them from happening?”
  • “How much” would it cost?  Often a function of “How many” records—e.g. PCI/PII/PHI etc.—will be affected?
The RiskLens platform, based on the FAIR model, can be leveraged as a means of evaluating information security risks—e.g. entrusting vendors with sensitive data—and estimating the associated Annualized Loss Exposure (ALE), i.e. risk, of each. Providing an ALE will enable decision makers to differentiate “High Risks” by the monetary liability associated with each and act accordingly. Compliance checklists have their place in performing due diligence on your vendors but adding a risk-based approach can open the door to increased visibility and provide actionable results to enable effective decision making. Related: The Inherent Problems of Vendor Risk Assessment Without a Model Adding Dollars and Cents to Your NIST CSF Reporting