Despite advances over the past five years, IT vendor risk management is still done haphazardly and relies on static paper-based audits.

One of the fundamental best practices of cyber supply chain security is IT vendor risk management. When organizations purchase and deploy application software, routers, servers, and storage devices, they are in essence placing their trust in the IT vendors that develop and sell these products. Unfortunately, this trust can be misplaced. Some IT vendors (especially startups) focus on features and functionality rather than security when they develop products, resulting in buggy, vulnerable products. In other cases, hardware vendors unknowingly build systems using malicious components sourced through their own supply chain. IT products are also often purchased through global networks of third-party distributors that have ample opportunity to turn innocent IT products into malicious confederates for cybercrime.

Recognizing this risk, many organizations have vendor risk management programs in place. In the past, vendor risk management focused on things like vendors' financial viability and legal exposure, but cybersecurity has become another important requirement. To mitigate IT vendor risk, many organizations evaluate their IT vendors' security processes and products with annual security audits.

How widespread is this practice? In a recently published research report, ESG investigated the cyber supply chain security practices of U.S.-based critical infrastructure organizations designated by the Department of Homeland Security (note: I am an ESG employee).
The data indicates that:

- 53% of critical infrastructure organizations always audit the security processes of their strategic IT infrastructure vendors.
- 52% of critical infrastructure organizations always audit the security processes of their cloud service providers.
- 47% of critical infrastructure organizations always audit the security processes of their strategic software vendors.
- 46% of critical infrastructure organizations always audit the security processes of their managed and/or professional services vendors.
- 40% of critical infrastructure organizations always audit the security processes of the distributors, resellers, and VARs that supply them with IT products and services.

The good news is that more critical infrastructure organizations are doing IT vendor security audits today than in the past. For example, only 30% of critical infrastructure organizations always audited their strategic IT infrastructure vendors' security processes in 2010, compared to 53% in 2015. Clearly, IT vendor security audits have become a cyber supply chain security best practice.

While this is a positive trend, ESG sees more bad news than good in this data:

- Nearly half of critical infrastructure organizations DO NOT conduct IT vendor security audits on a regular basis. These are the very firms that provide us with electricity, financial services, health care, telecommunications, etc. Very scary.
- Critical infrastructure organizations are especially lax around the security of third-party distributors. This is especially troubling since distributors not only source IT products as a proxy for customers but also provide value-added services (e.g., configuration, customization, installation). This gives distributors absolute carte blanche to corrupt otherwise clean hardware and software.
- IT vendor security audits tend to be nothing more than some type of annual paper-based checklist. So even if these audits are completely on the level, they are only accurate for a brief period of time once a year.

In my humble opinion, this process is completely broken. On the supply side, IT vendors should do the right thing and build security into their product lifecycles and corporate processes. Some vendors like IBM, Microsoft, and VMware have established and published cybersecurity practices that serve as a model for the industry at large. On the demand side, enterprises must stop treating IT vendor risk management as a necessary evil and checkbox exercise. Organizations (especially critical infrastructure organizations) should put IT vendors through the wringer, seek out real-time risk management intelligence (e.g., from firms like BitSight and SecurityScorecard), and only buy IT products and services from vendors with strong and proven commitments to cybersecurity.