Corporate Security

A Proportionate Approach To Vendor Security Governance

Traditionally, performing third party due diligence has been primarily a data gathering activity.

Now, with access to abundant information sources, the activity—and the challenges—have evolved. …a potential provider that brags about how comprehensive their due diligence is doesn’t “get it”— it’s also about ranking risks and targeting resources where they are needed.

In addition, not all “red flags” are created equal. Only a few kinds of red flags indicate the need for expensive analyst-led due diligence.

An integrated due diligence system must be able to distinguish between red flags and the level of risk each presents. Many can be analyzed and resolved without expensive and time consuming analyst-led due diligence reports.


The quoted article is centred around a software solution, which I am neither condemning nor recommending. The link is here because the outlined risk based approach to scoping effort is absolutely in line with my thinking. It wasn't an InfoSec focused article. InfoSec due diligence is its own ballgame…my ballgame.

Despite some huge challenges around choosing, and then assuring, an acceptable level of security protection when dealing with third parties, the crossover with more general vendor governance is obvious. Logistics and other supply chain disciplines have been evolving for many years (from the first moment a boss decided to get some other bloke to do something he couldn't do for himself). General vendor governance is therefore informed by a much deeper pool of experience than supplier security governance can yet draw on.

It is hard to navigate the choppy waters of an as yet poorly defined discipline to find risk, business and cost focused solutions: a way to target scarce resources and build the secure, co-operative relationship you need. It takes trial and error, and stakeholder and risk management skills equal to (if not exceeding) your security knowledge. I've posted in detail about one perspective on finding a path through this mire here.

Your internal team will only get so many chances to get this right. Bringing the full range of operational, procurement, legal, risk, audit, C-suite and supplier stakeholders on-board is tough the first time, but virtually impossible the second or third.

It bears a significant amount of thought, because the risk posed to well secured businesses by their potentially less secure contracted third parties isn't going away. And, let's face it, everyone's supply chain is getting longer and more complex the further we venture into the cloud.
