Assessing vendor risk is a key topic for many enterprises seeking fit-for-purpose solutions to get the job done. Over 60% of data breaches originating from vendor portfolios, combined with mounting regulatory requirements and data privacy fines, are all significant imperatives to get it right. Cybersecurity experts Alex Golbin of IHS Markit and Mike Wilkes of SecurityScorecard discuss how -- just like aligning chess pieces -- applying the right tools in assessing vendor risk can help protect your most valuable assets.
Why are you playing chess with your vendors?
Alex has been playing chess since he was 6 years old: "I've participated in tournaments, traveling from state to state, spending endless hours practicing and studying theory and tactics, and more recently playing online chess. The fact is, I grew up in a family of chess players, and chess was always a topic of discussion and an avid activity in the Golbin household. If I can boil it down to a single most important tip on how to win at chess, I would simply say: know how to pick your opponent."
Unfortunately, the evolution of business in many industries has led to the creation of an adversarial relationship between customers and vendors. Customers often think of a vendor risk assessment as an offensive chess game against their vendors, looking to get as many questions answered as possible and to get as much evidence about every policy and procedure as they can get their hands on. Vendors, on the other hand, play defense, pushing back against often unreasonable customer requests and creating elaborate processes and large teams to deal with the endless questionnaires that come in. What's often lost is that almost all customers are vendors themselves and vice versa, and that in this game of chess, the vendors are on our side in the battle against risk and disruption of our business.
It's humorous to note that on far too many occasions we see a bank that's really difficult towards its vendors, sending them extensive due diligence requirements for documentation and attestation, while it pushes back on providing similar levels of transparency to its own customers.
So, if we shouldn't be playing chess against our vendors, then whom should we play chess against? A more effective mindset is to think of vendors as partners in a chess game against various threat vectors. It's important to understand your entire vendor portfolio: how each vendor supports your business function, and how much you rely on each vendor for safeguarding your sensitive data, supporting the availability of your critical business services, or shielding you from reputational damage. Together, you and your vendor are playing a chess game against all the bad guys (and sometimes acts of nature) out there.
How is chess different from checkers?
Unlike checkers, each chess piece has its own unique advantages for getting the job done and a certain weight or significance in your gameplay. Similarly, with vendor risk assessments it's critical to apply the right combination of tools across your entire vendor portfolio. For example, critical vendors often warrant a more comprehensive onsite or remote assessment and possibly a penetration test, whereas with lower-risk vendors a lighter-touch method will normally suffice. The game of chess is also an appropriate analog for vendor risk management because you can play the game aggressively or conservatively, depending on the organizational culture and the tolerance for risk that the business will accept.
Can you calculate every possible move in chess?
Unless you are a computer, there is a good chance you won't calculate every permutation of moves ahead. In chess it's important to evaluate every move from multiple dimensions to reasonably assess the favorability of potential positions. In some positions, a pawn can become more valuable than a rook. Similarly, it's important to evaluate vendor risk from multiple dimensions and take a risk-based approach. Using a combination of approaches such as inside-out control assessments, financial health and location risk, coupled with outside-in cybersecurity ratings, makes for a smart combination and a balanced, multidimensional view. Some vendors are on the board in order to block specific attack vectors, while others are there to improve your proactive security posture and prevent security incidents rather than just react to them after they occur.
Is it sufficient to make one great move to win in chess?
Good chess players know that one bad move in chess can cost you the king. The best chess players in the world know that to win, you need continuous reevaluation of your posture after each move. An opponent's knight that was harmless just a few moves ago can become a major threat at any time. Just think about how our collective attack surface has changed since work-from-remote policies came into place this spring. Mitigating controls and tools from your vendors have had to shift accordingly. Similarly, in vendor risk management, continuous monitoring is key. Once a baseline is determined, it's imperative to monitor for any drops in cybersecurity ratings, financial health ratings, negative news, data breaches, changes in location risk, etc.
Do I need to just worry about my queen and king?
In chess, everyone knows that the King should be protected at all costs and the Queen is the rock star on the board that can wreak havoc on your opponent. That said, all pieces are important, and the pawns certainly matter. Similarly, in vendor risk, it's critical to assess the vendors that support protecting your crown jewels. However, most of the aggregated risk is actually in the long tail of the broader vendor portfolio (your pawns). Without fit-for-purpose, cost-effective assessments for lower-risk vendors, the overall risk posture is seriously jeopardized. That's where a lighter-touch approach of monitoring outside-in risk vectors such as cybersecurity ratings and financial health becomes especially important.
So how do I put it all together?
It takes years of practice to become a good chess player. It takes strong commitment to become a grandmaster. Similarly, in vendor risk management, doing everything manually isn't going to get you far. Having the right investment in technology and solutions makes the difference between winning, losing, or stalemate. IHS Markit KY3P brings together expertise, tools, data from industry-leading services, and a comprehensive assessment service powered by Big 4 firms. In our recent alliance, KY3P and SecurityScorecard brought together a collection of solutions for you to deliver that checkmate.
Posted 24 September 2020 by Alex Golbin, Global Head of Assessment Services, KY3P, IHS Markit