Automation is key to escaping 'Excel hell'

Third-party risk requires constant monitoring, but too many businesses are stuck using manual approaches

Identifying and managing the risk from third parties - vendors, suppliers and other external partners - is vital, but many companies continue to do so manually: stuck in what Alan MacGillivray, privacy consultant at OneTrust, refers to as "Excel hell".

"There are two main drivers to why private third-party risk is so important today," said MacGillivray at Computing's Cybersecurity Live conference. "The first one is legal. With Article 28 of the GDPR it is the responsibility of [data] controllers to ensure that [data] processors have sufficient guarantees, technical and organisational measures in place to protect the privacy of the subjects.

"The second one is of course technical, and that is that more and more companies are not actually holding the information that they are responsible for, particularly with the growth in cloud software throughout the world. More and more often, there is a third party involved with the processing of information, and it is our responsibility to ensure that this is handled correctly, from not just the legal perspective but also a technical one."

There are three challenges for companies when it comes to this sort of risk management: information, communication and monitoring.

The amount of information that companies collect on partners is huge, and can be spread across multiple departments - especially for multinationals that lack a single-pane-of-glass view. This isn't dependent on the size of the company, either: MacGillivray has seen large firms with just a few technical providers, and smaller companies with "thousands."

The second challenge is the communication disconnect: no one knows who to talk to at a partner when an incident occurs. Often the initial point of contact has moved on since the contract was signed.

The final challenge is the need to monitor vendors, who may change their approach after you start working with them. MacGillivray described a situation he has encountered several times: "So you've selected your [vendor], you're going to sign the contract after all your security, compliancy, privacy questionnaires, due diligence. Contract signed, you've started working with them, and now - especially in the cloud software industry - the technical organisational measures, nine months later, could be completely different than what you signed up for in the first place."

Most companies MacGillivray has talked to are controlling these challenges with manual processes and storing data in spreadsheets. His reference to that practice as "Excel hell" drew more than a few knowing nods from around the room!

The lifecycle of vendor risk management

The first step in addressing these challenges is to identify your vendors, the goal being to move away from spreadsheets to an automated process, such as software with a central vendor inventory and ranking system. This way, line-of-business owners can choose the vendor that best suits them from a self-service portal.

It helps to have some sort of data exchange in place, to assist with ranking vendors and gathering more information on them. Companies like OneTrust keep due-diligence databases of vendors, and so do various government departments. This feeds into the next step: assessing and reviewing vendors. This can take a long time when done manually; automation, enabling dynamic assessments, dramatically speeds up the process. It can also help with tailoring assessments to an individual vendor to identify their use case.

"Once when we won a contract, it was with a manufacturer of plastic parts. One of the questions on their assessment was, 'Does my product that I'm selling to them contain any lead?' Now I can understand why they would ask me that, but it had absolutely nothing to do with the services we were providing; they just assumed I was just one of their generic suppliers."

With this data, companies can mitigate risks by assessing their vendors' data controls, which may affect SLAs and contracts. "Once we understand the risks we can undertake a plan, we can provide exceptions or we may need to put them out of the contract."

Once all of this is in place, the goal must be to maintain records for security and compliance audits, keeping both the board and regulators informed. Many companies that rely on manual reporting find it difficult to pull usable information from spreadsheets; automating reporting provides a way to track risk over time.

The final step is to continually monitor vendor partners for ongoing insight into risk, which may change over time. "Some may need to be checked quarterly, and others you might check once every five years - it partly depends on what they're doing for your organisation," said MacGillivray. Of course, automating this step is nearly a necessity - especially for companies with thousands of vendor partners.