Read about the latest cybersecurity news and get advice on third-party vendor risk management, reporting cybersecurity to the Board, managing cyber risks, benchmarking security performance, and more.
Insights blog.
Critical Vulnerabilities Discovered in Automated Tank Gauge Systems
Bitsight TRACE explores several critical vulnerabilities discovered in ATG systems and their inherent risk when exposed to the Internet.
You’ve likely heard your fair share of mortifying headlines involving IT vendor management. Many of the highly publicized breaches in the last several years occurred simply because the companies did not follow basic best practices for IT vendor risk management (VRM).
Even with every safeguard in place, it’s simply impossible to avoid all cybersecurity breaches. That being said, there are things you can do to lower the chance of a catastrophic one happening in your organization. By looking at a few recent attack vectors and what can be done to mitigate the risks these companies weren’t prepared for, you can help make sure your organization is prepared for a possible cybersecurity breach.
PwC recently published The Global State of Information Security Survey 2016, which highlights security trends in a number of industries and key themes across all industries.
Vendor management spans a wide variety of topics: from contracts, to metrics, to relationships, and beyond. But one of the most critical aspects of vendor management—particularly for a CISO—is how to manage the risk your vendors bring to the table.
The importance—and urgency—of cybersecurity measures have become increasingly visible in recent years. Yearly industry reports from the likes of Verizon, Trustwave, and PwC all express the importance of cybersecurity measures and the costly consequences of cyberattacks. No company wants to become another data breach statistic—but some decision-makers still may not understand the urgency of cybersecurity protection.
Surveys highlighting third-party security and supply chain risk management best practices are conducted regularly. Many of them draw a similar conclusion: that supply chain risk management is a critical issue IT professionals are aware of, but the awareness isn’t necessarily leading to actionable (or effective) programs and policies.
According to Merriam-Webster, proactivity is defined as “controlling a situation by making things happen or by preparing for possible future problems.”
Its antonym, reac
We’ll start by saying there isn’t anything inherently different about a U.K. cybersecurity strategy compared to one in, say, the U.S. But many countries do face some specific cybersecurity strategy challenges, whether they’re regulatory or situational—and the U.K. is no exception.
Before we go into details about managing information risk, let’s start with a working definition we can refer back to:
Touted as “history’s biggest data leak”—with over 2.6 terabytes of information compromised—the “Panama Papers” is one recent data breach that has drawn a great deal of press over the past few weeks. Over 11 million documents were leaked from a renowned Panamanian law firm, Mossack Fonseca, which specializes in offshore holdings. The firm claims its email server was breached, which compromised the files. The papers were obtained by a German newspaper, shared with the International Consortium of Investigative Journalists (ICIJ), and revealed over 200,000 offshore companies. It is not yet clear how many of these holdings are facilitating illegal or unlawful activity.
Some of the largest data breaches in history happened in 2015. Notable breaches on that list include PNI Digital Media, Anthem Insurance, and the Office of Personnel Management. These three weren’t necessarily the top data breaches of last year in terms of size or impact, but they were important because these organizations were so highly trusted and recognized in their respective industries.
The financial services industry is a leader in many aspects of cybersecurity performance and has set the standard in areas like vendor risk management. Why? Because risk is built into their culture. Inherent in the financial services industry is how to measure and mitigate risk, and they’ve become very effective at it.
It goes without saying that the following data breaches were incredibly damaging, both to the companies and to those affected. Each has resulted in some level of data loss, financial loss, and reputational harm. Below, we’re exploring what some of the top breaches in 2015, 2014, and 2013 were and examining the commonalities and differences between them.
This is a two-part blog post. First, you'll discover 5 things to keep in mind when selecting vendor management software. In the second part, you'll read on to uncover the pros and cons of the many vendor risk management tools that organizations have to assess third-party vendors.
This post was updated on September 14, 2020.