Is It A Risk That I Can’t Keep Up With Vendor Risks?
Posted by: Gary Brickhouse
When our cars don’t have any gas in the fuel tank, they won’t run. When your Internet speeds are slow, video streaming quality is poor. When your Third-Party Risk Management programs are not mature, it can put your entire organization at risk.
Supply chains or third parties, also known as vendors, were not always a significant issue for companies. Of course, everyone had their challenges, but the risk to an organization was not as profoundly tied to its vendors as it is today. One primary reason for this is the advancement of technology, communication, and applications. We can connect services in the blink of an eye using API calls and shared databases, allowing for quicker turnaround times and usually less spend. This, in turn, makes it possible to onboard new vendors into our organization very quickly. This quickness is not always a great thing, especially when it comes to risk.
Most Third-Party Risk Management programs are small and isolated, often without dedicated resources. These teams simply don’t have the bandwidth to collect and assess all of the information that is needed for every vendor. With the number of vendors ever-increasing, scaling the Third-Party Risk Management team to keep pace with the volume of new, incoming vendors can become insurmountable. The same is true of the growing backlog of existing vendors that need to be reassessed. Complicating the issue even further is “shadow IT” enabled by technology advances. Employees can quickly go to a website, and within a few clicks and a credit card can set up some type of vendor service without ever discussing it with IT or procurement.
Additionally, over the last several years, there has been a significant push from a compliance perspective to mandate Third-Party Risk Management programs that identify and address vendor risk. Through regulations and standards like FFIEC, HIPAA, NYDFS, NERC CIP, and PCI DSS, organizations that fall under these and others are given specific requirements for managing and maintaining those vendor relationships.
With all that is required for analyzing new and existing vendors, resource bandwidth becomes a significant issue. Having a robust Third-Party Risk Management Program is critical to maximizing your available resources. Establishing a process to identify new vendors and developing an assessment strategy based on the risk each vendor poses are just the beginning steps to getting your Third-Party Risk Management Program off the ground. These are important foundational steps that introduce scalability into your program, allowing you to focus your resources on the vendors posing the most risk to your organization.
For more information on how to continue down the road to building or maturing your Third-Party Risk Program, read our White Paper, “Key Components to Addressing Third-Party Risk.”
About GuidePoint Security
GuidePoint Security provides trusted cybersecurity expertise, solutions and services that help organizations make better decisions that minimize risk. By taking a three-tiered, holistic approach to evaluating security posture and ecosystems, GuidePoint enables some of the nation’s top organizations, such as Fortune 500 companies and U.S. government agencies, to identify threats, optimize resources and integrate best-fit solutions that mitigate risk.
Contributing Author
Gary Brickhouse, VP, GRC Services & CISO, GuidePoint Security
Gary is responsible for all aspects of GuidePoint’s Governance, Risk, and Compliance services, including building and managing the GRC team; offering and collateral development; pre-sales and sales enablement support; practice methodology; and service delivery.
Gary Brickhouse, CISO, GuidePoint Security
Gary Brickhouse, CISO and VP of GRC Services at GuidePoint Security, began his career in the security industry in 2001. Gary is GuidePoint’s internal CISO and is responsible for all aspects of the company’s information security program, inclusive of building and maintaining our internal security architecture and control practices. Gary also leads the GRC Services consulting practice where he is responsible for the development and delivery of GRC service offerings to support our clients. This unique position allows Gary greater visibility into customer needs from an industry services perspective and also as a practitioner, addressing the same risks for GuidePoint.
Previously, Gary was the Security and Compliance Architect for The Walt Disney Company, working on a large, multi-year business program where he served as the subject matter expert for compliance, data privacy, infrastructure and application security, as well as securing emerging technologies like RFID. While at Disney, Gary also served several years as the Compliance Manager responsible for the oversight and execution of the parks and resorts’ compliance programs. Before working at Disney, Gary was an Information Security Specialist at Publix Super Markets, one of the nation’s largest retailers.
Gary is a frequent speaker at industry conferences and webinars, covering a wide array of information security topics. He earned a Bachelor of Science degree from Florida Southern College, holds the Certified Information Systems Security Professional (CISSP), and is an ITIL v3 expert.