Page 25 - Cyber Defense eMagazine February 2024
So, monitoring and managing vendor security is no longer a nice-to-have. It is a need-to-have. And the
regulators have taken notice. Most privacy laws include a cybersecurity audit or vendor due-diligence
requirement.
For example, the General Data Protection Regulation (GDPR), the EU data privacy law, mandates due
diligence on processors to ensure they comply with data protection and security measures. Review
Articles 24, 28, 29 and 46 for the obligations attached to the roles of controllers and processors. Similarly,
Article 9 of the California Privacy Protection Agency (CPPA) regulations under the CCPA requires businesses to
conduct cybersecurity audits that extend to service providers, and requires the service provider's corresponding
cooperation. Likewise, the New York SHIELD Act obliges businesses to maintain "reasonable safeguards", which
include vendor due diligence: selecting service providers capable of maintaining appropriate safeguards and
requiring those safeguards by contract.
This evolving regulatory environment, coupled with the substantial risks and costs associated with
vendor-related data breaches, underscores the need for a more sophisticated and robust approach to
vendor management. Addressing these challenges is critical to safeguarding organizational and
customer data in an increasingly interconnected ecosystem.
Generative A.I. has a role to play in advancing an organization’s ability to comply with these regulations
and improve the vendor management audit process.
2. Current Vendor Management Practices
Currently, vendor management is a procurement function that faces a headwind of silos and biased
perception. When a buyer is in the market for a new vendor, the business owner conducts the search and
ultimately chooses the vendor before any other business unit has had input. This siloed selection
process costs the organization, which in turn puts pressure on the procurement, legal, privacy and security
teams to "approve" the vendor. While these teams can likely withstand such pressure, it comes at a
cost: the relationship with a colleague.
In addition, each of these teams has its own agenda, priorities and expertise. Typically, the
procurement team is incentivized to negotiate the best price, even where that means
forgoing some of the security enhancements the vendor offers. Legal and privacy are responsible for
vendor compliance with policies and laws, which requires review of contract terms and redlining of
unfavorable ones. The security team is similarly tasked with vendor compliance with policies and security
regulations, which it satisfies through security questionnaires or third-party audit reports.
Therefore, not only must these teams be prepared with the paperwork for the vendor and with knowledge of privacy and
cybersecurity, but they also have to be ready, at any given moment, to drop what they are doing and
review the information that the vendor sends back to them.
All the while, the business unit buyer sees these colleagues as blockers to reaching the desired
outcome.
Finally, once the vendor is selected, ongoing monitoring is handled even less well. Whose job is it to send the
annual review? Who conducts that annual review and keeps track of it? How will they prove to
the regulators that they have complied with the law?
Copyright © 2024, Cyber Defense Magazine. All rights reserved worldwide.