Securing your organization’s private data when vendors have access to it means managing relationships from beginning to end, panelists at Compliance Week’s virtual Cyber Risk and Data Privacy Summit agreed.
It’s essential to monitor “the entire life cycle of the relationship with the third parties, from onboarding to offboarding, birth to death,” said David Kessler, vice president and associate general counsel, IT and cybersecurity at BAE Systems, during a panel discussion.
McKenzee McCammack, regional compliance manager at American Express Global Business Travel, said vendor management at her company, which holds large amounts of personal customer data from passports to dietary restrictions, means scrutinizing potential vendors about what security measures they have in place.
“We have to feel good about the data we house and protect and the vendors we onboard,” McCammack said.
Some companies interact with the personal data of individuals and others house business-to-business information, said Joshua Marpet, chief executive officer of MJM Growth. “But at the end of the day, we all have data” that needs to be secured, he said, especially if it includes information that is “mission critical” or in the category of a “crown jewel,” Marpet added.
The potential cost of not performing vendor due diligence prior to onboarding can be incalculable, such as when a company’s reputation is tarnished in a data breach involving a vendor “and you have to notify hundreds of thousands of customers and face an investigation, fines, and penalties,” Kessler said.
That is nowhere truer than in the defense sector, where a loss of data could present a national security risk and put lives at stake, Kessler added. “Size does not matter in this particular case,” he joked.
A good first step when considering a new relationship with a vendor is to review the risk-based analysis or conduct one, especially to understand access controls, McCammack said. She advised looking at the vendor’s cybersecurity insurance, if it has it, and checking what thresholds it includes.
American Express assigns different levels of potential risk to vendors, McCammack said. “If they pose a lot of risk, we do a further review,” she said.
BAE is a defense contractor that relies on many subcontractors, and all must be compliant with government regulations around cybersecurity, Kessler said. Every defense subcontractor is reviewed and assigned a risk score, which is entered into a government database.
“Defense contractors look at the score and see if that vendor may be too risky to do business with,” Kessler said.
When it comes to risk analysis of vendors, “our general counsel says, ‘Go slow to go fast.’ Do it right, get it right, and then you can move at the speed of business,” he said.
If potential vendors are not cooperative with the review, move on and find another subcontractor. “Your business should never be in the position of needing this vendor right here, right now and no one else will do,” Kessler said.
Regarding how to get buy-in from the C-suite to spend on risk reduction, McCammack pointed out that offering heightened data security to clients is a competitive advantage.
“If you are the best in data security, you are the best in the business,” McCammack said. “… Our clients are asking where their data is going.”
Many larger businesses are shifting their internal architecture and relationships with third parties from that of “risk management” to “zero trust,” especially after a May 2021 White House executive order touting this tougher standard, Marpet said.
“Zero trust is a way to have authentication around every piece of data. This is where we are now,” Marpet said. This might include detailed information about the software on which a business relies, called a software bill of materials (SBOM). The White House is requiring that any new software it purchases include an SBOM.
Something to keep in mind is that at most organizations, vendors are generally reviewed for risk once a year. That analysis “is only valid for the first few minutes,” Marpet said. The trend is toward “continuous risk management on our vendors,” he said.