Joe Filer, Vice President and Chief Information Security Officer (CISO) at Harland Clarke, discussed the future of vendor management during his presentation at the 2014 CISO Leadership Forum in Dallas on Oct. 2. In his presentation, “Vendor Security Risk Management – How to Handle the New Normal,” Filer noted that vendor security risk management is important, and that auditing and validation are key to avoiding security issues with vendors.
According to Filer, documentation plays a vital role in vendor security risk management. If a vendor develops effective risk management processes, Filer said, it can minimize and prevent security issues: “The key component for the vendor security risk management piece for me has always been the documentation part of it. How do I develop something when I’m doing effective vendor security risk management that allows me to document my thought processes associated with performing that risk assessment of an individual vendor so I can provide that to whoever’s interested in seeing it?”
Filer also pointed out that consistent security risk management guidelines can have far-reaching effects on an organization. In addition, an organization that understands the impact of these guidelines, Filer said, can avoid unnecessary risks: “There are some real inconsistent guidelines to the management process out there and it’s important to put something together that allows you to continue to be subjected to the cost effective and efficiency space. You have to have a confident sense of the security posture of your key vendors, though, and it has to be one where you’ve been able to build that in a way that doesn’t push them into a place where they don’t want to be a part of the process.”