Industry Insights with Tony Howlett

3rd Party Risk Management , Access Management , Business Continuity Management / Disaster Recovery

What's the Return on Investment of a Vendor Management Platform?

Improve Vendor Remote Access Security, Reduce Third-Party Risk AND Reduce Costs
What's the Return on Investment of a Vendor Management Platform?

The success of business projects and the associated technology solutions to implement them are almost always graded on how much return on investment (ROI) they deliver back to the business for the investment required. And information security projects have always been notoriously difficult to propose in these terms. Many managers and executive-level managers see InfoSec projects in black and white terms - as a binary outcome of either hacked or not hacked. This ends up with the project or implementation being seen as an insurance program of sorts that delivers very little day-to-day operational benefit.

Speaking of security solutions in pure dollar ROI can be difficult when trying to promote InfoSec initiatives but fortunately, one hot topic these days third-party risk management and vendor management solutions can deliver tangible ROI benefits as well as security improvements, especially when it comes to the area of remote access. Finding a solution that implements your security goals when it comes to managing third-party vendors' access but is also more efficient than your current solution, or lack thereof, can be a route to showing real ROI from your project and even paying for itself over the long-run.

This is because most companies implement a third-party access solution both insecurely AND inefficiently. All while costing IT workers productivity and creating security vulnerabilities. However, there are several areas that efficiencies can be wrung out of these processes at the various stages by choosing the right vendor management solution.

Savings in Onboarding

First of all, having a secure and efficient onboarding process for providing vendors with remote access can save a lot of staff time as well as minimizing the human error which can lead to misconfigurations and security vulnerabilities. When giving remote access to third parties, companies often rely on manual forms and other methods of verification that can be very time-consuming. Using a vendor management system allows for vendors to self-register and automating the verification of these registrations with emails to the application owners can take IT out of the loop and still assure validation of the login.

We all know that VPNs are often used to give third parties remote access. This is both insecure as VPNs are huge vectors for attacks with the broad network access they provide and inefficient as it requires another step to provide access to the individual hosts. A vendor management system that eliminates the VPN and provides an encrypted tunnel to only the servers and ports required in one step can eliminate a lot of extra work and chance for error. If you have a lot of vendors being onboarded, these savings can add up quickly.

Savings in Offboarding

The inefficiencies and insecurities of an unmanaged onboarding process for vendors will also manifest similar issues when trying to offboard vendor reps after they either quit or are terminated by your vendor. Synching with vendors on who has left their workforce and therefore needs to be removed from your system and network is a manual and cumbersome process. And depending on how often you do it, there can be a long window of vulnerability where former vendor employees still have access to your systems.

Implementing a modern vendor management system allows you to federate credentials from your vendor's directory. This allows for automated syncing of user bases as the users will be removed from access as soon as their credential is revoked by the vendor, which is usually immediately upon termination. This combines cost savings in the time and effort to manually remove vendor reps from your own directory services with a near real-time removal of former third-party employees. Security plus operational savings can be achieved this w

Savings in Audit Review Time

On the compliance side, enterprises in regulated spaces such as healthcare, finance, and gaming often have to provide detailed audit logs of all remote access by third parties. Compiling these reports for auditors can be very time-consuming. A study showed that the average organization spends over 17,000 hours annually compiling reports and investigating incidents. A vendor management solution that aggregates these access logs can make these tasks much easier. By providing a Single Source of Truth (SSOT) for vendor access information, you can easily report on all vendor access as well as catch any security issues sooner than you could by sorting through multiple log files from different sources.

Save More Than Just Money

If you're looking to improve your vendor remote access security while reducing third-party risk AND reducing costs, look for systems with one or more of these features. Then you'll be able to show both operational efficiencies and increased security in your project ROI analysis. And that is a rare combination in InfoSec these days.

An emerging technology, Vendor Privileged Access Management (VPAM) can provide all these benefits in a single solution. Armed with new data and knowledge on ROI, approving your vendor management project should be as simple as ABC.



About the Author

Tony Howlett

Tony Howlett

CISO, SecureLink

Howlett is a published author and speaker on various security, compliance, and technology topics. He serves as President of (ISC)2 Austin Chapter and is an Advisory Board Member of GIAC/SANS. He is a certified AWS Solutions Architect and holds the CISSP, GNSA certifications, and a B.B.A in Management Information Systems. He is currently the CISO of SecureLink, a vendor privilege access management company based in Austin.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing inforisktoday.com, you agree to our use of cookies.