What Chess Can Teach Us About Assessing Vendor Risk
Assessing vendor risk is a key topic for many enterprises seeking fit-for-purpose solutions to get the job done. With over 60% of data breaches originating in vendor portfolios, and with mounting regulatory requirements and data privacy fines, there are significant imperatives to get it right. Cybersecurity experts Alex Golbin of IHS Markit and Mike Wilkes of SecurityScorecard discuss how applying the right tools to vendor risk assessment, much like deploying the right chess pieces, can help protect your most valuable assets.
Why are you playing chess with your vendors?
Alex has been playing chess since he was 6 years old: "I've participated in tournaments, traveling from state to state, spending endless hours practicing and studying theory and tactics, and more recently playing online chess. The fact is, I grew up in a family of chess players, and chess was always a topic of discussion and an avid activity in the Golbin household. If I can boil it down to a single most important tip on how to win at chess, I would simply say: know how to pick your opponent."
Unfortunately, the evolution of business in many industries has created an adversarial relationship between customers and vendors. Customers often treat a vendor risk assessment as an offensive chess game against their vendors, trying to get as many questions answered as possible and to collect evidence on every policy and procedure they can get their hands on. Vendors, on the other hand, play defense, pushing back against often unreasonable customer requests and building elaborate processes and large teams to deal with the endless questionnaires that come in. What's often lost is that almost all customers are vendors themselves, and vice versa, and that in this game of chess the vendors are on our side in the battle against risk and disruption to our business.
It's humorous to note that on far too many occasions we see a bank that is very demanding of its vendors, sending them extensive due diligence requirements for documentation and attestation, while pushing back on providing similar levels of transparency to its own customers.
So, if we shouldn't be playing chess against our vendors, then whom should we play against? A more effective mindset is to think of vendors as partners in a chess game against the various threat vectors. It's important to understand your entire vendor portfolio: how each vendor supports your business functions, and how much you rely on each vendor to safeguard your sensitive data, to support the availability of your critical business services, or to shield you from reputational damage. Together, you and your vendor are playing a chess game against all the bad guys (and sometimes acts of nature) out there.
How is chess different from checkers?
Unlike checkers, each chess piece has its own unique strengths for getting the job done and carries a certain weight or significance in your gameplay. Similarly, in vendor risk assessment it's critical to apply the right combination of tools across your entire vendor portfolio. For example, critical vendors often warrant a more comprehensive onsite or remote assessment and possibly a penetration test (scoped and authorized in writing with the vendor, since testing a third party's systems without its consent is not an option), whereas for lower-risk vendors a lighter-touch method will normally suffice. The game of chess is also an appropriate analog for vendor risk management because you can play the game aggressively or conservatively, depending on the organizational culture and the risk tolerance the business will accept.
Can you calculate every possible move in chess?
Not even chess engines calculate every permutation of moves ahead; the game tree is far too large, so strong play depends on evaluating each candidate move from multiple dimensions to reasonably assess the favorability of the resulting positions. In some positions, a pawn can become more valuable than a rook. Similarly, it's important to evaluate vendor risk from multiple dimensions and take a risk-based approach. Combining inside-out control assessments and financial-health and location risk with outside-in cybersecurity ratings gives a balanced, multidimensional view. Some vendors are on the board to block specific attack vectors, while others are there to improve your proactive security posture and prevent security incidents rather than merely react to them after they occur.
Is it sufficient to make one great move to win in chess?
Good chess players know that one bad move can cost you the king. The best players in the world know that to win, you need to continuously reevaluate your position after each move: an opponent's knight that was harmless a few moves ago can become a major threat at any time. Just think about how our collective attack surface has changed since work-from-remote policies came into place this spring; the mitigating controls and tools from your vendors have had to shift accordingly. Similarly, in vendor risk management, continuous monitoring is key. Once a baseline is established, it's imperative to monitor for drops in cybersecurity ratings or financial-health ratings, negative news, data breaches, changes in location risk, and so on, and to trigger a reassessment when a change crosses the threshold you have set for that vendor.
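The tiering and continuous-monitoring ideas from the last three sections, put into code. This is an added example and not KY3P or SecurityScorecard code: the vendor attributes, the three tiers, the drop thresholds, the escalation rule and the sample scores are all assumptions constructed for the demo.

```python
"""Vendor risk tiering with baseline-drift monitoring.

Added illustrative example; not KY3P or SecurityScorecard code. Vendor names,
scores, tiers and thresholds are constructed for the demo.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Vendor:
    name: str
    handles_sensitive_data: bool     # inside-out: processes PII, financial records or credentials
    supports_critical_service: bool  # inside-out: an outage would halt a critical business service
    baseline_rating: int             # outside-in cybersecurity rating captured at onboarding (0-100)
    baseline_financial: int          # financial-health score captured at onboarding (0-100)


# Assessment depth per inherent-risk tier (assumed mapping, not a standard).
TIER_ASSESSMENT = {
    "critical": "onsite or remote control assessment plus an authorized penetration test",
    "high": "remote control assessment and questionnaire",
    "standard": "outside-in ratings and financial-health monitoring only",
}

# Drop in points, relative to baseline, that triggers a reassessment (assumed thresholds).
# Critical vendors get the tightest threshold; the long tail is watched more loosely.
DROP_THRESHOLD = {"critical": 5, "high": 10, "standard": 15}

# One tier up when a drop is large enough to change how much the vendor matters.
ESCALATE = {"standard": "high", "high": "critical", "critical": "critical"}


def inherent_tier(v: Vendor) -> str:
    """Inside-out view: tier by how much the business relies on the vendor."""
    if v.handles_sensitive_data and v.supports_critical_service:
        return "critical"
    if v.handles_sensitive_data or v.supports_critical_service:
        return "high"
    return "standard"


def monitor(vendors: List[Vendor],
            current_ratings: Dict[str, int],
            current_financial: Dict[str, int]) -> List[dict]:
    """Continuous monitoring: compare today's outside-in signals with each vendor's baseline.

    A vendor missing from a feed is treated as unchanged rather than as a drop,
    so a feed gap does not raise a false alert.
    """
    alerts = []
    for v in vendors:
        tier = inherent_tier(v)
        threshold = DROP_THRESHOLD[tier]
        signals = (
            ("cyber_rating", v.baseline_rating, current_ratings.get(v.name, v.baseline_rating)),
            ("financial_health", v.baseline_financial, current_financial.get(v.name, v.baseline_financial)),
        )
        for signal, baseline, now in signals:
            drop = baseline - now
            if drop < threshold:
                continue
            # The pawn that suddenly matters: a drop of twice the threshold moves the
            # vendor up a tier so it gets the deeper assessment on the next cycle.
            reassess_as = ESCALATE[tier] if drop >= 2 * threshold else tier
            alerts.append({
                "vendor": v.name,
                "tier": tier,
                "signal": signal,
                "drop": drop,
                "reassess_as": reassess_as,
                "method": TIER_ASSESSMENT[reassess_as],
            })
    return alerts


# Constructed sample portfolio and a later snapshot of the outside-in feeds.
SAMPLE_VENDORS = [
    Vendor("payroll-saas", True, True, 90, 80),
    Vendor("cdn-provider", False, True, 85, 75),
    Vendor("office-catering", False, False, 70, 60),
    Vendor("print-shop", False, False, 88, 90),
]
CURRENT_RATINGS = {"payroll-saas": 84, "cdn-provider": 80, "office-catering": 35, "print-shop": 88}
CURRENT_FINANCIAL = {"payroll-saas": 80, "cdn-provider": 60, "print-shop": 89}  # no entry for office-catering

if __name__ == "__main__":
    for alert in monitor(SAMPLE_VENDORS, CURRENT_RATINGS, CURRENT_FINANCIAL):
        print(alert)
```

Run against the sample data, the critical payroll vendor is flagged for a six-point rating drop, the CDN provider for a fifteen-point fall in financial health, and the catering vendor, a pawn by inherent tier, is escalated to a deeper assessment because its rating collapsed by thirty-five points. Treating a vendor missing from a feed as unchanged rather than as zero is deliberate; otherwise a feed outage would look like the entire portfolio collapsing overnight.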
Do I need to just worry about my queen and king?
In chess, everyone knows that the king must be protected at all costs and that the queen is the rock star on the board who can wreak havoc on your opponent. That said, every piece is important, and the pawns certainly matter. Similarly, in vendor risk it's critical to assess the vendors that help protect your crown jewels. However, most of the aggregated risk actually sits in the long tail of the broader vendor portfolio (your pawns). Without fit-for-purpose, cost-effective assessments for lower-risk vendors, your risk posture is seriously jeopardized. That's where a lighter-touch approach of monitoring outside-in risk vectors, such as cybersecurity ratings and financial health, becomes especially important.
So how do I put it all together?
It takes years of practice to become a good chess player, and strong commitment to become a grandmaster. Similarly, in vendor risk management, doing everything manually isn't going to get you far. The right investment in technology and solutions makes the difference between winning, losing, or stalemate. IHS Markit KY3P brings together expertise, tools, data from industry-leading services, and a comprehensive assessment service powered by Big Four firms. Through our recent alliance, KY3P and SecurityScorecard have brought together a collection of solutions to help you deliver that checkmate.
S&P Global provides industry-leading data, software and technology platforms and managed services to tackle some of the most difficult challenges in financial markets. We help our customers better understand complicated markets, reduce risk, operate more efficiently and comply with financial regulation.
This article was published by S&P Global Market Intelligence and not by S&P Global Ratings, which is a separately managed division of S&P Global.