Managing Third-Party Risks During COVID-19 Crisis
Panel of Experts Addresses Vendor Management Challenges
Third-party risk management is a bigger challenge than ever during the COVID-19 crisis because so many organizations are relying on vendors for essential services, such as managing audits and handling on-premises security, according to a panel of security experts.
Nirupam Srivastava, vice president of strategy, AI and digital transformation at Hero Corp, an auto manufacturing company, says his organization is in touch with vendors to check if they are meeting their compliance requirements.
"We are working with them closely to see what systems and what compliances they follow," he says during a video panel discussion with Information Security Media Group. "Only when they meet our compliance requirements do we take forward our engagement with them."
Some practitioners are tweaking their service-level agreements to suit the current scenario, notes Amit Dhawan, CISO and DPO at Birlasoft, an IT software company. "We have been approached by one of our vendors who was working on desktops before the lockdown to allow them to use their personal laptops," he says. "In our SLAs [service-level agreements] now, it has been mentioned that the vendor needs to put in place certain controls, like a good EDR [endpoint detection and response] which gives us visibility."
In working with vendors to enhance security, imposing a framework doesn't always work, says Yask Sharma, CISO at a large oil and gas company in India.
"A cloud service provider would never give complete control of where their data is. ... So therefore when you try to impose a framework and say a vendor has to meet all requirements, it would not really work," Sharma says. "It sounds nice to have a framework, but whether we can apply this to the vendors is the bigger question."
In this video panel discussion, the participants also discuss:
- The new risks they are anticipating from vendors;
- Whether technology can help mitigate vendor risks;
- Why it is important to redefine SLAs with vendors.
Srivastava is vice president for strategy, AI and digital transformation at Hero Corp. Previously, he was director for strategy and M&A for India and South Asia at LexisNexis.
Dhawan is CISO and DPO at Birlasoft. He has more than 20 years of experience in the IT and information security domain. Before Birlasoft, Dhawan served in leadership roles at eAvighna, an infosec training and consulting startup, as well as at JP Morgan and American Express.
As CISO, Sharma is responsible for the maintenance of cybersecurity operations, infrastructure, and governance at a national critical infrastructure organization. He has more than two decades of experience.