Last week, we discussed the two strategy pitfalls companies face when they realize that they have regulations, laws, and certifications they need to be in compliance with. This post dives deeper into what companies experience when they go down this path.
Whatever level the decision is made at, the first step is to identify and understand the specific obligations you must satisfy. Note that the usual list mixes laws (CCPA, GDPR, HIPAA, SOX), control frameworks (COBIT, COSO, NIST), and certification or attestation programs (FedRAMP, ISO, PCI DSS, SOC 2 reports issued under SSAE 18), and each of these maps to vendor evidence differently.
Next, you will need to build an assessment to send to your third parties and make sure the answers that come back can be mapped point by point to those specific regulations and frameworks. If your focus is third parties, the gold standard in assessments comes from Shared Assessments (a Santa Fe Group program). Its industry-standard tools are the SIG (Standardized Information Gathering questionnaire), the SCA (Standardized Control Assessment), and the VRMMM (Vendor Risk Management Maturity Model).
You might be thinking this seems easy. And it can be, if you only need to assess four or five vendors once or twice a year: existing staff can do those assessments manually on top of their regular jobs. That is not ideal, but it is often considered “good enough” to get by.
But you can quickly get lost in the maze.
The SIG mentioned above runs to more than 1,000 questions. Imagine sending all or part of it to even five of your third-party vendors. The follow-up that results, spread across email, shared drives, cloud backup services, and more, will include:
- Comments and questions coming back because respondents are confused by what is being asked
- Tedious work attaching files or links to each answer so the question is complete and can be validated
- Questions that are missed or not satisfactorily answered
These assessments all have to be completed within a set time frame to remain in compliance, yet a third-party assessment takes, on average, about 12 weeks to get done. Even the largest and most sophisticated firms do not assess all of their vendors, or assess them as frequently and consistently as they would like. Weak third-party oversight is a recurring thread in breaches such as Target (attacker entry through a vendor’s stolen credentials), Equifax (an unpatched third-party software component), and SolarWinds (a compromised vendor software update).
The second strategy pitfall is the other extreme: trying to solve the problem inside an all-knowing, “eye in the sky” GRC platform. One platform appears to cover all of your governance, risk, and compliance needs and give you a single source of truth.
Stop! Today’s monolithic, legacy GRC systems are the SAP and Oracle Financials of the 1990s. You will need an army of consultants and developers to install, configure, deploy, customize, maintain, optimize, and change them. Here are some direct quotes from customers who chose the old GRC strategy:
“We are so done with old GRC systems. We have taken it as far as we can. I am out of budget for the year, but we still have more business requirements to meet.”
“Our GRC is great for providing an ‘Enterprise-Wide View’ of all of our risks. However, for 3rd-Party-specific risks, it does not meet our requirements. It takes us 100 days on average to get an assessment out the door. And the recent SolarWinds breach? We ‘fast-tracked’ that and got it out in 30 days.”
“We did not have the budget to extend our existing GRC to begin a formal 3rd Party assessment program and process. The quote for an additional instance of the software, plus implementation costs, plus the time to get it rolled out not only broke the bank but was a non-starter from a company strategic initiative perspective.”
In next week’s blog, we will cover how to change this way of thinking and prepare for a new way of assessments. Subscribe to our blog to read next week’s post!