Moving risk quantification out to “hundreds of vendors - it magnifies the challenges for sure.”
That was FAIR Institute Advisory Board Member Wade Baker framing the issue of risk in the cloud, which was covered in the FAIRCON panel discussion “Managing Organizational and Third-party Risk in the Age of Digital Transformation.”
On the panel:
Among the words of advice (or commiseration) you’ll hear from the panel:
“Using a framework like FAIR™ allows you to have a much better conversation with (vendors) on what you think the risks are and what they think the risks are and then we can have a better conversation on controls,” said Chris Golden. Using the numbers generated by FAIR analysis tends to force agreement.
Pay as much attention to offboarding a cloud vendor as onboarding, Jill warned. There’s typically “no checklist to make sure whatever switch you turned on (to send data), you turned off. It’s a gap in the vendor risk assessment process.”
Chris said he’s had good luck working with smaller vendors by offering a cooperative relationship from the start, including applying FAIR analysis. “Say ‘we are giving you a free IT audit. Take advantage of it’.”
Watch the complete video of “Managing Organizational and Third-party Risk in the Age of Digital Transformation.” FAIR Institute membership and LINK community site membership are required.