I was listening to the Risk Hose podcast last week. Second only to the conversation about the efficacy of a Cyber-Hadoop instance for cyber-managing cyber-risk, the most interesting cyber-portion of the podcast was the discussion about vendor management. Alex flew off on a spectacular tirade against vendor management by spreadsheet. Listening to the rant was pretty entertaining, but it left me wondering for a moment. I suspect a number of organizations use spreadsheets to manage their vendor relationships. In fact, I will admit to relying on a spreadsheet or two for vendor management in the context of information risk. Could I and the rest of the spreadsheet users out there just be completely stupid and irresponsible? Possibly, but not because I use spreadsheet questionnaires for managing vendor-related information risk.
To be fair, I think the rant was against using spreadsheet compliance as the only control managing vendor risk. If the only thing you have going for you is a spreadsheet full of answers of questionable accuracy, you probably fall into the stupid and irresponsible bucket. You'll get what you deserve, just like a little boy peeing on an electric fence. (Not that I have any experience with that or anything.)
We all know you can eliminate, mitigate, accept, or transfer risks to manage them. I suspect most INFOSEC pros would prefer the turn-your-head-and-cough security assessment to eliminate the risk.
Unfortunately, that is not always possible. Sometimes the business doesn't have the time or inclination to implement suggested controls. Sometimes you don't have the resources you need to do the kind of vendor risk management you want. Sometimes the business sees documentation of bad security practice and wants to proceed anyway. In short, sometimes the business is comfortable accepting the risk. We don't have to like it, but we do have to manage it. That's where we put the INFOSEC hat back on the hook and grab the Information Risk Hat. (Just leave the Ass Hat alone.)
I think compliance questionnaire spreadsheets enable us to manage risk through mitigation. Rarely do organizations exchange security spreadsheet questionnaires just to share information. It is usually done in the context of a legal contract of some sort. That contract is the primary mitigation tool. The trick is linking your spreadsheet to the remedies listed in the contract. Legal and Information Security have a symbiotic relationship in this case. Security documents in the spreadsheet where the loss is most likely to happen and Legal knows how to mitigate the loss if it happens. Lining up your compliance spreadsheet and the remedy clause of your contract can save your bacon by holding your business partner accountable for all or some of the losses resulting from weak responses to your compliance spreadsheet.
So, while spreadsheets might be sub-optimal for vendor management, they might be reasonable risk management. Assuming you link the spreadsheet to a contract with teeth.
What are your thoughts?