BDO, IDRRA Join Forces to Offer Vendor Risk Management Solution

L-R: Sivan Dror, Kobi Freedman, and Noam Hendrucker (Photo: Ami Rojkes Dombe)

Supply-chain threats have risen to the top of the priority list for regulators in the cybersecurity and finance fields, in large part because it is clear that the traditional perimeter-protection approach has failed. In practice, the way businesses operate means there is no longer a perimeter: the largest businesses interface with hundreds or thousands of third-party suppliers. Although the problem has existed for many years, and although regulators have recently woken up to it, there are still no truly scalable solutions for managing supply-chain threats.

“Risk assessments find, on average, about 15 gaps that need to be addressed,” explained Kobi Freedman, Founder and CEO of IDRRA, the company that developed the platform. “An additional statistic is that 70% of the time, the same gaps are found again and again, year after year (i.e., they are not being addressed). The reason for this is scale. If you have 1,000 vendors, that means 15,000 gaps that need to be managed. For an organization, even a large one, this is a nearly impossible task.”

IDRRA identified this market opportunity and developed a cloud-based platform to manage the cybersecurity threats posed by the supply chain (vendors). IDRRA chose not to become a broker of vendor data, but rather to provide a solution to the enterprise and to join forces with a large audit firm. Thus the connection with BDO, which operates in over 160 countries, was born. BDO already provides consulting services in cybersecurity, finance, and other fields, including a SOC service. The collaboration is a natural fit.

Why should vendors cooperate?

“Organizations considered to be critical infrastructure and organizations that are subject to regulation are required to address supply-chain threats,” explains Noam Hendrucker, Director and Head of the BDO Cyber Security Center Israel. It is also important to remember that even organizations that are not subject to regulation or government inspection are expected to implement the recommendations of the Israel National Cyber Directorate (INCD). While this is not a formal requirement, if an organization found itself facing legal action because its systems were used to attack its customers, the question would be asked whether or not it had implemented the INCD’s recommendations.

“The cybersecurity risk management field suffers from a number of core issues today. First, the number of vendors. Banks and insurance companies, for example, cannot evaluate all of their vendors. They work with questionnaires and Excel spreadsheets while sending consulting resources to a small portion of their vendors for an on-site inspection. In general, these consulting resources only make it to critical vendors. There is no organized way to manage hundreds or thousands of vendors and to evaluate the effectiveness of the controls,” explains Hendrucker.

“Large organizations are able to get to about 5%-10% of their supply-chain on average each year. There could be a large number of occasionally active vendors that interface with the organization sporadically. There are also vendors that operate in the shadows, to get around an organization’s standard financial management policies and procedures. These are the vendors that the organization uses to make small purchases directly, rather than going through the standard procurement process (usually managed in SAP or another ERP system). Usually about a fifth of an organization’s vendors are critical ones. The result of this is that critical vendors are not checked as is necessary from an information security perspective.”

Bring Your Own Compliance

The IDRRA platform is a cloud-based, modular solution designed to allow third-party services to be connected with ease, whether those services are supplied by BDO (e.g., consulting or financial services) or by a third-party risk evaluation tool. These may include vulnerability scanning tools, penetration tests, threat intelligence, insurance, and others. At this stage, BDO has exclusive rights to the managed service solution in Israel, and there are already deals in the works with organizations in Australia, the US, and the Netherlands.

“There are vendors who provide scanning, such as Nessus and others, but they don’t give the complete picture, only a portion of it,” explains Freedman. “On the other hand, there are consulting companies that provide on-site inspection. We provide a continuously updated picture of the organization’s entire Vendor Risk Management (VRM) program. Take the scanning view, for example. We facilitate leveraging well-known vendors in the field, such as Normshield, SecurityScorecard, and others. Their results are interleaved into our platform to round out the picture of the vendor.”

[Screen capture from the IDRRA platform]


“The use of APIs allows for the integration of a wide variety of third-party tools, where each one provides verification of a different control,” said Freedman. “We also look at the intersection of regulation and information security. Regulations that come from different perspectives, such as cybersecurity, data protection, and privacy, have overlap between them. We have developed technology that gives each vendor its appropriate profile, and then we align the assessment to the relevant areas and identify the relevant gaps. We have developed a system that facilitates working with 1,000 vendors, while still approaching each vendor uniquely.

“A business that needs to move from examining a few dozen vendors to thousands faces a complex task. In order to succeed, we developed a wide variety of automated controls and benchmarks. The system also includes a technique for informed decision-making that creates vendor profiles automatically. The advantage of this is that when an organization connects to the system, it is immediately set up as one of the predefined profiles. For vendors that work with a number of different organizations, this is a significant improvement. The vendor goes through the assessment once via the IDRRA platform and can leverage those results for a number of different organizations.

“The use of AI facilitates efficiency in the analysis of evidence provided to verify controls. Instead of a consultant sitting with Excel spreadsheets and verifying evidence over a period of five hours, the system analyzes the files in a fraction of a second. Instead of a consultant noting that there is a security camera, the vendor can upload a picture to the system. These are just a few examples of the ways in which IDRRA saves time and money for both the organization and the vendor.”

Tower of Babylon

Another point to consider from the vendor’s perspective is that the languages used by the different organizations it works with vary. Two banks will each approach controls and benchmarks differently and will require the vendor to go through separate assessments, even though the only difference between them is organizational language. “Today, the vendor is forced to go through the VRM process twice, once for each of the two banks in this example. Our system knows how to take one organization’s language and quickly convert and synchronize it to the system’s standard language,” said Freedman. “We call this ‘bring your own compliance.’”

When a vendor joins the platform, it automatically receives the correct profile, controls, and benchmarks. This does not require any installation on the customer side. Even so, IDRRA is already planning future development that would allow internal threat monitoring on the customer side, which would require some installation there. “We also want to automate decision making in the field. If there is a critical vendor with risk level X, and a less critical vendor with risk level Y>X, which one should be handled as a higher priority? The multidimensionality of the vendor risk problems requires automated decision-making,” said Freedman.
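The two mechanisms Freedman describes above, translating each organization’s control “language” into one canonical control set so a vendor answers once, and ranking vendors by criticality and risk level together rather than by risk alone, can be sketched in a few dozen lines. The following Python is an added example written for this page; it is not IDRRA’s or BDO’s own code, and the control identifiers, questionnaire items, weights, and vendor data are all constructed for illustration.

```python
from dataclasses import dataclass

# Canonical control catalogue: the platform's "standard language".
# Identifiers are hypothetical, constructed for this example.
CANONICAL = {
    "AC-MFA": "Multi-factor authentication for remote and privileged access",
    "CR-AT-REST": "Encryption of customer data at rest",
    "IR-PLAN": "Documented and tested incident response plan",
    "PHY-CCTV": "Physical access monitoring of facilities",
}

# Each organization's own questionnaire, expressed as a crosswalk from its item
# identifiers to the canonical controls that item covers. One organization
# question may bundle several canonical controls; another may not ask at all.
# (Constructed sample crosswalks, not any real bank's questionnaire.)
BANK_A = {
    "A-7.1": ["AC-MFA"],
    "A-9.3": ["CR-AT-REST"],
    "A-12.2": ["IR-PLAN", "PHY-CCTV"],   # one question covering two controls
}
BANK_B = {
    "SEC-01": ["AC-MFA"],
    "SEC-04": ["IR-PLAN"],               # Bank B never asks about CCTV or encryption
}

# The vendor's evidence, recorded once against the canonical set.
# A control the vendor has not answered is treated as failing (conservative).
SAMPLE_VENDOR_ANSWERS = {
    "AC-MFA": True,
    "CR-AT-REST": True,
    "IR-PLAN": True,
    "PHY-CCTV": False,
}


def translate(org_items, vendor_answers):
    """Project canonical answers back into an organization's questionnaire.

    An organization item passes only if every canonical control it maps to
    passes; a bundled question therefore fails if any of its parts fail."""
    return {
        item: all(vendor_answers.get(ctrl, False) for ctrl in controls)
        for item, controls in org_items.items()
    }


def gaps(org_items, vendor_answers):
    """Sorted list of the organization's item ids the vendor does not satisfy."""
    return sorted(item for item, ok in translate(org_items, vendor_answers).items() if not ok)


# Prioritization: criticality of the relationship weighted against assessed risk.
# Weights are an assumption for the example; a real program would calibrate them.
CRITICALITY_WEIGHT = {"critical": 3.0, "important": 2.0, "standard": 1.0}


@dataclass(frozen=True)
class Vendor:
    name: str
    criticality: str   # "critical" | "important" | "standard"
    risk: int          # 1 (low) .. 5 (high), e.g. derived from open gaps or external scoring


def priority(criticality, risk):
    """Higher score = handle first. Criticality multiplies the raw risk level."""
    if not 1 <= risk <= 5:
        raise ValueError("risk level must be between 1 and 5")
    return CRITICALITY_WEIGHT[criticality] * risk


def rank(vendors):
    """Vendor names ordered by descending priority (stable for ties)."""
    return [v.name for v in sorted(vendors, key=lambda v: priority(v.criticality, v.risk), reverse=True)]


if __name__ == "__main__":
    # One assessment, two organizations' views of it.
    print("Bank A gaps:", gaps(BANK_A, SAMPLE_VENDOR_ANSWERS))   # ['A-12.2']
    print("Bank B gaps:", gaps(BANK_B, SAMPLE_VENDOR_ANSWERS))   # []
    # The critical vendor with risk 3 outranks the standard vendor with risk 4.
    print(rank([Vendor("Y", "standard", 4), Vendor("X", "critical", 3)]))  # ['X', 'Y']
```

Two design points are worth noting. First, a bundled question (A-12.2) fails for Bank A even though three of the vendor’s four controls pass, so the crosswalk preserves each organization’s own pass/fail semantics rather than averaging them away; the same vendor has no gaps for Bank B simply because Bank B never asks. Second, the missing answer case is treated as a failure, which is the safe default when evidence has not been uploaded.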

IDRRA’s largest customer uses the platform to manage about 3,500 vendors. In total, there are around 15,000 vendors using the system around the world. “We have developed an additional capability to map risks for second-degree vendors (i.e., a vendor of a vendor). At this time, there is no plan to map risk levels for vendor employees as another level of risk mapping. The primary reason for this is the lack of regulatory stability in that area at this time. When that happens, we will certainly move in that direction,” concluded Freedman.

[Screen capture from the IDRRA platform]


There is no doubt that the IDRRA platform gives BDO a competitive advantage in the cybersecurity consulting market at a time when that market is actively looking for VRM solutions. However, it’s safe to assume that competing accounting firms will also want to move in this direction, and in the future, vendors will need to register for a number of competing platforms if they want to work with their customers.

An additional challenge, currently unsolved but addressable through a platform like IDRRA, is VRM on a global scale, across different countries, languages, laws, and regulations. “Our vision as a global company is to supply a VRM solution as part of our managed cybersecurity solution at BDO,” concluded Hendrucker. “We are already working on connecting the platform to our SOC service as part of the process.”