The vulnerabilities perforating the global supply chain have remained dormant for many years. But the violent disruptions of the pandemic finally pushed these risks to the surface, revealing the detrimental impacts of their exploitation to the world.
As devastating as the deluge of cyberattacks at the height of the pandemic was (and continues to be), it subjected vendor risk management programs to a much-needed stress test, revealing the inadequacy of conventional strategies and the urgent need for reform.
A fundamental risk mitigation function that VRM programs must implement in the current threat ecosystem is the ability to identify and segregate the vendors whose security risks make them the most likely conduit for a supply chain attack.
To learn how to implement a vendor segmentation strategy to bolster your supply chain security and mitigate supply chain disruptions, read on.
What is Vendor Segmentation?
Vendor segmentation is the practice of filtering a view of vendors based on different operational requirements. In the context of cybersecurity, vendor segmentation allows professionals to rapidly focus on the regions of their third-party network requiring security attention.
When applied to Supply Chain Risk Management (SCRM), vendor segmentation allows cybersecurity professionals to identify vendors with the highest likelihood of facilitating supply chain attacks and prioritize their risk management.
Without vendor segmentation capabilities, a Vendor Risk Management (VRM) program is severely limited in its ability to detect and remediate security vulnerabilities in the supply chain.
A Model for Vendor Segmentation
One model for vendor segmentation adapts Peter Kraljic's purchasing portfolio matrix, keeping its profit-impact axis but replacing procurement risk with supply chain security risk.
When all third-party vendors are mapped in this security matrix, they are distributed across four quadrants of risk severity.
Security risks in the supply chain are discovered through a combination of risk assessments, attack surface monitoring, and data leak detection. To learn more about this critical stage of Vendor Risk Management, refer to the following resources:
- What is Vendor Risk Management?
- What is Cyber Risk Quantification (CRQ)?
- How to Calculate Risk Appetite.
- Difference Between Inherent and Residual Risks.
- How to Perform a Cybersecurity Risk Assessment.
Quadrant One represents vendors with a low impact on profit margins and a high potential for increasing supply chain security risk. Since vendors at this service level contribute the least to business objectives, they should ideally be removed entirely and not replaced, which keeps the attack surface compressed. Where the service is still needed, replace them with more secure and more valuable suppliers.
Quadrant Two (the top right quadrant of the supplier risk matrix) hosts vendors that are critical to the progression of core business initiatives but also increase supply chain vulnerabilities.
Vendors in this quadrant should be prioritized in the real-time monitoring and risk assessment components of vendor risk management.
Quadrant Three is the optimal quadrant. It comprises service providers that are critical for business continuity, offer the greatest competitive advantage, and introduce comparatively little security risk. An ideal supply chain security risk profile is one with the majority of vendors in this quadrant.
Quadrant Four hosts vendors that aren't integral to the profitability of a business but still offer some value. Good information security due diligence keeps the number of such relationships to a minimum to limit the attack vectors that arise from digital transformation.
To increase supply chain resilience against cyber threats, the total number of vendors should be kept at or below this vendor dependency threshold.
Compressing the attack surface in this way reduces the number of paths between cyber criminals and your sensitive data.
Because vendors in quadrants one and two are the most likely to be targeted in supply chain attacks, their risk profiles should be re-evaluated with risk assessments to confirm that all residual risks sit within your specified risk thresholds.
To learn more about calculating a third-party risk appetite, refer to this blog.
4 Methodologies for Vendor Segmentation
The vendor segmentation model outlined above sets the foundation for many different vendor segmentation practices. Four are discussed below.
This vendor segmentation model is best applied with a Vendor Risk Management platform capable of supporting its applications. The segmentation features in the UpGuard VRM platform will be referenced to illustrate how to apply this model to your third-party risk mitigation workflow.
1. Vendor Tiering
Vendor tiering is the practice of categorizing vendors based on increasing levels of criticality. Tier names are customizable, so this structure is adaptable to any cybersecurity grouping requirement.
At a high level, each tier could represent a quadrant in the supply chain security risks matrix.
Distributing vendors into quadrant tiers within your VRM platform allows the high-risk vendors (those in quadrants one and two, with quadrant two needing the closest attention) to be readily identified and monitored with greater intensity.
Vendor Tiering also supports regulatory compliance. Highly regulated organizations, such as those in the healthcare sector, could design a tiering strategy that segregates vendors with the highest potential of negatively impacting regulatory compliance, such as those with direct access to customer data or intellectual property.
A vendor tiering system could also aggregate vendors with similar compliance requirements to simplify risk assessment management.
2. Vendor Portfolios
Vendor Portfolios allow you to segment vendors based on overarching organizational categories. By creating a portfolio for each business department, vendors can be segmented by the departments they serve. For example, filtering the vendor network by the marketing department portfolio would surface all vendors that service that business area.
Filtering vendors by organizational department makes it easier to review the risk registers of each department.
3. Vendor Labels
Vendor Labels allow you to tag each vendor based on their primary characteristics. Labels can be used to tag vendors based on their stage in the onboarding process, or they could indicate whether or not a vendor is in use.
In the context of supply chain risk management, a vendor could be assigned a label based on their corresponding quadrant in the supply chain risk matrix.
When used in combination with the portfolio feature above, this would allow you to segment vendors in each quadrant under each department. For example, you could segment service providers for the finance department that also sit in quadrant three of the supply chain risk matrix.
This segmentation sequence makes it easier to assess the attack surface at a department level, a necessary ability when integrating TPRM into an existing framework.
4. Custom Vendor Attributes
Custom vendor attributes allow you to insert additional structured data into a vendor’s profile to improve filtering and segmentation. This feature supports a deeper level of filtering and segmentation compared to Labels and Portfolios.
For example, a custom field indicating a degree of supply chain security risk could be added to a vendor’s profile, either based on the four quadrants of the risk matrix or an internal criticality scale.
An example of a custom attribute based on an internal criticality scale is a text field indicating the type of resource a vendor can reach and the sensitivity of the data it can access. This segmentation design is especially useful for organizations expected to comply with NIST SP 800-53 and NIST SP 800-171, as it allows filtering by the CUI categories each vendor can access.
Another custom field could indicate the vendor’s impact on business profitability.
Segmenting vendors based on profitability and degree of security risks creates data sets that are very valuable to Executive reports for key stakeholders.
Each field is searchable, allowing you to rapidly segment vendors by any field value. For example, when activating your Incident Response Plan, you could segment vendors by the level of network access they hold within your network segmentation architecture, so the vendors able to reach the affected segment are identified first.
By including a custom field indicating each vendor's internal owner, vendors can be segmented by owner, which simplifies assigning remediation work and tracking remediation metrics.
High-risk partnerships could carry a custom attribute with an expected lifecycle end date, allowing you to segment offboarding vendors and verify that their access is actually wound down by that date.
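The following is an added example, not code from this page or from the UpGuard platform. It shows the quadrant model described above and the four segmentation methods (one tier per quadrant, a portfolio per department, labels, and custom attributes such as owner and end date) applied to a small vendor inventory. The vendor names, the 1 to 10 scoring scale, the threshold of 5 that separates "high" from "low", the risk appetite of 5, and the review date are all constructed assumptions for illustration.

```python
"""Vendor segmentation over a constructed inventory: quadrant assignment,
combined portfolio/quadrant/label/attribute filtering, residual-risk checks
against a risk appetite, and offboarding tracking by end date.

Added example, not UpGuard code. All names, scores and dates are invented.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set

HIGH = 5  # assumption: scores above 5 on the constructed 1-10 scale count as "high"
REVIEW_DATE = date(2024, 3, 1)  # constructed "today" for the offboarding check


@dataclass
class Vendor:
    name: str
    profit_impact: int       # contribution to core business / profit (1-10)
    security_risk: int       # inherent supply chain security risk (1-10)
    residual_risk: int       # risk remaining after controls (1-10)
    portfolio: str           # business department served
    labels: Set[str] = field(default_factory=set)            # e.g. onboarding, in-use
    attributes: Dict[str, object] = field(default_factory=dict)  # custom attributes


def quadrant(v: Vendor) -> int:
    """Map a vendor onto the four quadrants of the supply chain security matrix.

    1: low profit impact, high security risk  -> remove or replace
    2: high profit impact, high security risk -> monitor and assess most closely
    3: high profit impact, low security risk  -> the optimal quadrant
    4: low profit impact, low security risk   -> keep these relationships minimal
    The quadrant number doubles as the vendor's tier.
    """
    high_risk = v.security_risk > HIGH
    high_value = v.profit_impact > HIGH
    if high_risk:
        return 2 if high_value else 1
    return 3 if high_value else 4


def segment(vendors: List[Vendor], portfolio: Optional[str] = None,
            quadrants: Optional[Set[int]] = None, label: Optional[str] = None,
            **attrs: object) -> List[Vendor]:
    """Filter by portfolio, quadrant membership, label and custom attribute values.

    Every criterion supplied must match (logical AND); omitted ones are ignored.
    """
    out = []
    for v in vendors:
        if portfolio is not None and v.portfolio != portfolio:
            continue
        if quadrants is not None and quadrant(v) not in quadrants:
            continue
        if label is not None and label not in v.labels:
            continue
        if any(v.attributes.get(k) != val for k, val in attrs.items()):
            continue
        out.append(v)
    return out


def over_appetite(vendors: List[Vendor], appetite: int) -> List[Vendor]:
    """Quadrant 1 and 2 vendors whose residual risk still exceeds the risk appetite."""
    return [v for v in vendors if quadrant(v) in (1, 2) and v.residual_risk > appetite]


def offboarding(vendors: List[Vendor], today: date) -> List[Vendor]:
    """Vendors whose custom end_date has passed: their access should be gone."""
    return [v for v in vendors
            if isinstance(v.attributes.get("end_date"), date)
            and v.attributes["end_date"] <= today]


def by_quadrant(vendors: List[Vendor]) -> Dict[int, List[str]]:
    """Distribution of vendors across quadrants, the headline executive-report figure."""
    dist: Dict[int, List[str]] = {q: [] for q in (1, 2, 3, 4)}
    for v in vendors:
        dist[quadrant(v)].append(v.name)
    return dist


def by_owner(vendors: List[Vendor]) -> Dict[str, List[str]]:
    """Group vendor names by the internal owner custom attribute."""
    groups: Dict[str, List[str]] = {}
    for v in vendors:
        groups.setdefault(str(v.attributes.get("owner", "unassigned")), []).append(v.name)
    return groups


# Constructed inventory (names, scores and attributes are invented).
VENDORS = [
    Vendor("Acme Analytics", 8, 7, 6, "Marketing", {"in-use"},
           {"owner": "j.doe", "data_access": "customer PII"}),
    Vendor("Ledger SaaS", 9, 3, 2, "Finance", {"in-use"},
           {"owner": "k.lee", "data_access": "financial records"}),
    Vendor("Swag Printers", 2, 6, 6, "Marketing", {"in-use"},
           {"owner": "j.doe", "data_access": "none"}),
    Vendor("Payroll Co", 7, 4, 3, "Finance", {"onboarding"},
           {"owner": "k.lee", "data_access": "employee PII"}),
    Vendor("Old Backup Host", 3, 8, 8, "IT", {"offboarding"},
           {"owner": "m.ng", "end_date": date(2024, 1, 31)}),
    Vendor("Desk Plants", 2, 1, 1, "Facilities", {"in-use"}, {"owner": "m.ng"}),
]

if __name__ == "__main__":
    print("by quadrant:", by_quadrant(VENDORS))
    print("Finance, quadrant 3:", [v.name for v in segment(VENDORS, portfolio="Finance", quadrants={3})])
    print("over appetite:", [v.name for v in over_appetite(VENDORS, appetite=5)])
    print("overdue offboarding:", [v.name for v in offboarding(VENDORS, REVIEW_DATE)])
    print("by owner:", by_owner(VENDORS))
```

Running the script prints the quadrant distribution, the finance-department vendors that sit in the optimal quadrant, the high-risk vendors whose residual risk still breaches the appetite (candidates for reassessment or removal), the vendor whose end date has passed but is still in the inventory, and the owner grouping used to hand out remediation work. Swapping the constructed inventory for an export from a VRM platform is the only change needed to apply it to real data.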
Vendor Segmentation by UpGuard
UpGuard offers various segmentation methodology options to help organizations optimize their Vendor Risk Management processes.
- Custom Vendor Attributes - UpGuard’s Custom Vendor Attributes feature supports deep-level filtering, helping you locate contract details, account owners, and any critical supply chain security data faster.
- Vendor Tiering - Easily locate and prioritize vendors with the highest potential of negatively impacting your security posture.
- Vendor Portfolios - Group vendors by the departments they serve to simplify access control management and risk register monitoring.
- Vendor Labels - Easily locate vendors based on their vital security characteristics to further accelerate critical risk remediation.