Third-party security vetting: Do it before you sign a contract

If you’re talking about stopping security risks from an outside vendor that is already on board, Jerry Archer says, “You’ve already failed.” Archer, chief security officer for Fannie Mae, contends that risk mitigation should begin before your company closes the deal. That’s why his team has a go/no-go vote on any vendor Fannie Mae brings on. That’s not restricted to vendors IT typically oversees, such as authentication technology or API gateway services. Not a single tool is onboarded by any department without security’s approval.

With more than 200 vendors total, that task isn’t easy. Archer says companies approach HR or another department, showing them “the shiny new gadget. They need it. They must have it.” The team that will use the software isn’t thinking about security, just functionality. Archer says they tell IT, “‘We can’t succeed without it.’ We all know that in our hearts that’s not necessarily true, but the fact is, people get emotionally tied to stuff and politically tied to it.”

Read more about why Jerry Archer believes security needs to ensure that all vendors and partners, even those not controlled by IT, meet the organization’s security standards, and how organizations can introduce proper third-party security vetting, on CSO.
