When it comes to third-party vendor management, privacy and security teams do better when they work together. But in many companies, they work independently, leading to inefficiency, duplication of work, and poor implementation.
Dana Simberkoff and Ron De Jesus know this by heart. Simberkoff is AvePoint’s chief risk, privacy, and security officer, and De Jesus is Grindr’s CPO. In this piece, the two industry veterans offer up some advice on how to leverage each other’s similar goals to enable more seamless cross-functional collaboration – particularly when it’s time to review third-party vendors. And there are so many to review, you know?
How can privacy and security become fam?
The more seamless the collaboration between privacy and security teams, the better things run. Period. Here’s how to start: Get familiar with the technical details of business operations.
For Simberkoff, that means observing how stakeholders do their jobs.
“We make it a particular point to spend a lot of time understanding the technologies used in different parts of our business, and making sure that I understand what marketing does, what sales does, and how HR works,” Simberkoff said. “In that way, I can see not just what they tell me they do, but what they actually do.”
That’s important because sometimes business functions aren’t aware of how their products collect personal information, though they may, in good faith, think they’re on top of it.
“They say, ‘Oh no, of course not,’” Simberkoff said. “But when you actually say ‘Show me how you do this,’ they'll be pulling in email addresses and this and that. They just don't make those connections.”
Part of your due diligence is understanding how other people do their jobs. Be curious. Ask questions that lead to an understanding of the metrics your allies are responsible for and what initiatives drive the marketing team.
De Jesus found inroads to the product by working with engineering leadership directly. At his last gig, he reported to the CSO. And that wasn’t an accident. Now at Grindr, he meets with engineers and product people daily.
“I spend almost all my time sitting down with engineers, who really speak engineering, and with product folks; understanding how the software development lifecycle works and what these requirements mean from an engineering perspective. I don't think we can avoid technology now, as privacy compliance professionals,” De Jesus said. “It really is part of our job.”
How do I extend my family tree’s branches across the company?
Gaining privacy champions is all about getting security and other technical stakeholders invested at the right point.
“Something that's been really helpful for us is that when we have a major application that we're bringing in, we try to make sure that we have both a business owner and a technical owner,” she said. “They're both the sponsors and help drive the pre-procurement phase; piloting, testing, and all of those decisions.”
The sponsor maintains ownership of that particular vendor’s oversight throughout its contract with AvePoint.
Are state and global privacy laws homing in on third-party vendors?
The answer is yes.
“Absolutely,” Simberkoff said. “When the GDPR came in with the whole idea of controllers and processors, the concept of companies being responsible for the bad acts of their vendors really came into focus for us in privacy in a way that hadn't been the case before.”
While many of the big companies already had vendor risk assessment programs in place, GDPR copycats in the U.S. have included provisions requiring privacy and security reviews before purchasing from a vendor and as part of ongoing regular reviews.
Not only do new laws and policies mandate vigilance on third-party vendors; a recent Biden administration executive order also requires federal agencies to provide a “software bill of materials,” a list of the ingredients that make up a software package.
What are some of the pitfalls re: third-party vendor reviews?
Here’s the inescapable truth: There’s an inherent risk when we share data. There’s just no avoiding it. So yes, vendor relationships carry potential risks.
Organizational responses to vendor questions vary. Some of the bigger players are known to be less willing to negotiate with SMEs.
“When you're engaging with the bigger players, like the Googles and Facebooks and the Fortune 1000, it's very difficult to negotiate,” said De Jesus. “You're likely going to have to sign their contract, so you're taking on the risk of being responsible for complying with those terms.”
What are the smart things to do?
Consistency is crucial to vendor management, and using automation tools makes it a lot easier, Simberkoff and De Jesus said.
“I think automation can help address a lot of low-lying fruit,” said Simberkoff. “Even if it's a spreadsheet, I think the key is creating a repeatable process that you can use to create consistent, actionable results over time.”
Simberkoff also recommends setting goals with your partners.
“One of the things that we can do to help our vendors improve is to guide them and advise them,” she said. “Say, ‘Hey, you know, you haven't gone through this kind of certification yet. This is something that would really help mature your program. We'd like to take you on board, but this is what we'd like to see in six months.’”
By keeping an ongoing dialogue, you can help vendors improve over time, improving compliance for both parties.
How can privacy and security leverage shared goals?
An automated, searchable vendor database streamlines vendor management, enabling everyone to get on the same page. Simberkoff and De Jesus noted that sometimes, teams onboard vendors that are already working with a different part of the business because there hasn’t been central notification.
“This has happened a lot in organizations that I've been in,” said De Jesus. “I think the left hand should definitely know what the right hand is doing, and that's done through a vendor system that is easily searchable.”
In addition to streamlining vendor management, this approach can also reduce vendor costs.
“You can get better discounts, and you'll have better ability to leverage the relationship if a number of teams within the organization want to use a product or a suite of services. So it’s really critical to be able to search which vendors are already engaged,” De Jesus said. “Accounting can also help with that through contracts.”
Watch the full webinar for more insights on effective collaboration on third-party vendor reviews.