Last Updated on January 19, 2024
A disturbing fact that often comes to light in conversations with clients and prospects is that IT and information security teams don’t know which vendors their company is sharing sensitive data with. Sure, they can name their most mission-critical vendors, like their payroll provider. But many others, especially newly onboarded SaaS providers supporting everything from file storage to marketing automation to recruiting, are flying under the radar in the realm of “shadow IT.” Others may be hiding behind legacy contracts signed before vendor risk management became the important consideration it is today.
These days anyone can download an app or plug-in, create an account, pick a low-cost payment plan and put data into the cloud without anybody in IT being aware of it. Most studies by Gartner and others estimate the size of shadow IT to be about 30-50% of IT spending—and that percentage is unquestionably growing as cloud services comprise an ever-greater share of IT expenditures. Projections indicate that as much as 90% of IT spending will shortly be taking place outside the IT organization. In terms of the number of “shadow vendors” involved, Cisco reports that it could be over ten times the number that IT has authorized.
The more vendors your business shares data with, the greater the information security risk—and the greater your need for a consistent and effective vendor risk management process.
Contrary to popular opinion, Vendor Risk Management (VRM) and Third Party Risk Management (TPRM) programs do not need to be time and cost burdens.
A vital first step in analyzing and mitigating that risk is to know what vendors your employees are using and what data those vendors are accessing.
Look, we are not in the business of creating fear.
Is it true you most likely have significant risk exposure associated with shadow IT and therefore your vendors?
Yes.
Is it true that establishing a VRM or TPRM program is not in the top 5 priorities for your business?
Probably, yes.
The reality is you need to decide if this risk is worth action or inaction. The challenge is knowing what your risk is.
If you’re unsure about where to start or how to move forward, contact Pivot Point Security. We specialize in helping SMBs implement effective, compliant and cost-efficient vendor risk management and third-party risk management programs.