Third-Party Service Provider Diligence: Why are we doing it all wrong? presented at BsidesLasVegas 2014

by Patrice Coles,

Summary : The demands of Third Party Service Provider vendor due diligence and compliance management are growing rapidly in light of increased emphasis on these programs by regulators as well as outsourcing to reduce operational costs. Historically vendor diligence programs have not adequately and consistently addressed proactive identification of potential risks, ongoing competence of third party service provider, and production of a vendor management program that truly aligns with business strategies, identifies the risks commensurate with the complexity of the business environment, and produces a clear measure of the effectiveness of the provider.
In addition, service providers suffer under the burden of the sheer number of diligence questionnaires, lack of consistency in them, inconsistent workload, and resource conflicts with compliance and sales efforts. Diligence response is potentially labor intensive with the possibility of providing no return on the investment.
Aimed at third party service providers and businesses with vendor diligence programs, this presentation looks at case studies from real service providers and their customers to exemplify the ways that traditional vendor management fails to meet the objectives of today’s business and the regulatory environment. It then proposes a means to rectify these failures and evolve vendor due diligence programs to the next step. Participants will learn how to establish the goals of the vendor diligence program, understand the scope of the product and its potential impact on their environment, define a central body of knowledge, address only what is important, and iteratively evolve their diligence process to provide a more valuable product in less time.