Managing Vendor Risks With Privacy and Information Security Team Collaboration

Many organizations handle large amounts of data which must be carefully protected, used, and controlled in accordance with various privacy laws and regulations. Maintaining and monitoring compliance can be an ongoing challenge for information security and privacy teams, especially when the data is handled by third-party vendors.  

The key to addressing those challenges is through the broader practice of vendor risk management. Information security and privacy teams play a key role in this practice, so it’s essential to encourage collaboration that will keep your organization compliant and protected from vendor risk.  

3 Vendor Risk Management Benefits of Privacy and Information Security Collaboration 

Privacy and information security professionals share similar goals, but they serve different functions. While privacy teams are concerned about why data is collected and how it’s being used, information security teams are concerned about how to secure that data from internal and external threats. However, when these two teams work together in vendor risk management activities, vendor risks are better managed.  

Here's how organizations benefit from privacy and information security collaboration:  

• Incident response—If your vendor suffers a breach or privacy incident, your organization must be prepared to respond to impacted customers. Privacy and information security teams that work together will have a better understanding of where the data exists in your vendor ecosystem and what security controls vendors have in place to protect it. As a result, this can create more efficiencies throughout your incident response process and minimize the impact.   

• Ongoing monitoring—Vendors must be monitored on an ongoing basis, not only to identify performance issues, but also any changes to how they’re handling your data. With new laws and regulations in privacy and information security, such as the new U.S. state privacy laws, CPFB requirements, and more, it’s essential to stay proactive and continuously monitor your vendors. Privacy and information security teams can collaborate to ensure vendors remain compliant and have effective controls in place for any new or evolving data privacy and security risks. These controls might include current privacy and information security policies, evidence of employee training, data security hygiene schedules, and formal processes for issue management. Ultimately, your organization is better protected from ongoing vendor risks when privacy and information security teams work together.  

• Due diligence—Privacy and information security teams can both provide valuable insight into the vendor due diligence process. For example, maybe your organization is vetting a new cloud service provider. This would generally require a review of certain due diligence documents that address compliance and cybersecurity risks, like the vendor’s privacy policy and an incident response plan. The due diligence process allows the privacy team to understand why the vendor needs to collect and store your customers’ data and gives the information security team an understanding of the sufficiency of the vendor’s security controls. All this information can create a more comprehensive vendor risk profile, which ultimately supports the vendor selection process.  

How to Improve Collaboration Between Privacy and Information Security Teams 

Some organizations may find it difficult to foster collaboration between privacy and information security teams, especially when they’ve traditionally operated independently. Here are some tips that can improve collaboration and create a stronger, more effective partnership: 

• Identify a senior leader—It may help to begin by identifying a senior leader within your organization, such as an operations manager or COO, who can supervise and mentor the partnership between the two teams. The senior leader can offer support to these teams by delivering additional resources or identifying areas of improvement. Choosing an unbiased leader can help facilitate better discussions and ensure that both teams collaborate on the same vendor risk management goals.  

• Clarify roles and responsibilities—It’s important to eliminate the potential for any confusion or disputes between teams, which can slow down processes and create errors. Privacy and information security teams should clearly understand their roles and responsibilities throughout each vendor risk management process so they can perform their duties effectively. For example, a typical privacy role might be a privacy compliance manager, who’s responsible for ensuring that the organization is complying with laws and regulations. A role on the information security team might include a security administrator who tests the organization’s network to identify and patch vulnerabilities. 

• Encourage feedback and communication—Both teams should be encouraged to educate each other on their respective risk domains, such as new privacy regulations or an emerging cyber threat that needs to be monitored. Privacy and information security professionals are likely to be more receptive to requests when they understand the “why” of a certain process. A common challenge you may see is different priorities. Data mapping might be a top priority for the privacy team, while the information security team is focused on managing threats and vulnerabilities. Regular meetings and discussions can help both teams better understand each other’s priorities and challenges, which can eliminate misconceptions and identify improved methods of collaboration. It’s also important to encourage feedback from both teams on how to create a better partnership. 

Privacy and information security teams are both essential to vendor risk management and even more effective when they work together for a common purpose. Vendor risks are always changing with new privacy regulations and new cyber threats, but a strong partnership between privacy and information security teams can help organizations stay vigilant and prepared. 

Bridge the Gap Between Privacy and Information Security With Venmonitor

Take a tour of Venmonitor™ to see how Osano has partnered with Venminder to bring you centralized risk intelligence on your vendors.