With vendor risk management, the devil is in the details. But the ability to actually navigate the third-party risk landscape comes from experience.

At the “Enforcing Third Party Vendor Compliance” session of ALM's cyberSecure conference, in-house professionals at the forefront of their organizations' vendor management programs offered insight into some of the most pressing concerns and opportunities they faced while ensuring their companies' cybersecurity.

Here are three main insights from the session:

1. The Target Takeaway: Is Total Protection Possible?

While managing vendor risk is a necessity, managing every instance of risk may be a bridge too far. For Noga Rosenthal, chief privacy officer at Epsilon, the infamous breach at Target—caused by an HVAC vendor—is proof that it's impossible to foresee and secure every third-party risk.

“What I struggled with was that the vendor that allowed the attackers in was the HVAC vendor,” she said. “How do we stop that? Would I have [classified] that HVAC vendor as a high-risk vendor that is touching my data?”

“The HVAC vendor, to us, is a very scary scenario,” added Catherine Castaldo, global chief privacy officer at Nuance Communications. Speaking from an organization that is itself a vendor and also hires vendors of its own, she noted that the onus is on companies, whatever their function, to ensure that their cybersecurity protections are sufficient.

But for Andy Roth, partner at Cooley, the problem is that companies looking to mitigate all their cybersecurity risk will always run into the “tension between security and ease of access use. I see this a lot with high-growth companies who need to have a distributed workforce.”

So while companies may want to limit vendor or employee access to critical systems, that may be infeasible from an operational standpoint. “It wasn't the point that it was an HVAC vendor, because HVAC vendors need some kind of access,” he said. “The point was the connectivity—it needs to be structured in a way that limits the risk.”

2. Relationships: The Living Vendor Assessments

While many companies seek to assess their vendor risk through the use of surveys, questionnaires, and even technology that can monitor vendor networks and access, they may be forgetting one of the most important tools in third-party management: relationships.

For Patrice Brusko, senior vice president and U.S. chief privacy officer at TD Bank, it's vital for in-house counsel to come in early “to contract negotiations with vendors, and get to know the people who you are dealing with and who your business is going to be dealing with.”

“The day-to-day management of that relationship is what will make all the difference, especially when something goes wrong,” she said.

Brusko stressed that without established relationships, one cannot elicit a good understanding of how the vendor operates, their culture, and their capabilities.

“With the relationship piece and going through the early stages of that contract management, you get the rapport and insight you need, the type that doesn't always come out in the risk assessments or security assessments or questionnaires,” she said.

What's more, building a good relationship with vendors also keeps lines of communication open should there be data security issues that need to be worked out, Brusko said, and ensures that each party knows the importance the other places on cybersecurity practices.

3. Startup Shock?

Depending on the industry and customer base it serves, an organization can often find itself relying on vendors that are small companies or startups. Rosenthal, for instance, noted that her company has a large number of “data vendors,” some of which are startups that provide it with marketing information.

But working with startups still causes Rosenthal a fair share of worry. “I'm still seeing those startups collect data in a way that we would never, because we just think it's not privacy sensitive,” she said.

Rosenthal explained that such concerns stem from the fact that many startups haven't focused on complying with widely-held standards. “I think the reason they are doing this is because they are just trying to make it to next week.” They are not thinking about data privacy or their reputation, she explained. “So with startups and smaller companies, I tend to be more careful.”

But Rosenthal also noted that vendor risk management programs may represent opportunities to change these startups' behavior and better educate them on the need for cybersecurity best practices.

“It's funny, just two weeks ago we sent out our questionnaire to a vendor, and we've been a little nervous that some of our vendors will push back. But one vendor actually came back to us and said, 'Can we use your questionnaire for [our third parties]?'”