Third parties, also known as service providers, vendors, or suppliers, are playing an increasing role in most organizations today. They have become key partners. However, since they are outside of your direct control, you need insight and visibility into the steps they are taking to protect your data.
This is where having an established Third-Party Risk Management (TPRM) process is critical. TPRM is a form of risk management that focuses on identifying and reducing risks relating to the use of third parties.
A process alone does not deliver effective risk management; you also need a dedicated team to do the actual work.
This article will help you get ready to staff that team by covering factors to consider when working through the hiring process, including:
- Qualifications for members of the team
- Helpful industry certifications
- Interview questions
Staff Qualifications for a Third-Party Risk Group
Once the third-party risk management framework is in place, it is time to start recruiting for your TPRM team. At this point, you need to define the qualifications and level of experience you are looking for.
Keep in mind that, to be successful, individuals will need a broad array of skills.
Hard Skills vs. Soft Skills
Hard skills:
- Knowledge of specific technical security controls
- Ability to identify gaps between a vendor’s cybersecurity program and internal company governance requirements
- Familiarity with industry-standard questionnaires such as the Shared Assessments SIG (Standardized Information Gathering), the Cloud Security Alliance CAIQ (Consensus Assessments Initiative Questionnaire), and the VSA (Vendor Security Alliance) questionnaire
- Ability to triage and prioritize risk based on impact and likelihood
- Ability to review vulnerability scan results
- Ability to review and interpret penetration test results
- Ability to read a SOC 2 report and understand its scope, the reporting period (a Type I covers a point in time, a Type II covers operating effectiveness over a period), the auditor’s opinion, and any exceptions noted
Soft skills:
- Strong writing and editing skills, including the ability to write concise assessment reports and risk summaries
- Strong project management and time management skills
- Effective verbal communication of risk to internal business stakeholders
- Negotiation skills to reach agreement with third parties on risk remediation timelines
Communication Is Key
The communication aspect is especially important: it ensures broad understanding of the issues and effective follow-up on remediation. See 3 Ways to Improve Your Communication Skills for practical suggestions.
You need individuals who can effectively perform vendor assessments and determine the key risks associated with each vendor engagement. They will need to work closely with internal stakeholders and external vendors to develop recommended remediation plans and track resolution status.
In the end, a balance of these hard and soft skills positions a candidate for success and often yields the best results.
Key Industry Certifications
There are a number of industry-standard certifications to be aware of when reviewing candidates. The first two below provide targeted validation of the skills needed for third-party vendor assessments; the others demonstrate broad competence in information security or audit/compliance.
- Certified Third-Party Risk Professional (CTPRP), from Shared Assessments
- Certified Third-Party Risk Assessor (CTPRA), from Shared Assessments
- Certified Information Systems Security Professional (CISSP), from ISC2
- Certified in Risk and Information Systems Control® (CRISC®), from ISACA
- Certified Regulatory Compliance Manager (CRCM), from the American Bankers Association
- Certified Enterprise Risk Professional (CERP), from the American Bankers Association
Details on these specific certifications can be found in the 6 Key Certifications For Your Third Party Risk Management Team article.
Candidates who have earned one or more of these certifications have demonstrated both a level of knowledge and follow-through. These factors can help differentiate candidates and can be a deciding factor in hiring decisions, though a certification complements, rather than replaces, hands-on assessment experience.
Evaluate Your Candidates
When evaluating candidates, ask a broad array of questions. By asking the same set of each candidate, you get a more effective comparison of skill sets.
Also consider questions that touch on both the hard skills needed for the job and the soft skills essential to building and maintaining relationships.
To help you with the process, here are some interview questions to consider when evaluating TPRM candidates:
- What is your experience with questionnaires such as SIG, CAIQ, and VSA?
- Describe the onboarding process for a new vendor.
- What are the key artifacts you would review as part of an assessment?
- Explain the importance of taking a risk-based approach to third-party assessments.
- Give some examples of gaps in vendor security controls that you found during prior assessments.
- Discuss some negotiation strategies to consider when a vendor initially refuses to remediate a risk.
- What security-related provisions do you recommend including in a typical vendor contract?
- How frequently should vendors be assessed, and why?
- What methods can be used to track a vendor’s security posture between formal assessments?
- Describe how you resolved a situation where an internal business stakeholder wanted to close out an assessment and move forward with the engagement even though significant unmitigated risks remained.
Companies are increasingly concerned about third-party risk and are taking the necessary steps to address it, including establishing a TPRM group. A TPRM group’s responsibilities range from identifying third-party risk and monitoring for regulatory risk to verifying that third parties conform to policies and procedures.
Experienced staff are essential to meeting these goals. A balance of risk management skills and experience levels helps create a cohesive and effective team.
Christine has 15+ years in the technology industry developing software and leading teams, along with extensive experience as a hiring manager. She found that she really enjoyed the process of building teams and interacting with candidates and business customers, so she decided to make hiring her focus and started Vector Recruiting.