The Importance of Digital Vendor Management
As the digital landscape grows and changes, businesses rely on an increasingly sprawling network of third, fourth, and fifth parties to render final, consumer-facing content. Chris Olson, CEO at The Media Trust, explains why a sound digital vendor management strategy is so crucial not only for compliance purposes, but also for brand health.
The digital age breeds constant change – none more powerful than the availability of data and, more specifically, the ease of collecting and using personal data. For industry, this data has the power to both accelerate new opportunities for growth and act as an anchor to drag down momentum. In an era where businesses prize data and guard against its misappropriation, it’s troubling that this discernment doesn’t carry over to the digital environment, where countless third parties and partners on enterprise websites and mobile apps have access to personal user data, often without a company’s knowledge.
Impending regulations and the changing political landscape require a more cautious approach to the collection, use and sharing of personal data. Threats of not only hefty fines, but also long-term reputational damage induce enterprises to take a closer look at their own websites and mobile apps to understand exactly which partners execute code and which capture personal data. This basic knowledge, a standard element of a vendor risk management program, could very well be the key to mitigating future troubles if adapted for a digital-first economy.
The Legal Landscape
Thanks to more than 1,500 data breaches in 2017 alone that exposed more than 9 billion personal records and ongoing high-profile consumer data misuse, data privacy issues dominate today’s news headlines. Not just a flash in the pan, data privacy issues present critical, long-term challenges that affect both U.S. citizens and the U.S. economy.
The U.S. government has taken notice. Federal and state governments are instituting new data privacy laws that will include significant penalties against companies. California was the first state to enact a security breach notification law.[1] Following suit, the Illinois state legislature also passed a groundbreaking data privacy bill requiring internet companies and entities to clearly communicate to consumers about the collection of geolocation data, purpose of the data and with whom it is shared (e.g., business partners). Massachusetts state law mandates the technical, physical and administrative security protocols required to protect personal information, as well as a full-scale security program. Thus far, 48 states in all have enacted privacy laws requiring notification of security breaches involving personal information.[2] Echoing global initiatives, especially the EU’s GDPR, the trend to more closely govern personal data will continue.
The Digital Malaise
Despite new legislation and rising public sentiment, companies are not doing enough to secure data privacy, according to PwC’s 2018 Global State of Information Security Survey (GSISS).[3] The report reveals that only 51 percent of respondents have an accurate inventory of what employee and customer personal data is collected, transmitted and stored, and only 53 percent require employees to complete training on privacy policy and practices. Clearly, enterprises are not aligning with government directives.
While efforts are being made to identify personal data sources across the enterprise, very few address the digital environment – specifically their own websites and mobile apps designed for public consumption. Many companies look to their IT departments to ensure that their website is operational, but many departments such as marketing, product, legal and more contribute to this digital environment. As a result, no one individual or department directly manages the entire corporate digital footprint. Making matters worse, the internet’s highly complex and dynamic environment means a host of third parties operating outside the IT infrastructure are relied upon to render final, consumer-facing content such as product research, price comparisons, recommended content, product reviews, social media feeds and more.
This is a serious problem in today’s changing regulatory environment. Third-party code accounts for between 50 and 78 percent of a typical website’s code base. While companies test their own code, they can neither see nor test code from third parties that have unfettered access to the personal data of their digital consumers. Premier analyst firm Gartner projects these kinds of “shadow IT” sources to be the root cause of 33 percent of security problems by 2020. The lack of general digital oversight combined with third-party code poses significant security and legal risks for corporations.
Securing the Digital Environment
In this ever-changing digital morass, it is not enough for corporations to leave their digital risk to chance. Collaboration at all corporate levels — from the boardroom and security/IT to marketing, risk and compliance departments — is necessary to effectively govern digital assets. To avoid regulatory scrutiny, enterprises need to oversee this new frontier and update vendor risk management strategies to include the digital environment.
This digital vendor risk management plan should outline rules, technologies, procedures and best practices for all parties executing in websites and mobile apps, with particular attention paid to those third, fourth and fifth parties. Organizations need to discover and identify all active digital vendors and communicate their digital asset management policy to them, a process that informs partners of expectations and sets parameters for measuring compliance with relevant policy directives. With continuous monitoring, companies can proactively detect unauthorized digital activities, block code and remediate any damages with the offending vendor. In addition, a documented and operationalized process creates an audit trail.
A sound digital vendor management strategy is key to protecting personal data traversing the digital ecosystem unchecked. These steps can protect corporations from regulatory scrutiny while enhancing brand reputation and customer satisfaction. You have the power to protect personal data; wield it.
[1] https://content.next.westlaw.com/6-502-0467?transitionType=Default&firstPage=true&bhcp=1&contextData=(sc.Default)
[2] https://www.cyberadviserblog.com/2018/03/oregon-new-york-alabama-rhode-island-join-list-states-considering-data-breach-legislation-post-equifax/
[3] https://www.pwc.com/us/en/cybersecurity/information-security-survey.html