Third-party security vetting: Do it before you sign a contract
If you’re talking about stopping security risks from an outside vendor already on board, Jerry Archer says, “You’ve already failed.” Chief security officer for Fannie Mae, Archer contends that risk mitigation should begin before your company closes the deal. That’s why his team has a go or no-go vote for any vendor Fannie Mae brings on. That’s not restricted to vendors IT typically oversees, like authentication tech or API gateway services. Not a single tool is onboarded by any department without security’s approval.
With more than 200 vendors total, that task isn’t easy. Archer says companies approach HR or another department, showing them “the shiny new gadget. They need it. They must have it.” The team that will use the software isn’t thinking about security, just functionality. Archer says they tell IT, “‘We can’t succeed without it.’ We all know that in our hearts that’s not necessarily true, but the fact is, people get emotionally tied to stuff and politically tied to it.”