How to Improve Vendor Management: Insights from Charlie Miller, Formerly of Merrill Lynch
Charlie Miller, former director of vendor governance at Merrill Lynch, offers his insight on improving vendor management.
Miller provides advisory consulting services in the areas of outsourcing, privacy, information security and business continuity. He brings more than 20 years of experience in financial services, focusing on governance, risk and control. While at Merrill Lynch, Miller held key positions in the design and implementation of major global initiatives, including privacy and incident response, information leakage and data protection.
TOM FIELD: Hi, this is Tom Field, Editorial Director with Information Security Media Group. We are talking today about vendor management, and with us is Charlie Miller, a long-time executive in financial services and security. Charlie, thanks for joining me today.
CHARLIE MILLER: Thanks, Tom. I look forward to it.
FIELD: Now you have had some great roles in companies such as Merrill Lynch and Deloitte. Why don't you bring us up to speed with what you are doing now and the types of projects you are focused on?
MILLER: Recently I have just formed my own company, Charles R. Miller Associates, and we focus on information security, privacy and outsourcing and the controls that underlie that whole space. We are doing a lot of work right now with the shared assessments program that has been formed by the financial services industry, BITS and the Santa Fe Group to look at third-party outsourcing relationships, making sure that you can look at the controls around those relationships in a fairly efficient and effective kind of framework and timeframe. That is what we are working on, Tom.
FIELD: Well, I'm not sure you could have found a busier subject area, could you?
MILLER: It's a pretty significant space right now given some of the changes that we have had with the HITECH Act and the ARRA in looking at other industry groups beyond just financial services. This has always been a focus in financial services obviously, but given some of the focus in healthcare and pharma with regard to this topic, it is a fairly hot area right now, and a lot of issues, especially in the breach and information protection and notification and protecting the brand area, are really important right now.
FIELD: Let's talk about vendor management from your experience. What are the biggest challenges for financial institutions?
MILLER: There are several. If you look historically at vendor management, it started primarily in an effort to reduce overall costs, looking at the cost infrastructure and the costs associated with various relationships and trying to get a consistent set of suppliers that would perform at an effective cost structure.
After that, the recognition moved into the information security space, and it was pretty quickly determined that all of the controls around the ISO standards needed to happen. It morphed into business continuity and supplier resiliency, which is kind of the focus right now, and what we are working on with the shared assessments program is bridging it into the entire privacy and information protection space, because that is an area that, because of the changes in the landscape and around the risk management profile, especially with regard to brand, everybody is pretty keen on making sure gets examined and is understood.
Lots of states have passed regulations and laws with regard to this topic, the 40-plus state requirements and notification in the event of a breach. It is a fairly complex landscape, and I think everybody is looking for some consistency around how you basically do this and how you ensure that your third parties are meeting the requirements as best as they can and that you have some comfort in that.
FIELD: Now what were you able to do in your experience to improve vendor management with your institutions?
MILLER: This is a cross-organizational effort so some of the challenges that you have, and some of the challenges that we had at Merrill Lynch back then, were just in identifying all of the various parties and the stakeholders that have a say in this. If you do that you will see that it is a fairly rich set of organizations that are involved in this, each having somewhat of a different touch point and different type of focus with regard to their vendor management relationships.
The key pieces are to make sure that you really understand what your specific requirements are from both a policy perspective, an internal policy perspective and also perhaps from a regulatory perspective. Typically it has to focus on the initial set up of the arrangements in terms of what you need to do to guarantee that the vendor is going to be around for some period of time; have a contractual relationship with that third party and then make sure that it is not just the one type of an event because you have an ongoing kind of relationship that continues to look at not just financial performance but the controls involved, and also key areas like service level performance. That is a very big area that has to be continually examined.
In many cases a lot of folks don't understand what the requirements are in this space so I think that it is really important that you educate each of the constituents as to what their responsibilities are and how they should be engaged and when and what types of activities they need to be engaged with.
FIELD: Clearly this is a topic that the examiners and the regulators have been talking about for a long time. What areas of vendor management still need the most work in your estimation?
MILLER: There is a continued need for some of the basic things around security vulnerabilities, internal to your own organization as well as externally at the third parties. We have seen lots of situations where everybody has reports done and identifies the seven or eight kinds of key vulnerabilities and these consistently get reported. Some of it is just fundamental things that need to get addressed and it is difficult in some of the cultures to basically get those addressed within your change management programs. That is something that I think is key.
I think the areas that we continue to look at are the privacy and the information protection space. The area that is really getting a lot of play and visibility both at the government level and in terms of the financial services institutions is the entire supply chain and what we need to be doing with regard to our software acquisitions and how we can ensure that suppliers of software are providing us with defect and bug-free software code that we are using within our own environments.
Those are some of the key challenges. One of the areas that is going to present challenges from a security perspective is the area around social networks. As the new workforce and generation enters the workforce, that is an area where there is a certain level of expectation that they will have access to and since it is still evolving it is an area from a security and risk perspective that we have to be very conscious of and look pretty closely at going forward.
FIELD: That's a really good point. You have the advantage to sort of be outside the day-to-day role and you can help other organizations. What advice do you give them when you are trying to help them get a better handle on vendor management? In other words, where do you start?
MILLER: You have to understand the requirements, know the stakeholders, start your program small and don't try and go after everybody at the same time. It is really key to establish a risk program that looks at your third-party relationships and in a very simple kind of way looks at those relationships from a risk perspective and appropriately deals with the types of control areas that you want to examine based on that risk.
That is the key area that you need to start at, and make sure that you understand what that vendor is providing to you, as well as the risk associated with the work that they are doing for you. It could be fairly broad because you may have one or two vendors that are key in providing you with different types of work across many business groups. They may have different locations that they are performing work from, so you have to understand what your risk profile looks like and where and how you want to attack those situations.
FIELD: Charlie, at the outset of our discussion you talked about the BITS Shared Assessment Program, and I would love to get your thoughts on the program and specifically how it works. Does it work for institutions of all sizes?
MILLER: This was started a couple of years ago and it has evolved over some period of time, initially starting with the financial services institutions and evolving fairly well across a larger set of institutions within financial services. We see that a lot of the companies, especially large third-party vendors, have adopted this and are able to achieve some fairly significant results by using the shared assessments program when they are asked by their clients to have them come onsite and do a control review or to get information that is typically done from a proprietary perspective.
We see that many of our larger institutions are able to push back and get a 95% acceptance hit ratio when they push back with the shared assessments program. That is the larger space. One of the things that we recognized last year was that it is a program that historically was driven at the larger complex installations. Last year we began to look at a broader set of institutions that are of less complexity and that is the area that we continue to try and make strides in terms of getting this adjusted so that more institutions can use it across a broader set of industry sectors and leverage that in their programs to be able to get an efficient program in place rather quickly that they can use again and again.
We still have challenges now on the adoption, especially in large institutions where their processes have historically grown up and they have integrated home grown solutions into those vendor management solutions. It is continuing to be challenging but we know that there are issues and we know that we are working pretty diligently around how do we get this right-sized for a larger set of companies and get a better adoption rate in some of those smaller institutions where we have equal risk. The risk is not diminished; it is just that the controls may not be looked at as diligently because of the amount of resources that you have to go after them. We realize that and we have to continue to work at that.
FIELD: What is it going to take to gain traction with the smaller institutions? Is it merely a matter of outreach?
MILLER: We have a fairly good hit ratio on our Web site, www.sharedassessments.org, and all of this material that we have developed through the shared assessments program is free. So you can go to that Web site, download that information for free and take a look at what we have done as part of the membership of the shared assessments program and how we are building that out. It is more about getting the word out to a broader set of institutions in terms of how they can leverage this. We had 7,500 or 8,000 hits on our Web site last year, so I think a lot of people are looking at it and are interested in this space.
It's not only about how we get the word out and make sure that people know it, but also about the right kind of usability guides and how you get the program up, established and running. We are working pretty closely with our membership group to come up with some user guides to get the program more documented so that a broader set of smaller institutions can look at it.
FIELD: Charlie, step beyond vendor management for a minute. What do you see as some of the top information security risks for financial institutions right now?
MILLER: There is continued focus on data loss and data breaches, so that is a problem. Even though a lot of work has been done, that continues to be one of the key areas that we have to address. Information protection focused around identity theft is key, and has a direct impact on the consumers, which is probably where you want to make sure you are protecting. It does significant damage to your brand.
The other piece that is interesting is supply chain and making sure that we don't introduce too many bugs into the code that we are buying from our suppliers. That is an area that we really have to continue to focus on as well.
FIELD: Charlie, last question for you and it is career related. You know you have had the fortune of being able to move beyond Merrill Lynch and Deloitte, and you have established your own firm now. For security leaders that are starting to look around and wonder what is next in their careers, what advice do you give them? What did you do when you started to look around and think what is next?
MILLER: It is really a good opportunity for you to take a step or two back and look at the landscape out there. You can basically understand that the challenges affecting most institutions are pretty significant. If you are an established individual in an organization that you have gotten a lot of traction around and are looking for a change, it can be leveraged across a much broader set of companies.
Look for opportunities that match what it is you want to do because you do have an opportunity to wait and see how well it fits, so to speak, your particular requirements. Don't rush into something. Take a breath and look at what is going on within the industry; there are opportunities that will present themselves for sure.
Make sure that when you do look and select that the culture of the organization you are working with aligns with your own so that you are not going in with a mismatch in terms of what the expectations are and what the realities are given that company's situation. Guarantee that you have some level of support as you move forward. These are not insignificant issues that you are addressing and they strive. They head at all areas of the companies so I think it is important to have a set of support mechanisms in place and identified up front when you are going into that situation.
Challenges are significant. Opportunities will present themselves. Make sure that you have the right support when you get there.
FIELD: That is a good point about the culture. That is one of the things I think gets overlooked all too often.
MILLER: That is where people probably find themselves getting into a situation and then ultimately saying this isn't right for me.
FIELD: Charlie, I appreciate your time and your insight today.
MILLER: Tom, thanks a lot, and I appreciate your reaching out.
FIELD: We have been talking with Charlie Miller. The topic has been vendor management. For Information Security Media Group, I'm Tom Field. Thank you very much.