Is your vendor management currently manual or do you use tools?

Primarily is manual. On the security side, managing the compliance is done via 3rd part tool that has Integration with some of our vendors and manages the compliance/security automatically.

Security reviews come through my team, so we end up being a bottleneck for the company when they want to bring in different vendors, services, or products. We're trying to do the best we can, but with manual processes, it's never going to be that great. We are looking at different products to automate this and make it a much more robust process where we do reviews annually, alerts go out, and different business units take care of it.

As a CISO in my company, I don't have all the relationships with the IT vendors. The CTO would have a lot, but there are business units that have their own relationships with these IT vendors as well, because we have large technology arms. What we are good at is keeping access to our operational network very controlled. So it's not like the wild west, but we have improvements to make.

You have to implement a whole framework, and it's not that we don't have any of it in place. It's just more manual than it should be. If we find out that they're trying to implement something we have to tell them, “Hold on, that has to come back through the security department.”