Third-Party Service Provider Diligence: Why are we doing it all wrong?

Presented at BSidesLV 2014, Aug. 6, 2014, 3:10 p.m. (30 minutes)

The demands of third-party service provider vendor due diligence and compliance management are growing rapidly in light of increased emphasis on these programs by regulators as well as outsourcing to reduce operational costs. Historically, vendor diligence programs have not adequately and consistently addressed proactive identification of potential risks, the ongoing competence of the third-party service provider, and the production of a vendor management program that truly aligns with business strategies, identifies the risks commensurate with the complexity of the business environment, and produces a clear measure of the effectiveness of the provider. In addition, service providers suffer under the burden of the sheer number of diligence questionnaires, the lack of consistency among them, inconsistent workload, and resource conflicts with compliance and sales efforts. Diligence response is potentially labor-intensive, with the possibility of providing no return on the investment. Aimed at third-party service providers and businesses with vendor diligence programs, this presentation looks at case studies from real service providers and their customers to exemplify the ways that traditional vendor management fails to meet the objectives of today's business and regulatory environment. It then proposes a means to rectify these failures and evolve vendor due diligence programs to the next step. Participants will learn how to establish the goals of the vendor diligence program, understand the scope of the product and its potential impact on their environment, define a central body of knowledge, address only what is important, and iteratively evolve their diligence process to provide a more valuable product in less time.


  • Patrice Coles
    Patrice Coles works for a large service provider with multiple product lines, where she manages compliance and customer vendor due diligence response. Her areas of expertise include building and growing compliance and vendor response programs from scratch for startups, service providers, and Fortune 50 companies. Her master's degree in Information Assurance, coupled with a 15-year history of consulting, building and implementing IT audit and controls programs, performing QSA and regulatory audits, and working for multiple service providers, affords her the experience to design and implement real-world solutions to today's compliance, regulatory, and vendor management needs. Patrice holds CISA, CRISC, and GSNA certifications, has authored articles for Pen Test Magazine, and is working on a curriculum to address the gaps in IT audit and controls education. She is currently leading an effort to implement a vendor response program to increase diligence availability to sales and support staff, reduce customer and prospect diligence turnaround time, and create self-service mechanisms where possible.