Partnership Over Process: Mark LoGalbo’s Strategies for Refined Vendor Risk Management

Reading Time:

Is vendor risk management an art, a science, or a function of experience? “All three,” says Mark LoGalbo, VP of Information Security at Fanatics Holdings, Inc.

Experience is crucial in dealing with the complexities of vendor relationships and risk assessments, and Mark has plenty of it. He has been a cyber security professional for over 23 years and spent nine years in the military, policing, and physical security.

Mark recently shared his insights on vendor risk management in an interview with Dan Haagman, CEO of Chaleit. His approach emphasises the need for streamlined processes, honest partnerships with vendors, continuous monitoring, and a balance between security requirements and business needs. 

Watch the interview and read the key takeaways below about the art and science of vendor risk management.

Mark LoGalbo

We throw pre-canned questionnaires at vendors and just expect many questionnaires back. This approach fails to address deeper, more systemic issues that can lead to security vulnerabilities and breaches.

The current state of vendor risk management

As organisations continue to rely more heavily on third-party vendors, vendor risk management has become crucial in cyber security. However, it often doesn’t receive enough attention for meaningful improvements, Mark believes.

He notes that many organisations treat it as a checkbox exercise, relying on standard questionnaires without spending time to understand actual risks. 

“We throw pre-canned questionnaires at vendors and just expect many questionnaires back. This approach fails to address deeper, more systemic issues that can lead to security vulnerabilities and breaches,” Mark explains.

He advocates for a more nuanced approach, suggesting that assessments should go beyond these formalities. Instead of relying on lengthy questionnaires, Mark recommends more dynamic and streamlined methods focusing on vendor security’s critical aspects.

Effective vendor risk management should be about balancing risk and reward, supporting the business without becoming a roadblock.

A vendor’s willingness to acknowledge and manage existing security weaknesses demonstrates a more mature information security program.

Building partnerships with vendors

A partnership approach with vendors is more beneficial than an adversarial relationship. Mark believes in having honest conversations and understanding that no security program is perfect.

“This is a partnership. We’re not expecting your program to be perfect. We would love it if it were, but I still have not seen a perfect information security program from anybody,” he says.

A vendor’s willingness to acknowledge and manage existing security weaknesses demonstrates a more mature information security program. 

By being upfront about their shortcomings, the vendor showcases both their ability to identify risks and their proactive approach to mitigation, Mark explains. This transparency is key, suggesting a comprehensive risk program with ongoing monitoring and management. 

He shared that at Fanatics, they have streamlined their processes to be more vendor-friendly, reducing unnecessary bureaucracy and focusing on what truly matters. This approach not only benefits the vendors but also ensures that the organisation can respond quickly and effectively to potential risks. 

Streamlining vendor assessment and continuous monitoring

Streamlining and continuous monitoring are critical aspects of Mark’s approach to vendor risk management.

Besides doing preliminary research on vendors, including checking their websites and using cyber security rating platforms to identify potential red flags, the vendor assessment process should include the following:

  • Focus on critical questions specific to the vendor’s solution
  • Use attestations to get vendors to confirm they have adequate controls in place
  • Verify cyber liability insurance
  • Check for compliance certifications like ISO 27001 or SOC 2 Type 2

He stressed that initial assessments should not be the end of the process. Instead, ongoing evaluations should ensure that vendors maintain their security standards.

  • Be realistic about available resources and focus on critical vendors
  • Use automation to identify red flags
  • Set parameters for alerts based on changes in vendor security posture
  • Integrate monitoring results into a GRC (Governance, Risk, and Compliance) platform

 Mark highlights the vast difference in information security maturity among vendors.

Ideally, vendors have a dedicated information security team, demonstrating a proactive approach. However, some lack such resources, so it’s important for organisations to have their own control frameworks and supporting evidence to be prepared for potential issues.  

I’m constantly thinking of risks as a practitioner; my business is thinking of rewards, and I need to balance those two.

Balancing risk and business needs

Balancing security requirements with business objectives is a constant challenge for security leaders. Security teams must be mindful of business timelines and the potential for security processes to be seen as roadblocks.

“We’re always being told: support the business, support the business,” Mark notes. “I’m constantly thinking of risks as a practitioner; my business is thinking of rewards, and I need to balance those two.”

Mark suggests that security teams should aim to be enablers rather than obstacles, working closely with business units to understand their needs and find solutions that meet both security and business requirements.

Vendor management professionals are generally highly professional and passionate about their roles, in Mark’s experience. However, he emphasises the need for these professionals to balance thoroughness with practicality. Instead of exhaustive reviews that delay business processes, he prefers more targeted assessments that focus on the most critical risks.

He admits to the pragmatic nature of his role: “Sometimes we look at risk management too much as a science. We complicate things, and I personally like to try and keep things simple.” 

Vendor risk management is sometimes about the art of coming up with a “pretty, nice, and easy” solution that gets the job done, he concludes.

At Chaleit, we also believe in blending experience, streamlined processes, and genuine partnerships. By taking a proactive approach and focusing on aftercare, we support organisations in balancing security needs with business goals.

For more in-depth strategies and expert advice, visit the Chaleit blog and YouTube channel. Let’s connect, and feel free to contact us to speak with our experts about your cyber security and vendor management challenges.

Ready to transform your organisation's security posture while driving business growth?

  • This field is for validation purposes and should be left unchanged.

Recent Posts