{"id":4583,"date":"2025-08-28T19:19:39","date_gmt":"2025-08-28T19:19:39","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=4583"},"modified":"2025-08-28T19:19:39","modified_gmt":"2025-08-28T19:19:39","slug":"how-gainesville-regional-utilities-is-locking-down-vendor-risk","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=4583","title":{"rendered":"How Gainesville Regional Utilities is locking down vendor risk"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Gainesville Regional Utilities (GRU) isn\u2019t just a utilities provider\u2014it\u2019s the communications backbone for the community. In addition to delivering electricity and water, GRU operates fiber-optic networks and uses smart grid and metering technologies to keep homes, businesses, and public facilities in the northern Florida city connected and running.<\/p>\n<p>Behind the scenes, these systems rely on a complex network of third-party vendors. From cloud service providers to equipment suppliers, these partners play a vital role in GRU\u2019s operations.<\/p>\n<p>But they also pose a potential cybersecurity risk.<\/p>\n<p>To address that vendor risk, the utility\u2019s IT security and compliance teams launched the Vendor Security Risk Assessment (VSRA) program in August 2023. The chief goal of the program is to make sure vendors with access to sensitive systems, data, or networks meet rigorous security standards as part of the vetting process.<\/p>\n<p>\u201cWe designed VSRA to make sure vendor relationships do not introduce vulnerabilities into our environment,\u201d says Walter Banks, CIO of GRU. 
\u201cSo the program kicks in early, before a vendor is onboarded, a contract is renewed, or the scope of a vendor\u2019s services changes.\u201d<\/p>\n<h2 class=\"wp-block-heading\"><a><\/a>What\u2019s inside the VSRA program<\/h2>\n<p>VSRA includes the following steps:<\/p>\n<p><strong>Intake and triage<\/strong>: The requesting business unit submits an intake form detailing the vendor\u2019s responsibilities, the IT service involved, the types of data needed, and any required system access. The IT security team then conducts an initial risk triage.<\/p>\n<p><strong>Detailed assessment<\/strong>: If the vendor poses a moderate or high risk, it must complete a security questionnaire and provide documentation such as SOC 2 reports, penetration test results, and security policies.<\/p>\n<p><strong>Technical review<\/strong>: The security team evaluates how the vendor\u2019s service integrates with GRU\u2019s systems, covering categories such as data transmission and storage, access methods, and security controls.<\/p>\n<p><strong>Vendor risk reporting<\/strong>: Following the review, the security team writes a report identifying risks and recommending mitigations. Any medium or high risks require formal acknowledgement by the requesting department\u2019s leadership.<\/p>\n<p><strong>Centralized recordkeeping<\/strong>: All assessments and decisions are stored in a secure, centralized database for accountability and audits.<\/p>\n<h2 class=\"wp-block-heading\"><a><\/a>Initial resistance from vendors and internal leaders<\/h2>\n<p>The first hurdle in implementing the VSRA program was internal resistance from leadership, Banks says. 
Some GRU executives worried the program would add red tape to an already complex and lengthy procurement process.<\/p>\n<p>To overcome skepticism, GRU\u2019s IT team shared real examples with leadership of past <a href=\"https:\/\/www.csoonline.com\/article\/1305977\/6-best-practices-for-third-party-risk-management.html\">vendor assessments<\/a>, both successes and incidents where inadequate vetting led to security vulnerabilities. The IT team explained turnaround times and how risk-based recommendations would work in practice.<\/p>\n<p>\u201cWe gradually gained leadership support and equipped them with the information they needed to communicate the program\u2019s benefits to the rest of the org,\u201d says Banks.<\/p>\n<p>Vendor compliance was another challenge, particularly with long-time partners that had never been asked for extensive security documentation. GRU addressed this by reaching out directly to vendors to explain how to comply with GRU\u2019s new standards. Additionally, GRU created a vendor scoring system that continuously monitors vendors\u2019 security posture for potential risks.<\/p>\n<p>\u201cOnce we addressed cultural resistance, vendor compliance, and documentation, all parties involved began to recognize the program\u2019s value,\u201d says Banks.<\/p>\n<h2 class=\"wp-block-heading\"><a><\/a>The impact: Decreasing vendor risk, increasing efficiency<\/h2>\n<p>Since launching VSRA, GRU has formally assessed 144 vendors, producing 32 risk exception reports. In two-thirds of those cases, GRU avoided the risk entirely by choosing alternative vendors.<\/p>\n<p>The program has also uncovered more than 70 medium- to high-risk vulnerabilities that might have led to data breaches had they gone undetected.<\/p>\n<p>Compliance has also improved. 
More vendors now provide <a href=\"https:\/\/www.csoonline.com\/article\/574001\/how-to-prepare-for-a-soc2-audit-it-s-a-big-deal-so-you-d-better-get-ready.html\">SOC 2<\/a> reports, certifications, and documented security policies, helping GRU meet data protection requirements such as <a href=\"https:\/\/www.csoonline.com\/article\/570241\/hipaa-explained-definition-compliance-and-violations.html\">HIPAA<\/a> and lowering the likelihood of non-compliance penalties.<\/p>\n<p>Another win for GRU is that its vendor risk assessment process is simply more efficient now, says Banks.<\/p>\n<p>\u201cAutomating parts of assessments and adding a vendor risk database has led to faster responses to threats and cut manual work by 50%, freeing up team members to focus on more critical tasks.\u201d<\/p>\n<p><em>For its vendor risk assessment project, Gainesville Regional Utilities earned a <\/em><a href=\"https:\/\/event.foundryco.com\/cso-conference-awards\/\"><em>2025 CSO Award<\/em><\/a><em>. The award honors security projects that <\/em><a href=\"https:\/\/www.csoonline.com\/article\/570667\/us-cso50-2022-awards-showcase-world-class-security-strategies.html\"><em>demonstrate outstanding thought leadership and business value<\/em><\/a><em>.<\/em><\/p>\n<h2 class=\"wp-block-heading\"><a><\/a>Advice for security leaders: No shortcuts, no surprises<\/h2>\n<p>CIO Banks has learned a few lessons about managing third-party risk and offers advice for organizations considering a VSRA program.<\/p>\n<p><strong>Seek external guidance:<\/strong> Banks suggests CIOs and CISOs talk to peers and industry organizations about vendor risk management before designing a program. Insights from these groups can help avoid \u201ceasy fixes\u201d that ignore the complexity of security threats.<\/p>\n<p><strong>Make security part of the business case and be transparent:<\/strong> Weigh the risks and rewards of security programs and make sure there is a clear business case for vendor risk assessments. 
Communicate the business benefits clearly and frequently to leadership and other departments.<\/p>\n<p><strong>Make assessments repeatable and non-negotiable<\/strong>: Apply the same risk assessment to every vendor. Repeatable processes ensure that vendors, equipment, and services are evaluated consistently. Making exceptions for certain vendors could introduce risk.<\/p>\n<p><strong>Watch for red flags<\/strong>: Vendors unwilling to participate in risk assessments could signal deeper issues. In the early days of VSRA, a vendor reached out directly to a GRU business unit requesting an exemption from the VSRA process. Weeks later, that vendor suffered a malicious data breach. While the VSRA process would not have prevented the breach, says Banks, it highlights the importance of assessing risk before making commitments.<\/p>\n<h2 class=\"wp-block-heading\"><a><\/a>Safer utilities and communities, no exceptions<\/h2>\n<p>By baking risk checks into vendor procurement and keeping a constant eye on security vulnerabilities, GRU has cut down its exposure, improved compliance, and built a culture where everyone takes security seriously.<\/p>\n<p>As cyber threats evolve, GRU\u2019s experience shows that protecting critical infrastructure starts with knowing, and trusting, your vendors.<\/p>\n<p>For Banks, the message couldn\u2019t be clearer: \u201cVendors that want to continue doing business with your organization must meet your standards. Make no exceptions and stick to your principles.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Gainesville Regional Utilities (GRU) isn\u2019t just a utilities provider\u2014it\u2019s the communications backbone for the community. In addition to delivering electricity and water, GRU operates fiber-optic networks and uses smart grid and metering technologies to keep homes, businesses, and public facilities in the northern Florida city connected and running. Behind the scenes, these systems rely on [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":4584,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-4583","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/4583"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=4583"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/4583\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/4584"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=4583"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategor
ies&post=4583"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=4583"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}