4 Reasons Traditional Vendor Risk Management Strategies Fall Short


Vendor risk management (VRM) is the practice of evaluating business partners, associates, and third-party vendors both before a business relationship is established and throughout the life of the contract. It is a difficult but necessary process that every company should go through when it enters into a third-party relationship.

Ideally, an organization going through this process will inventory its vendor relationships, determine and categorize the risk each vendor poses, assign an internal owner for that risk, put contractual protections in place against it, and then run an ongoing assessment program to monitor, audit, or review how well the supplier is complying. Traditional assessment programs typically rely on risk assessments, questionnaires, audits, penetration tests, and vulnerability scans.

While these traditional methods do help organizations examine the risk each vendor poses, they aren't without their flaws, and those flaws must be taken into account when deciding how much assurance an assessment really provides.

Below, we’ll take a look at four issues these traditional strategies bring about.


1. They’re time-consuming.

Organizations typically have a set of risk tolerances and a list of cybersecurity controls they care about, so they create and send questionnaires to their third-party suppliers to determine whether each vendor adequately covers those areas of risk. Responding to these questionnaires, and then validating the vendor's answers against its actual security posture, takes a great deal of time for both parties. Industry-accepted standard questionnaires make this easier by letting a vendor reuse one set of answers across many customers, but the process remains labor-intensive.

2. They offer an incomplete picture of the risk.

Traditional VRM methods are particularly tricky because they are only valid for, and representative of, the vendor's security at a single point in time. For example, if your company reviews a third party's data security controls and finds them satisfactory, that assurance is only good until you walk out the door; a configuration change, a new subcontractor, or a newly disclosed vulnerability the next week invalidates it. Furthermore, traditional VRM tactics are often subjective by nature. If a first party asks a vendor whether it has an effective change management program in place, the answer depends on the respondent's definition of "effective" and on their personal knowledge of the change management program, and a questionnaire rarely asks for the evidence that would let the assessor verify the answer.

3. They’re not actionable.

Once you've completed a traditional VRM exercise such as a thorough assessment, you may have an overall impression of a vendor's cybersecurity posture. But it can be difficult for the recipient of a vendor assessment to make sense of the information received and act on it in a way that actually protects their organization and its data: a stack of questionnaire answers does not tell you which findings matter most, which ones the vendor must remediate before you share data, or which ones you should compensate for with your own controls. So while a great deal of time is spent identifying possible vendor risk issues, not enough time is spent addressing them.

4. Compliance doesn’t equal security.

Ensuring that your vendors are doing what you've asked of them is a fine step to take, and as we mentioned above, it's important. But you must also understand that having your vendors check off a box doesn't mean they're properly securing your data. Even if a vendor complies with every one of your policies, a security incident can still occur on its network, and that incident can impact your data. Your ultimate focus should be on vendor risk management, not simply on vendor compliance. Compliance is a solid short-term goal, but vendor risk management is an ongoing practice whose importance shouldn't be understated.

While it's clear that traditional vendor risk management strategies are inadequate in today's risk environment, there are a number of things you can do to make risk management easier, including emerging vendor risk management strategies and technologies that make the VRM process simpler and more effective.