Vendor risk management is an incredibly complicated process. While some methods are much more efficient than others, there is no consensus on how all organizations accurately manage vendor risk. Every organization has a different maturity level in their third-party risk management program. We generally see that organizations measure vendor risk in five different levels, each with an increasing level of security:
- Nothing at all
- Contract verbiage only
- Audit check only (SOC 2)
- Spreadsheet Security Questionnaire
- Vendor risk management platform
#1 Nothing at all
This group doesn’t measure vendor risk at all. Some are in the beginning phases of their security program and have not started thinking about their vendor risk. They’re still figuring out how to measure their own risk. Many do not have the in-house expertise to begin measuring vendor risk. There are a few in this group who incorrectly believe that by not knowing the actual risk of their vendors, they are not liable for any issues.
#2 Contract Verbiage Only
These organizations do not have time to measure the risk of their vendors, but they know something needs to be done. Instead of spending an incredible amount of time measuring vendor risk, they instead add verbiage to all vendor contracts to state that the vendor must add all necessary security measures to protect the customer data from unauthorized access. These organizations believe that they would at least be covered from a legal standpoint if a compromise were to occur at the vendor organization.
#3 Audit Check Only
In addition to adding security requirements within vendor contracts, some organizations also request completed audit reports from the vendors. These audit reports may be a SOC 2 Type 2, HITRUST, or countless other audits. The organization reviews the audit report for any glaring issues, puts a check in the “review box”, then archives the data.
#4 Spreadsheet Security Questionnaire
The infamous vendor spreadsheet security questionnaire. On the positive side, this is so easy to start. All an organization needs to do is open up their favorite spreadsheet application, put their company logo at the top, type out a list of security questions, and email it to all of their vendors. While this seems easy at first, everything afterwards gets complicated. After the vendor completes the questionnaire, the organization needs to determine risk level for the vendor. There are usually a number of internal meetings and then follow up questions for the vendor and additional requests for vendor documentation. Finally, after countless hours, a consensus is reached and the organization decides whether or not to use the vendor. Afterwards, sometimes the executive leadership within the organization will simply accept any risk level just to do business with the vendor. So many organizations have this spreadsheet process, that vendor are just used to this inefficient method of measuring risk and have teams dedicated to answering different questionnaires for every customer. After this entire process is complete, the customer knows the vendor risk for a single point in time and must decide whether to repeat this entire process a year later to get an up-to-date measurement of the vendor.
#5 Vendor Risk Management Platform
As the vendor risk management process begins consuming an immense number of internal resources, many organizations determine that it makes more financial sense to purchase a solution to manage vendor risk. These solutions vary greatly in cost, efficiency, and accuracy. At least the organization can now utilize their internal resources on other tasks.
There are five basic methods for measuring (or not measuring) vendor risk. The methods vary in efficiency and security. Even within these methods, the approaches and solutions vary in accuracy. At Stern Security, we have worked with companies at all stages and could not recommend any of these options or any existing vendor risk management platform to customers. That’s why we created Velocity – the world needed an efficient and accurate vendor risk management solution. The Velocity platform utilizes passive reconnaissance and precise questionnaires which are all verified by an actual human analyst for accuracy. When a vendor completes an assessment, they can share the results with any of their customers that utilize Velocity. Everyone gets time back in their day and security is increased with Velocity.
For a look at how Velocity helps companies manage their security posture and vendor risk: