This ebook contains five actionable steps that will put you well on your way to establishing an effective third-party risk management (TPRM) program.
The world of procurement has been fundamentally changed by the introduction of technology. Source-to-pay software has brought digital workflows and automation to time-consuming processes like creating RFPs, managing contracts, and remitting payments.
These programs are designed to make the day-to-day work of procurement professionals easier, and they may even help improve sourcing from a strategic perspective. However, most source-to-pay applications don’t offer tools to support a very important component of procurement: the vendor selection process.
Conducting due diligence on potential vendors is more important than ever. Recent data breaches caused by vulnerabilities in vendor systems have put third-party cyber risk in the crosshairs of Boards of Directors and regulators. Thorough due diligence on the part of the procurement team can mean the difference between a beneficial relationship and hundreds of millions of dollars in losses and fines.
Thankfully, there are a number of software tools and websites that have emerged to support the vendor selection and due diligence function. Let’s explore a few tools that every procurement professional should have in their toolbox.
BitSight Security Ratings
BitSight Security Ratings are a data-driven, dynamic measurement of an organization’s cybersecurity performance. These ratings are derived from objective, verifiable information and are created by an independent organization. They take the form of a number ranging from 250 to 900.
Unlike cyber risk assessments, penetration tests, and other methods for understanding an organization’s cyber risk, BitSight Security Ratings are automated and continuously updated.
Say you’re deciding between five unique suppliers. In the past, the time and effort it would take to perform individual cyber risk assessments for each supplier was prohibitive and resulted in cybersecurity being excluded from the vendor selection process. With BitSight Security Ratings, a procurement professional can simply log into the BitSight Platform, run all five suppliers’ names, and generate an instant report based on their real-time ratings.
BitSight Security Ratings are the only security ratings that have been independently proven to correlate with actual cyber risk, so you can be confident that the supplier with the highest rating is actually less likely to experience a data breach than the others.
“It used to take weeks to complete vendor assessments. Now it takes us hours.”
— Michael Christian, Information Security Manager of Cyber Risk and Compliance, Cabela’s
We’re all used to searching for user reviews before booking a hotel or going out to dinner. What may be less familiar is using reviews before signing a big-dollar vendor contract.
However, the Yelp model has been successfully applied to the world of B2B vendors. Popular review sites include Capterra and Gartner Peer Insights, which both focus on software, and G2 Crowd, which also includes services.
These sites offer a unique window into how vendors have performed for their clients, and can be especially useful when attempting to understand the quality of a potential vendor’s customer service.
Another review site which may provide insights for procurement professionals is Glassdoor, which allows employees to rate how much they liked working for a company. If a vendor is producing angry or burnt-out employees, then they may not be the best fit for your organization. Bad employee reviews may even represent a security issue.
Code Verification Tools
In a world where 96% of applications contain open-source software, the threat of malware in third-party tools is very real. As a result, software vendors should be subject to additional scrutiny as part of the due diligence process.
When a software vendor is allowed to access your organization’s sensitive systems and data, their vulnerabilities become your vulnerabilities. Ticketmaster was one victim of malicious code injected into vendor software; after a support chat tool was breached, Ticketmaster customer data was compromised.
One way to eliminate this kind of risk during the vendor selection process is to use a code verification tool like Veracode, which scans software to identify potential vulnerabilities. This tool can be used to scan your entire software vendor ecosystem, and positive verification can become a requirement prior to signing a contract with any new software vendor.
Part of deciding whether a vendor is the best fit for your business is determining how much risk they’re exposing you to — whether that risk is operational, reputational, financial, or cyber-related. Using software tools like the ones described above can help speed up these risk analyses, making your business safer and your vendor relationships smoother.