4 Must-have Best Practices for Better Vendor Risk Management

Brian Thomas | January 28, 2021 | tag: Cybersecurity

Vendor risk management is top of everyone’s mind in light of the recent SolarWinds supply chain attack and concerns around weak points in the COVID-19 vaccination supply chains. Both exemplify the need for organizations of all types to take steps to fortify their vendor risk management processes.

Of course, that’s easier said than done, especially as supply chains continue to grow. According to Gartner, 60% of companies work with more than 1,000 third parties. When supply chains are that extensive, it can be challenging for even the most vigilant organizations to have complete visibility into the security postures of all of their partners.

To make things a bit easier, we’ve put together a list of four best practices that every organization should follow as they look to strengthen their vendor risk management practices. 

1. Continuously monitor third-party vendors

Traditional point-in-time cyber security assessments don’t tell the full story of a vendor’s potential for risk. They only give organizations a brief snapshot in time and thus provide poor and incomplete visibility into security risks. Plus, they can be time-consuming to complete and in many cases biased, whether intentionally or unintentionally.

Continuously monitoring third-party vendors is a much more complete and accurate way to gauge a vendor’s true security posture. Through continuous monitoring, organizations can be immediately alerted to potential vulnerabilities throughout their entire supply chain. When these weaknesses are exposed, security teams can react quickly and focus their efforts on mitigating them in near real time. There’s no need to wait for an out-of-date, once-a-year security assessment.

With continuous monitoring, companies can also deliver periodic risk reports on individual vendors or in aggregate. They can use these reports to gain an accurate representation of their vulnerabilities and strengths at any time. 

This can be a particularly useful practice in the wake of a major supply chain attack, such as the SolarWinds incident, to ensure that there have been no hard-to-detect intrusions within third parties.

2. Use security ratings to gauge risk

When it comes to continuous monitoring, security ratings can be an indispensable tool. Security ratings measure the performance of a company’s overall risk management capabilities, with a higher score indicating a better approach (and more trustworthy organization). 

BitSight offers the only independently verified security ratings database. In fact, according to AIG Research, a company’s BitSight security rating can be used to reliably predict a company’s future security performance. For example, an organization with a security rating of 400 or lower is five times more likely to experience a breach than a vendor with a rating over 700. You can use these easy-to-understand cyber risk metrics to determine where your weakest links are and make better decisions about which vendors to use.

3. Tier vendors to expedite onboarding practices

In the ongoing effort to become more agile and high performing, management teams are looking for ways to expedite the onboarding of new vendors—but that can’t be done at the expense of good security hygiene. It’s still important to perform accurate and thorough cyber risk assessments, but the typical onboarding processes—involving pages of documentation and checklists and months of manual assessments—don’t work in today’s business environment.

No two vendors are the same, and tiering vendors in terms of their criticality to the business can help organizations prioritize their partners based on their unique tolerance for risk. For example, a vendor that handles payroll data will likely be riskier than a partner that does not have access to employees’ personally identifiable information.

This type of prioritization can help companies streamline their assessment processes and focus on the companies that need the most attention.

4. Validate vendor responses with data mapped to security frameworks

Although continuous monitoring is an important best practice, there will always be a time and place for security compliance questionnaires, especially at the outset of a third-party engagement. But there is also inherent risk in trusting this point-in-time data and the feedback that a vendor provides. 

As the old axiom says, “trust, but verify.” One way to do this is by validating vendor responses with data mapped to established cybersecurity frameworks. Many of these frameworks, such as FISMA, call for continuous monitoring to establish good vendor risk management practices. Data gleaned from security ratings, which are determined through continuous monitoring, can be used to establish whether or not third parties are in compliance with these frameworks. 

Following these best practices will help organizations shore up their vendor risk management processes, making them more secure, streamlined, and stronger. 

For more information about how to improve vendor risk management, download our free ebook, Revolutionize Your Vendor Risk Management Strategy.
