4 Reasons Traditional Vendor Risk Management Strategies Fall Short

Melissa Stevens | February 2, 2017

Vendor risk management (VRM) is the practice of evaluating business partners, associates, or third-party vendors both before a business relationship is established and for the duration of your business contract. This is a difficult—albeit necessary—process all companies should go through when they enter into a third-party relationship.

Ideally, organizations going through this process might inventory their vendor relationships, determine and categorize the risk that each vendor poses, delegate organizational ownership of the risk, institute contractual protection against that risk, and then create an ongoing assessment program to monitor, audit, or review how well the supplier is complying. Traditional assessment programs often involve risk assessments, questionnaires, audits, penetration tests, and vulnerability scans.

While these traditional methods do help organizations examine the risk each vendor poses, they aren’t without their flaws—and those flaws must be taken into consideration.

Below, we’ll take a look at four issues these traditional strategies bring about.

1. They’re time-consuming.

Organizations typically have a set of risk tolerances and a number of cybersecurity controls they care about—so they create and send out questionnaires to their third-party suppliers to determine if the vendor can handle the areas of risk they care about. Responding to these questionnaires and validating the vendor’s cybersecurity posture takes a great deal of time for both parties. There are some industry-accepted standards for questionnaires that make this easier, but the process is still intensive.

2. They offer an incomplete picture of the risk.

Traditional VRM methods are particularly tricky because they are only valid for and representative of the vendor’s security at a single point in time. For example, if your company reviews a third party’s data security controls and finds them satisfactory, the good feeling you’re left with is only valid until you walk out the door. Furthermore, traditional VRM tactics are often subjective by nature. If a first party asks a vendor whether it has an effective change management program in place, the answer depends on the respondent’s definition of “effectiveness” and on their knowledge of the change management program.

3. They’re not actionable.

Once you’ve gone through traditional VRM tactics like a thorough assessment, you may have an overall feeling about the cybersecurity posture of a vendor. But it can be difficult for the recipient of a vendor assessment to fully make sense of the information received and act on it in a way that will protect their organization and its data. So while a great deal of time is spent identifying possible vendor risk issues, not enough time is spent addressing those issues.

4. Compliance doesn’t equal security.

Ensuring that your vendors are doing what you’ve asked of them is a fine step to take—and as we mentioned above, it’s important. But you must also understand that having your vendors check off a box doesn’t mean that they’re properly securing your data. In other words, even if your vendors comply with your policies, security incidents can still occur on their network—and those incidents can still impact your data. Your ultimate focus should be on vendor risk management, not simply on vendor compliance. While compliance is a solid short-term goal, vendor risk management is an ongoing practice whose importance shouldn’t be understated.

While it’s clear that traditional vendor risk management strategies are inadequate in today’s risk environment, there are a number of things you can do to make risk management easier. The free ebook Creating Efficiencies In Vendor Risk Management: Exploring The Evolution Of VRM discusses several emerging vendor risk management strategies and technologies and provides insight on how to make the VRM process simpler and more effective.
