
4 Reasons Traditional Vendor Risk Management Strategies Fall Short

Melissa Stevens | February 2, 2017

Vendor risk management (VRM) is the practice of evaluating business partners, associates, or third-party vendors both before a business relationship is established and during the duration of your business contract. This is a difficult—albeit necessary—process all companies should go through when they enter into a third-party relationship.

Ideally, organizations going through this process might inventory their vendor relationships, determine and categorize the risk that each vendor poses, delegate organizational ownership of the risk, institute contractual protection against that risk, and then create an ongoing assessment program to monitor, audit, or review how well the supplier is complying. Traditional assessment programs often involve risk assessments, questionnaires, audits, penetration tests, and vulnerability scans.

While these traditional methods do help organizations examine the risk each vendor poses, they aren’t without their flaws—and those flaws must be taken into consideration.

Below, we’ll take a look at four issues these traditional strategies bring about.

1. They’re time-consuming.

Organizations typically have a set of risk tolerances and a number of cybersecurity controls they care about—so they create and send out questionnaires to their third-party suppliers to determine if the vendor can handle the areas of risk they care about. Responding to these questionnaires and validating the vendor’s cybersecurity posture takes a great deal of time for both parties. There are some industry-accepted standards for questionnaires that make this easier, but the process is still intensive.

2. They offer an incomplete picture of the risk.

Traditional VRM methods are particularly tricky because they are only valid for and representative of the vendor’s security at a single point in time. For example, if your company reviews a third party’s data security controls and finds them satisfactory, the good feeling you’re left with is only valid until you walk out the door. Furthermore, traditional VRM tactics are often subjective by nature. If a first party asks a vendor whether it has an effective change management program in place, the answer depends on the respondent’s definition of “effectiveness” and on his knowledge of the change management program.

3. They’re not actionable.

Once you’ve gone through traditional VRM tactics like a thorough assessment, you may have an overall feeling about the cybersecurity posture of a vendor. But it can be difficult for the recipient of a vendor assessment to fully make sense of the information received and act on it in a way that will protect their organization and its data. So while a great deal of time is spent identifying possible vendor risk issues, not enough time is spent addressing those issues.

4. Compliance doesn’t equal security.

Ensuring that your vendors are doing what you’ve asked of them is a fine step to take—and as we mentioned above, it’s important. But you must also understand that having your vendors check off a box doesn’t mean that they’re properly securing your data. In other words, even if your vendors comply with your policies, security incidents can still occur on their network—and it can impact your data. Your ultimate focus should be on vendor risk management, not simply on vendor compliance. While compliance is a solid short-term goal, vendor risk management is an ongoing practice that shouldn’t be understated.


While it’s clear that traditional vendor risk management strategies are inadequate in today’s risk environment, there are a number of things you can do to make risk management easier. The free ebook highlighted below discusses several emerging vendor risk management strategies and technologies and provides insight on how to make the VRM process simpler and more effective; download it today!
