Vendor Risk Management

Best Practices for implementing vendor security ratings

Debbie Umbach | May 11, 2015

Recently we discussed three benefits that a security rating brings to the vendor itself, a question we hear often. Another frequent question is how best to communicate with your vendors about their rating. Many of our customers have incorporated BitSight Security Ratings into their vendor risk management (VRM) programs, and the lessons they have learned along the way are too valuable not to share. Several approaches work; here are the three most common:

Roll out the program to your entire vendor community at once

Often the best approach is to roll the program out to every vendor at once. In that case, educating your internal staff up front is the key step. BitSight provides educational materials for your vendor risk managers that explain how to use security ratings with the vendors they manage. Make clear that they now have a tool that lets them not just trust but verify the vendors under their purview. Consider running a webinar to introduce the tool, and record it for those who cannot attend live (our support staff is happy to take part at this stage and help with onboarding). Using BitSight templates, draft an email from headquarters that introduces the program to the vendor community, accompanied by collateral, videos, and a sample report built on fictitious data so that vendors know what to expect. Send this notice one to two months before the program starts so vendors have time to digest the materials. Your vendor risk managers can then give each vendor its rating and offer a conference call or in-person meeting to discuss it.

Conduct a “soft launch” with only a select set of vendors

Some companies prefer the nibble, bite, gulp approach: start with a subset of current vendors and test the communications and processes before going wider. Some start with the highest-rated vendors (those conversations are the easiest); others start with the lowest-rated vendors (to address the greatest risks first). For highly rated vendors, the vendor risk manager can send a customized note (again from a BitSight template) with the vendor's rating, the associated report, and educational materials, commending them on their performance and noting that monitoring will continue on a regular basis. Tell them that you receive an alert whenever a rating changes by 5% or more, and that you trust they will keep up the good work. For lower-rated vendors, the best practice is to schedule a meeting to discuss the rating; sending the rating report in advance helps guide the conversation. Most vendors appreciate the information and want to understand which issues to remediate in order to improve their rating.

Begin with vendor evaluation, prior to selection

Whether you have a formal VRM program or are just getting started, security ratings are a useful tool for evaluating a set of candidate vendors for a specific product or service. The first step is to prepare an RFP, questionnaire, or assessment, which may be a simple document or an electronic form in a supplier relationship management or GRC solution. Assessments are valuable and necessary because they cover a wide range of topics, but they rely on the vendor's own answers. Security ratings complement them: they are gathered from the outside and require no vendor input, so they give an objective, externally observable view with trends over the past 12 months, which lets you verify the subset of assessment responses that concern the vendor's internet-facing posture. We recommend stating up front in the assessment materials that the vendor's security rating will be evaluated as part of the process, and providing information so that vendors can learn what this means for them. They will want to know their rating, so provide a mechanism, such as an email distribution, to communicate it. Transparency establishes trust early on and, for the vendor(s) ultimately selected, paves the way for more open, data-driven conversations.

Whichever method you choose for communicating with existing and prospective vendors, remember that transparency is key. As long as you openly share that you are now monitoring their security performance, and that the purpose is to raise the level of information security across your vendor base, relationships will be strengthened and risk reduced.
