Do You Have The Right Vendor Management Policies?

Kaitlyn Graham | September 10, 2020 | tag: Vendor Risk Management

If you’re experiencing frustrating delays and procedural roadblocks in your vendor management process, you’re not alone. Security managers are seeing an increase in the number of third parties integrating with their business, and Gartner reports that “60% of organizations are now working with more than 1,000 third parties”.

The problem lies in programs that rely on manual coordination with each business department involved in managing a vendor, and so cannot keep up with the volume of new vendors. Onboarding, sometimes dreaded by a company’s security team or legal department, requires resources and cooperation from both the organization and the vendor to ensure that the proper documentation and data are exchanged between the two companies.

The organization is responsible for properly evaluating a third party during onboarding to ensure the vendor’s processes are aligned with its own. Whatever a company misses during onboarding is its own problem later, which is why teams take the time to cover all the bases. Onboarding does not have to be a time-consuming and costly process, though, if security leaders have the right vendor management policies in place to work together with their business teams.

Where Can You Adapt Your Process?

As part of the procurement process, it is a security professional’s job to evaluate a potential vendor’s security posture and management. When someone on your company’s HR team comes to you with a new, potentially cheaper vendor to manage employee benefits, which policies come into play? Perhaps the first step is pulling up the standardized “new vendor due diligence” requirements document and forwarding it to the vendor, or discussing the budget for new vendors with the finance team. These steps are common in many organizations when it comes to vendor management.

Just because these onboarding strategies are common doesn’t mean they are the most efficient way to go about the process. What if security standards were set before a third party was even introduced to the company, so that vendors who fail them are eliminated from consideration up front? Publishing security guidelines for new vendors that are available across the organization enables the business while keeping cybersecurity at the forefront of third-party management.

Establishing A Risk Tolerance

Deciding on the maximum risk you’re willing to accept from a vendor narrows the list of vendors to evaluate, giving the security team back some of the time it spends on evaluations. Instead of spreading their resources thin, security professionals can focus more deeply on the companies that matter to them.

One way to establish the risk you’re willing to take with your vendors, and to keep that standard consistent across all departments, is through a security rating. BitSight for Third-Party Risk Management provides an external, objective view into a vendor’s cybersecurity to help users obtain a trusted view of their third parties. Companies can use BitSight vendor security ratings to set a minimum rating a vendor must meet before it will be considered.

BitSight allows users to compare their third parties’ security ratings, even when those companies have experienced different types of cybersecurity events. If a company uses a BitSight security rating to weed out third parties who fall below its risk threshold, vendor selection and onboarding can be narrowed to companies whose externally observable security posture meets the bar. Keep in mind that an external rating reflects what is visible from the outside; it screens the candidate list, it does not replace due diligence on the controls that are not externally observable.

Setting Tiers To Enable Easier Onboarding

Finding a risk threshold your organization is comfortable with for new vendors is a good first step toward efficient vendor management policies. The next step, which lets your third-party risk program grow while still managing vendors properly, is to tier your third parties based on risk and criticality.

Vendor criticality is one factor in deciding the inherent risk a third party carries, and it can also be used to group your vendors into easy-to-manage tiers. Tiering groups all of your existing vendors based on how close they are to sensitive company information and systems. With BitSight’s tier recommender service, organizations can see a suggested tier for each vendor, determined by the nature of the third party and by its security rating.

Policy Change As A Result Of Tiering

Once a company has tiered its vendors, it can apply policies to every vendor in a given tier, removing the inefficiency of over-assessing some vendors and under-assessing others. Top-tier vendors might require continuous monitoring of their security posture so that a deterioration is caught early, because even a small breach in their systems could cause major damage to the companies they work with. Lower-tier vendors might only need to be re-evaluated when a breach affecting them is detected.

Where a third party falls in your organization’s tiering system helps determine the level of vendor risk assessment it requires. Tiering removes excessive work on vendors that don’t need it, so the same resources can be used to manage top-tier vendors more closely.
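As an added illustration of the two steps above (a risk threshold that gates which vendors are considered at all, then criticality-based tiers that decide how much assessment each remaining vendor gets), here is a small policy-as-code sketch. It is example code written for this page, not BitSight’s own code, and it does not reproduce BitSight’s rating scale or tier recommender: the 250–900 rating scale, the 640 threshold, the criticality weights, the tier policies and the sample vendors are all assumptions made for the example.

```python
"""Policy-as-code sketch of a vendor risk threshold plus criticality tiering.

Everything numeric here (rating scale, threshold, weights, review cadence) is an
assumption for illustration, not BitSight's actual scale or tiering logic.
"""
from dataclasses import dataclass
from enum import Enum


class Tier(Enum):
    ONE = "tier-1 critical"
    TWO = "tier-2 important"
    THREE = "tier-3 low"


@dataclass(frozen=True)
class Vendor:
    name: str
    rating: int                  # external security rating, assumed scale 250..900
    handles_sensitive_data: bool  # PII, credentials, financial or health data
    network_access: bool          # API keys into production, VPN, SSO integration
    business_critical: bool       # an outage stops a core business process


# Assumed organisation-wide risk tolerance: vendors below this are not considered.
MIN_RATING = 640

# Assumed per-tier policy: what the vendor must go through and how it is watched.
TIER_POLICY = {
    Tier.ONE: {"assessment": "full questionnaire + evidence review",
               "monitoring": "continuous", "review_days": 90},
    Tier.TWO: {"assessment": "standard questionnaire",
               "monitoring": "continuous", "review_days": 365},
    Tier.THREE: {"assessment": "self-attestation",
                 "monitoring": "event-driven", "review_days": 730},
}


def inherent_risk_score(v: Vendor) -> int:
    """Criticality score from what the vendor can reach, independent of its rating.
    Weights are assumptions: data access outweighs network access outweighs uptime."""
    return ((3 if v.handles_sensitive_data else 0)
            + (2 if v.network_access else 0)
            + (1 if v.business_critical else 0))


def assign_tier(v: Vendor) -> Tier:
    """Map the criticality score onto a tier (assumed cut-offs)."""
    score = inherent_risk_score(v)
    if score >= 5:
        return Tier.ONE
    if score >= 2:
        return Tier.TWO
    return Tier.THREE


def screen(vendors, min_rating=MIN_RATING):
    """Step 1, the threshold gate: split candidates into (accepted, rejected)."""
    accepted = [v for v in vendors if v.rating >= min_rating]
    rejected = [v for v in vendors if v.rating < min_rating]
    return accepted, rejected


def onboarding_plan(vendors, min_rating=MIN_RATING):
    """Step 2: tier each accepted vendor and attach its tier's policy.
    Returns (plan keyed by vendor name, list of rejected vendor names)."""
    accepted, rejected = screen(vendors, min_rating)
    plan = {}
    for v in accepted:
        tier = assign_tier(v)
        plan[v.name] = {"tier": tier, **TIER_POLICY[tier]}
    return plan, [v.name for v in rejected]


def needs_reassessment(v: Vendor, previous_rating: int, tier: Tier,
                       drop=40, min_rating=MIN_RATING) -> bool:
    """Continuous-monitoring rule for tiers that get it: flag a vendor whose rating
    fell below the threshold or dropped sharply since the last check. Event-driven
    tiers are not flagged here; they are re-evaluated only on a reported incident."""
    if TIER_POLICY[tier]["monitoring"] != "continuous":
        return False
    return v.rating < min_rating or previous_rating - v.rating >= drop


# Constructed sample portfolio (fictional vendors, invented ratings).
SAMPLE_VENDORS = [
    Vendor("benefits-admin", 710, True, True, False),
    Vendor("payroll-saas", 760, True, False, True),
    Vendor("office-plants", 590, False, False, False),
    Vendor("swag-printer", 680, False, False, False),
    Vendor("sso-provider", 800, True, True, True),
]

if __name__ == "__main__":
    plan, rejected = onboarding_plan(SAMPLE_VENDORS)
    for name, entry in plan.items():
        print(f"{name:15} {entry['tier'].value:18} {entry['assessment']}")
    print("rejected at threshold:", rejected)
    # A tier-1 vendor whose rating slid under the threshold gets flagged for review.
    slipped = Vendor("sso-provider", 620, True, True, True)
    print("sso-provider needs reassessment:",
          needs_reassessment(slipped, previous_rating=800, tier=Tier.ONE))
```

The point of encoding the policy this way is that the threshold and the tier rules live in one place that every business unit applies identically, which is what makes the “everyone is on the same page” outcome described below achievable rather than aspirational.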

Where You’ll See Improved Efficiency

Finding the right vendor management policies can make a huge difference to program efficiency, which in turn lets the company as a whole operate without cybersecurity becoming a roadblock. The right policies save the company money by speeding up vendor onboarding using BitSight security ratings. Security ratings allow companies’ security programs to be compared with one another because they are calculated from the same types of data and independently of the size of the organization.

Tiering and risk thresholds create a standard way of looking at a vendor across all company units, because everyone who deals with vendors knows what the company’s risk tolerance is. When everyone is on the same page there is little room for confusion and less need for repeated meetings when working with a new vendor. Implementing the right vendor management policies lets your security team do more with the resources it already has.

The Time Is Now For Transformation

Many businesses are already being forced to change their processes by the pandemic. While your business is already in flux, now is a good time to introduce cybersecurity policies that prioritize efficiency and can save your organization time and money.

To learn more about implementing the right vendor management policies, download our guide on vendor lifecycle efficiency:

3 Ways to Make Your Vendor Lifecycle More Efficient