Vendor Risk Management

Do You Have The Right Vendor Management Policies?

Kaitlyn Graham | September 10, 2020

If you’re experiencing frustrating delays and procedural roadblocks during your vendor management process, you’re not alone. Security managers are seeing an increase in the number of third-parties integrating with their business, and Gartner reports that “60% of organizations are now working with more than 1,000 third parties”.

The problem lies in inefficient programs that can’t handle the onslaught of new vendors because they rely on manual coordination with the business departments needed to manage each vendor. Onboarding, sometimes dreaded by a company’s security team or legal department, requires resources and cooperation from both the organization and the vendor to ensure the proper documentation and data are exchanged between the two companies.

The organization is responsible for properly evaluating a third party during onboarding to ensure the two companies’ processes are aligned. Whatever a company misses during onboarding is on them, which is why time is taken to cover all the bases. Onboarding does not have to be a time-consuming and costly process if security leaders have the right vendor management policies in place to work together with their business teams.

Where Can You Adapt Your Process?

As part of the procurement process, it is a security professional’s job to evaluate a potential vendor’s security posture and management. When someone on your company’s HR team comes to you with a new, potentially cheaper vendor to manage employee benefits, what are the policies that come into play? Maybe the first step is pulling up the standardized document of “new vendor due diligence” requirements and forwarding it to the vendor, or discussing the budget for new vendors with the finance team. These steps are common in many organizations when it comes to vendor management.

Just because there are common vendor onboarding strategies doesn’t mean they are the most efficient way to go about the process. What if security standards were set before a third party was even introduced to the company, so that vendors who fail them are eliminated from consideration up front? Publishing security guidelines for new vendors that are available across the organization enables the business by keeping cybersecurity at the forefront of third-party management.

Establishing A Risk Tolerance 

Deciding on the maximum risk you’re willing to take with a vendor will help narrow down the list of vendors to evaluate, giving the security team back some of the time it spends evaluating vendors. Instead of spreading their resources thin, security professionals can focus more deeply on the companies that matter to them.

One way to establish the risk you’re willing to take with your vendors, and to keep that standard consistent across all departments, is through a security rating. BitSight for Third-Party Risk Management provides an external, objective view into a vendor’s cybersecurity to help users obtain a real, trusted view of their third parties. Companies can use BitSight vendor security ratings to set a minimum rating a vendor must meet to be considered by the company.

BitSight allows users to compare their third parties’ security ratings, even when the companies have experienced different types of cybersecurity events. If a company uses a BitSight security rating to weed out third parties who fall below the allowed risk threshold, the vendor selection and onboarding process can be narrowed down to only companies that have secure systems in place.

Setting Tiers To Enable Easier Onboarding

Finding a risk threshold your organization is comfortable with for new vendors is a great way to implement efficient vendor management policies. An impactful next step that helps your third-party risk program grow and properly manage your vendors is to tier your third parties based on risk and criticality.

Vendor criticality is one factor to consider when deciding on the inherent risk a third party holds, and it can also be used to group your vendors into easy-to-manage tiers. Tiering sorts all of your existing vendors into tiers based on how close they are to sensitive company information. With BitSight’s tier recommender service, organizations can see a suggested tier for each vendor, determined by the nature of the third party and how risky its cybersecurity standing is.

Policy Change As A Result Of Tiering

When a company tiers its vendors, it can then implement policies for all vendors that fall into a given tier, removing the inefficiencies that arise when certain vendors are over-assessed or under-assessed. Top-tier vendors might require continuous monitoring of their cybersecurity standing to catch malicious activity before it causes harm, because even a slight breach in their systems could lead to major damage to the companies they work with. Lower-tier vendors might only need to be evaluated when a breach is detected.

Where a third party falls in your organization’s tiering system can help determine the level of assessment it requires. Tiering removes excessive work on vendors that don’t require it, so that the same resources can be used to better manage top-tier vendors.

Where You’ll See Improved Efficiency 

Finding the right vendor management policies can make a huge difference to program efficiency, which in turn allows the company as a whole to function without cybersecurity as a roadblock. The right vendor management policies will save the company money by speeding up vendor onboarding using each vendor’s BitSight security rating. Security ratings allow companies’ security programs to be compared with each other because they are calculated from the same types of data and independent of the size of the organization.

Tiering and risk thresholds together create a standard way of looking at a vendor across all company units, because everyone who deals with vendors is clear on what the company’s risk tolerance is. When everyone is on the same page, there is little room for confusion and less need for multiple meetings when working with a new vendor. Implementing the right vendor management policies will allow your security team to do more with the resources it already has.

The Time Is Now For Transformation

Many businesses are already being forced to accept changes in their processes in the new pandemic-focused world. While your business is already experiencing change, now is a great time to introduce cybersecurity policies that emphasize efficiency and can save your organization time and money.

To learn more about implementing the right vendor management policies, please download our guide on vendor lifecycle efficiency, 3 Ways to Make Your Vendor Lifecycle More Efficient.

