third party risk management

How to Determine the Right Level of Vendor Assessment

Kim Johnson | April 27, 2020

When onboarding new vendors, it takes the median company an average of 90 days to complete due diligence — 20 days longer than it did four years ago, according to Gartner. In a competitive business climate where speed can be the difference between success and failure, a lengthy onboarding process undercuts your organization’s efforts at digital transformation and growth acceleration. And now, with as much as 75% of the workforce in some industries shifting to remote work due to the coronavirus outbreak, finding operational efficiencies in your onboarding process is more important than ever.

So, how can you speed up your onboarding process, while still maintaining a high security standard? It all comes down to determining the right level of vendor assessment for each potential third party.

No two vendors are the same

It’s time to leave the one-size-fits-all onboarding process behind. After all, different vendors present variable risk levels — and should not all be evaluated using the same cookie-cutter approach. For instance, a payroll provider working with sensitive employee and company information represents a much higher level of inherent risk than a food service provider that doesn’t have direct access to your network. 

Instead of wasting time doing long, full-blown assessments on every vendor, allocate your resources to those that require greater due diligence. Doing so will empower you to reap the benefits of your technology as quickly as possible.

Take the two steps outlined below to streamline your onboarding process:

1. Define whether the vendor is “critical”

First things first: Before you begin an assessment, you must evaluate how critical that third party is to your organization.

To identify whether a particular vendor meets this criteria, consider asking:

  • What type of data will they hold?
  • Would you face financial or reputational harm if this data was compromised?
  • What is this vendor being used for?
  • How critical is this use case to your business operations?
  • Will the vendor have persistent access across your network?

While a critical vendor may require a full-blown, on-site evaluation, performing that same level of assessment on a non-critical vendor could be a waste of your time and resources.

2. Evaluate the vendor’s security posture

Your next step in determining the right type of assessment is evaluating the potential third party’s security posture. In particular, you should assess the number and severity of security issues they have that should be reviewed and acted on.

When undergoing this process, it’s beneficial to have a common set of standards that are clear and easy to understand. As security ratings are a data-driven, objective, and dynamic measure of security performance, this KPI is used by thousands of organizations around the world to assess and manage cyber risk.

You can use this data throughout the onboarding process — starting with the evaluation, RFP, and procurement phases. Once you’ve established rules regarding what your organization deems to be an acceptable level of risk, you can optimize and prioritize your risk assessment strategies based on each vendor’s security rating.

For instance, if a vendor receives a high rating, you may opt to forgo some of the common hard inquiries and reduce the number of questions you ask. On the other hand, if a third party has a particularly low security rating, you can choose to conduct a more in-depth assessment — or perhaps even decide to eliminate that vendor from consideration altogether.

A faster, less costly, and more scalable onboarding process

Once you understand each prospective vendor’s criticality to your organization and overall security risk, you have all the tools you need to determine the right level of assessment — from a streamlined, basic questionnaire to a full-blown evaluation with an on-site visit. Of course, the ultimate decision comes down to your organization and the specific rules you set. In an effort to streamline the process, make sure these guidelines are documented, so your whole organization is aware of the types of triggers and conditions that will define the type of assessment to be conducted. After all, protecting your organization from cyber risk is a team effort — involving everyone from legal to finance to procurement.

Interested in learning more about streamlining your onboarding process? Download our new white paper, Faster, Less Costly, and More Scalable: Here’s how your vendor onboarding program can have all three.

New call-to-action

Suggested Posts

How and When to Reassess Your Vendor’s Cybersecurity Posture

From a security perspective, your work isn’t done when a new vendor signs on the dotted line. After the onboarding process is complete, you must implement continuous monitoring practices to ensure your new third-party maintains the desired...

READ MORE »

Vendor Contract Do’s and Don’ts

According to an Opus and Ponemon Institute study, 59% of companies have experienced a data breach caused by one of their vendors or third parties — while only 16% claim they effectively mitigate third-party risks. Don’t be a part of these...

READ MORE »

How to Determine the Right Level of Vendor Assessment

When onboarding new vendors, it takes the median company an average of 90 days to complete due diligence — 20 days longer than it did four years ago, according to Gartner. In a competitive business climate where speed can be the difference...

READ MORE »

Subscribe to get security news and updates in your inbox.