Analyzing Vendor Risk Tools: Vulnerability Scans, Penetration Tests & More

This is a two-part blog post. In the first part, you'll find five things to keep in mind when selecting vendor management software. In the second part, you'll read about the pros and cons of the many vendor risk management tools organizations have for assessing third-party vendors.

Vendor management is a pretty broad category with a lot of implications. And when you think about traditional vendor management software systems, financial capabilities like payroll and accounting are likely what come to mind.

But when you’re considering a vendor management software solution, there’s a critical component you shouldn’t forget: risk. Managing and mitigating cyber risk is absolutely crucial to your overall vendor management plan and should be taken into consideration as you begin your search for software to manage your process.

Below, we’ve detailed a few things you must keep in mind as you craft the right software solution for your organization.

1. The Vendor Lifecycle

When you’re buying vendor management solutions, you’re initially focused on the evaluation, selection, and onboarding of your vendors. But be sure to keep in mind the duration of the contract itself. The goal of successful vendor management software is to integrate data across the vendor lifecycle—so make sure the functionality you need to maintain your vendors in the long term is built in.

2. Static & Dynamic Elements

Some components of vendor management are set in stone—like the price at which you agree to purchase a product or service. But some can change on an hourly or daily basis—like the security posture of your third parties. Your vendor management software should take these differences into account and let you monitor the static and dynamic elements separately.

3. API

Your vendor management software solutions have to be able to ingest many different kinds of data. And because there isn’t one single solution that walks you through the entire vendor lifecycle and covers every angle, you’re likely looking for several pieces of software that you can integrate into a company-wide management system. If you want to do this successfully, be sure each piece of software exposes an API so the pieces interoperate and can exchange data with one another.

4. Dashboards & Metrics

Purchasing software that includes dashboards and performance metric capabilities is a great way to help you visualize your state of play. A dashboard is a business intelligence tool that helps you visualize large sets of data, which may be critical if you want to examine how your vendors are performing on a particular issue. Metrics, which are quantifiable measures, can allow your organization to report up the chain to the CEO and board on how effective you are at vendor management as a whole. Together these tools are indispensable.

5. Continuous Monitoring

As mentioned, cyber risk is a huge part of a comprehensive vendor management program—but using traditional risk assessment methodologies alone isn’t going to cut it. Assessments, audits, penetration tests, and vulnerability scans are all part of the process, but they aren’t enough. If you add a continuous monitoring solution to your software mix, it will give you the answers you need about your vendors’ ongoing security posture (instead of fixating on a snapshot in time).

In Conclusion

Remember: vendor management used to just be a part of third-party procurement and acquisitions—but now it’s moved into legal, IT, cybersecurity, risk, and so much more. And because there are many people in a given organization who have interest in vendor management today, the software selection process should take all of their needs into account as well.

Part 2: The Pros And Cons Of Vendor Risk Management Tools

Earlier this month, it was discovered that Anthem denied a government auditor’s request to perform vulnerability scans on Anthem’s IT systems, both in 2013 and for a scan planned for this coming summer. This Data Breach Today piece details both why the enterprise was justified in its refusal and why it was a poor choice.

Regardless of whether it was the right call to make, the situation displays the challenges an enterprise faces whenever it wants to evaluate the information security performance of a vendor, partner, or other third party. Vendors may not agree to intrusive vulnerability scans, penetration tests, or other assessment methods, making it difficult for organizations to verify the security postures of third parties. With vendor risk management models moving towards a “trust but verify” approach, we take a look at the vendor risk management tools organizations have for assessing third parties in this challenging environment.

Vulnerability Scans

Vulnerability scans are a broad-reaching way to discover the potential weaknesses that exist within a network. When third parties allow you to scan their networks, you get an in-depth look at the level of cyber risk they are exposing your company to. However, it’s not out of the ordinary for a large company to have thousands of vendors in its extended ecosystem, and due to the high cost of vulnerability scans, scanning every vendor’s network is not a practical solution.

Penetration Tests

If you want to evaluate a network’s information security performance, a penetration test is a method you can use to your advantage. After discovering a vulnerability, a pen test will challenge the network’s tolerance for an attack through that weakness. Unfortunately, like vulnerability scans, pen tests are expensive and require permission from the third party to carry out.

Questionnaires & Audits

It can be helpful to see a qualitative view of an enterprise’s performance, and a security questionnaire accomplishes that goal. Questionnaires assess what information security controls are in place. The issue with this type of assessment is that there’s often a gap between what a vendor believes and what’s actually the case. You can also get very different results from different assessors, because audits aren’t always conducted the same way.

Continuous Monitoring & Security Ratings

Continuous monitoring solutions, like Bitsight Security Ratings, offer an evidence-based assessment using data sources from all over the internet to see what activity is coming from a given network. These solutions do not require any investment of time or permission from the organization being observed. They are used most effectively when combined with other assessment tools. Today, many organizations are using Security Ratings to augment their vendor risk programs with ongoing monitoring.

While no single tool shows the whole picture, using them in combination with each other can augment your visibility into third parties’ information security and help you trust AND verify vendor security performance.