Should Cybersecurity Have a Voice in Vendor Procurement?

Business leaders now realize that their data is being exposed to risk by their vendors, and that monitoring and remediating these threats is a necessary part of an effective cybersecurity program.

However, even companies with strong vendor risk management programs have an arbitrary barrier between procurement and security.

The job of choosing a vendor belongs to one team, and the job of assessing whether that vendor is exposing the organization to cyber risk belongs to another. In some cases, a vendor’s cybersecurity is not even a consideration during the procurement process.

The Problem with Siloed Procurement

When procurement teams fail to consider cybersecurity, they can put the organization at risk.

Let’s say your company is looking for a new video conferencing solution. You examine the organization’s needs and develop selection criteria. You put out an RFP. You select a few solutions for live demos. Finally, you choose a solution, write up a contract, and sign the deal.

At what point are IT and cybersecurity teams called in to analyze the risk of these vendors? At many companies, this analysis occurs after finalists have been selected and just before a deal is finalized. Of a shortlist of five video conferencing solutions, only one might have adequate cybersecurity performance to be accepted as a vendor. This vendor might be chosen by default, but are they really the best choice for the organization? And is “adequacy” always the best way to judge a vendor?

The issue is that cybersecurity performance is treated as a final check on selected candidates, rather than an integral part of the selection criteria. In reality, cybersecurity should be as much of a consideration as cost, services, experience, customer reviews, or any other method for selecting a third party.

This way, the companies that make it to the shortlist won’t need to be checked to make sure their cybersecurity performance is passing. Instead, they’ll be companies whose cybersecurity performance is best-in-class.

A Better Procurement Method

There are a few reasons why a procurement process would only include security due diligence towards the end of evaluations. Maybe it was just an oversight, or maybe IT and security just don’t have the bandwidth or resources to play a bigger part in the process. A procurement professional might argue that the timeline for a vendor risk assessment (sometimes a few weeks) would cause the process to drag on for too long.

security ratings snapshot example

Request your free Security Rating Snapshot to find the gaps in your security program and how you compare to others in your industry.

Get Your Rating
Button Arrow

However, continuous monitoring tools like BitSight Security Ratings provide instant insights with which procurement and security teams can conduct due diligence. While it’s always possible that a detailed questionnaire might reveal some internal protocols or policies not picked up by an outside-in analysis, security ratings are proven to correlate to data breaches and accurately indicate the overall cybersecurity posture of a given vendor.

Best of all, IT and security don’t need to be a blocker or speed bump in the overall process. If the procurement team is given access to the BitSight platform and are aware of the organization’s risk appetite, they can easily enter the name of every organization that responds to the RFP and see at a glance whether they would be an acceptable choice from a security standpoint.

Get it in Writing

The most important reason for cybersecurity to have a voice in procurement? The ability to put security obligations in the contract.

As a vendor’s products and services become more and more entrenched in an organization’s operations, it becomes more difficult for the company to affect their behavior. In addition, some smaller organizations might simply not have enough sway to influence the cybersecurity of their third parties.

Using security ratings, organizations are able to track vendor security performance over time. Accordingly, vendor contracts can be written to include security improvement incentives or requirements. For example, company A might indicate that if their video conferencing provider improves their security posture within 6 months, the vendor may receive a bonus.

One of the simplest ways to improve your own organization’s security posture is to stop making deals with risky third parties. With the technology available today, this is an incredibly small change — but it might just be the one that prevents the next data breach.

Is your organization following third-party vendor risk management best practices? Download our ebook to find out.