Why Vendor Management Best Practices Should Be A Little More Risky

Prioritizing vendors based on risk is considered a vendor risk management best practice. But how do you do this? To start, let’s look at a commonly referred-to equation:

Risk = Threat x Vulnerability x Consequence

While this risk equation may be helpful in some ways, it’s also tough to use. Why? Because it’s extremely difficult—if not impossible—to assign a value to threat and vulnerability. Most organizations should assume a high level of threat and vulnerability, no matter what. (So, if you are assuming each variable in this equation is assigned a value between zero and one, threat and vulnerability would both have a value of one.) Simply put, there will always be individuals with malicious intentions who may target your organization, who can exploit common vulnerabilities in your IT systems. It’s hard to do much to change this reality.

That leaves the final part of the equation: consequence. The difference here is that you know the consequence to you if a vendor is knocked offline for a number of days, or if your data is somehow compromised or stolen due in part to one of your vendors. Because of this, you can assign a value to consequence. By understanding the consequence of a cyber incident affecting your vendors, you can truly begin to focus your vendor risk management program on those organizations that are most critical to you and adopt vendor management best practices.

All of this raises a simple question: “What should I be doing to make my vendor management practices a little more focused on risk?” Below, we’ve outlined four critical best practices that your organization can get started with today.

4 Important Vendor Management Best Practices

  1. Perform a risk assessment. A risk assessment helps organizations understand what kind of data is valuable to them, whether that is pricing information, R&D, customer data, financial data, or something else. This information should be identified and located: does it all live in-house, or do we trust some third and even fourth parties to keep and store that data? Past that, it’s vital to understand who has access to that data and to limit privileges as much as possible. Third-party vendor risk management plays a huge role here, because you need to know what is happening to your data when it’s outside of your organization.
  2. Develop a strategy. Once you’ve assessed what kind of data you have, what is important, where it is located, and who has access to it, you need a strategy to keep your data secure. You should focus on creating a governance program that explains to both employees and third parties how to use and interact with the data. This program may lay out how the data is encrypted, who (or how many people) can access it, what will happen with new data, where it is stored, and more. The strategy should include your security expectations for your vendors so they know what standards they are expected to meet to secure your data.
  3. Decide on technology. Now that you have a plan of action in place, it’s important to determine which technologies you’ll use to monitor who is interacting with your data, whether there are any security issues, and how you will be alerted when new issues arise. Having a strategy in place without the right technical controls is only half the battle. Just as you would continuously monitor your own internal network for security incidents, there are now continuous monitoring solutions to observe your vendors in real time.
  4. Prepare for a crisis. You’ve taken the appropriate measures to help reduce the likelihood that a breach will occur. But bad things can happen even to those who have planned well in advance. You need to be prepared to respond immediately if your data is breached, particularly if it involves a third-party provider or business associate. This requires working with your third parties to make sure they understand their obligations to notify you in the event of an incident, because, believe it or not, vendors are not always legally required to notify you. Do they have the right plans in place? Do they have relationships with forensics teams and law enforcement? Are there notification procedures that you and your third parties have practiced and agreed to ahead of time? All of these questions need to be dealt with.
Building a successful vendor risk management (VRM) program requires you to focus your resources and energy on the third parties who are truly consequential to your organization. To find these vendors, think about where your most important data and technology dependence resides. By following these steps, you can be prepared for whatever comes your way.