Vendor Risk Management

Which Vendor Management Metrics & KPIs Should You Track For Cyber Risk?

Melissa Stevens | May 17, 2016

“You can’t manage what you can’t measure.”

This adage may be overused in business, but there’s a reason for it. Simply put, if you want to improve your vendor risk management program or get a better look at your vendor’s security posture, you’ll need to use several important metrics.

These metrics will help you monitor where you stand now and where you’re headed.

KPIs For Evaluating Your Vendor Management Program

1. The frequency with which you review your entire list of suppliers and vendors and designate those that are critical.

The process for identifying security threats begins with understanding two important designations: who your third parties are and who your critical third parties are. If this process is performed frequently, your organization is more likely to find third parties that have a surprising amount of access to your data or network, and thus should be deemed “critical.”

2. Percentage of critical vendors whose contracts have been updated to include certain cybersecurity implementations.

Of course, the best time to include the cybersecurity implementations you require from a vendor is when you onboard them. This makes it far easier to begin the business relationship with a clear understanding of security expectations.

But if you are just beginning your vendor risk management program — or have recently updated it — you may need to reevaluate your contracts. If this happens, you should monitor how many vendors you’ve required to revisit contractual agreements regarding cybersecurity best practices.

Tip: Be sure each of your contracts designates who should be notified in the event of any security breach to the vendor and how quickly this notification should take place.

3. Percentage of critical vendors you’ve required to purchase insurance policies that would cover you during an incident.

Cybersecurity liability insurance is in high demand for several good reasons — not the least of which is the ever-growing threat of sophisticated cyber attacks. Board members and company executives are becoming more aware of the weight targeted cyberattacks can hold.

Ensuring that your critical vendors purchase an insurance policy that also covers you as the first party isn’t just a good practice — it can be the difference between recovering some or all of a financial loss you may take if your vendor is compromised.

KPIs For Evaluating Each Of Your Vendors

1. Time it takes your vendors to remediate vulnerabilities.

This is also known as “patching cadence” — and it involves determining how many vulnerabilities your vendors have in their system and how many of the critical vulnerabilities have yet to be patched.

One of your vendors may, for example, purchase and deploy a new piece of software. This software could have a number of vulnerabilities that the software company releases patches for. It is critical for you to monitor how quickly your vendor is able to patch each of these vulnerabilities, because leaving vulnerabilities unpatched can increase the likelihood that the vulnerability will be exploited (potentially exposing your data).
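To make the patching-cadence metric concrete, here is an added example (not from the original post or from BitSight) that scores each vendor from a list of vulnerability records: median days from patch availability to remediation, how many critical vulnerabilities are still open, and how many of those have exceeded a remediation SLA. The vendor names, dates and the 30-day SLA are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Optional


@dataclass
class Vuln:
    vendor: str
    severity: str               # "critical", "high", "medium" or "low"
    patch_available: date       # date the fix was published by the software maker
    remediated: Optional[date]  # None while the vendor has not yet patched


def patching_cadence(vulns, as_of, critical_sla_days=30):
    """Per-vendor patching cadence as of a given date.

    Open vulnerabilities are not folded into the median (that would hide
    them); they are reported separately as a count and an oldest-age figure.
    """
    by_vendor = {}
    for v in vulns:
        by_vendor.setdefault(v.vendor, []).append(v)
    report = {}
    for vendor, items in by_vendor.items():
        closed = [(v.remediated - v.patch_available).days for v in items if v.remediated]
        open_critical = [v for v in items if v.remediated is None and v.severity == "critical"]
        ages = [(as_of - v.patch_available).days for v in open_critical]
        report[vendor] = {
            "total": len(items),
            "open_critical": len(open_critical),
            "median_days_to_patch": median(closed) if closed else None,
            "oldest_open_critical_days": max(ages, default=0),
            "critical_sla_breached": sum(1 for a in ages if a > critical_sla_days),
        }
    return report


# Constructed sample records; the vendors and dates are fictitious.
SAMPLE = [
    Vuln("acme-hosting", "critical", date(2016, 3, 1), date(2016, 3, 10)),
    Vuln("acme-hosting", "high", date(2016, 3, 5), date(2016, 3, 30)),
    Vuln("acme-hosting", "critical", date(2016, 4, 1), None),
    Vuln("globex-payroll", "critical", date(2016, 2, 1), date(2016, 2, 3)),
    Vuln("globex-payroll", "medium", date(2016, 2, 15), date(2016, 2, 20)),
    Vuln("globex-payroll", "low", date(2016, 4, 20), None),
]


def sample_report():
    return patching_cadence(SAMPLE, date(2016, 5, 17))


if __name__ == "__main__":
    for vendor, stats in sample_report().items():
        print(vendor, stats)
```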

2. Time it takes your vendors to respond to security incidents.

A security incident is an actual exploitation of a system — not just the threat of it. So you will most certainly be concerned with how quickly your vendors are able to identify threats and respond appropriately to them. Unsurprisingly, the longer it takes for these incidents to be shut down, the greater the chance that your data will be compromised as well.

The catch here is that virtually no company will want to provide you with these metrics. They may not be tracking this metric themselves, or they could be performing poorly. In fact, when you use traditional vendor monitoring methods, there are a limited number of things you can glean about a third party’s cybersecurity effectiveness. You can view recent audits, conduct assessments, perform on-site interviews, and review documentation, but these methods take time and are completely subjective.

Because of this, having a security rating platform like BitSight that is able to alert you to potential security incidents when they happen is highly useful — not only for your vendors, but in your own organization as well.

