Which Vendor Management Metrics Should You Be Tracking?

“You can’t manage what you can’t measure.”

This adage may be overused in business, but there is a reason for it. Simply put, if you want to make your vendor risk management program more efficient, or get a clearer view of your vendors' security posture, you need a small set of metrics you track consistently.

These vendor management metrics will help you monitor where you stand now and what you need to reach your goals.

Finding The Right Vendor Management Metrics For Your Program

1. How frequently you review your entire list of suppliers and vendors and designate those that are critical.

The process for identifying security threats begins with an important designation: who your critical third parties are. If this review is performed frequently as part of your core vendor management metrics, your organization is more likely to find third parties that have a surprising amount of access to your sensitive data or network controls and should therefore be deemed "critical." A vendor's criticality is driven by the access it holds, not by the size of its contract.

2. Percentage of critical vendors whose contracts have been updated to include certain cybersecurity standards.

The best time to set cybersecurity requirements for a vendor is when you onboard them. This makes it far easier to begin the business relationship with a clear, written understanding of security expectations.

But if you are just beginning your vendor risk management program, or have recently updated it, you may need to reevaluate existing contracts. In that case, track how many critical vendors still have contracts that need to be renegotiated, and how many have already been brought up to your current standard.

Tip: Be sure each contract designates who at your organization must be notified in the event of a security breach at the vendor, how quickly that notification must take place, and what information it must contain.

3. Percentage of critical vendors you've required to purchase insurance policies that would cover you during an incident.

Cybersecurity liability insurance is in high demand for several good reasons — not the least of which is the ever-growing threat of sophisticated cyber attacks. Board members and company executives are becoming more aware of the weight targeted cyberattacks can hold.

Ensuring that your critical vendors carry an insurance policy that also covers you as a first party is not just a good vendor management metric to track. It can be the difference between recovering some, all, or none of the financial loss you take if a vendor is compromised.

Top Two Vendor KPIs

1. Time it takes your vendors to remediate vulnerabilities.

This is also known as "patching cadence": how many vulnerabilities exist in your vendors' systems, how quickly they are fixed once a patch is available, and how many of the critical ones remain unpatched.

One of your vendors may, for example, purchase and deploy a new piece of software. That software may have a number of vulnerabilities for which the software company releases patches. It is critical to monitor how quickly your vendor applies each of these patches as part of your vendor management metrics, because every day a known vulnerability stays unpatched increases the likelihood that it will be exploited and expose your data.
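Patching cadence is easy to describe and easy to compute badly: a simple average of time-to-patch silently ignores the vulnerabilities that are still open, which are exactly the ones you care about. The following is an added example, not code from the original article or from Bitsight, that computes the metric from a list of vulnerability findings per vendor. The finding records, the vendor name, the VULN-nnn identifiers and the SLA thresholds are all constructed for illustration and are not an industry standard; substitute your own contractually agreed SLA values.

```python
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Optional

# Assumed SLA, in days, for how long a vendor may leave a vulnerability
# open after the fix is available. Constructed values, not a standard.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


@dataclass(frozen=True)
class Finding:
    vendor: str
    vuln_id: str               # constructed placeholder identifier
    severity: str              # one of the keys of SLA_DAYS
    patch_available: date      # date the vendor's supplier published the fix
    patched_on: Optional[date] # None while the vendor has not yet applied it


def days_open(f: Finding, as_of: date) -> int:
    """Days between fix availability and the patch date, or until `as_of` if still open."""
    end = f.patched_on if f.patched_on is not None else as_of
    return (end - f.patch_available).days


def patching_cadence(findings: list[Finding], as_of: date) -> dict:
    """Per-severity patching cadence for one vendor.

    median_days_to_patch is computed over closed findings only, so it is
    optimistic; `open` and `pct_over_sla` expose what the median hides.
    A finding breaches the SLA if it was patched late OR is still open
    past the SLA window as of `as_of`.
    """
    metrics = {}
    for sev, sla in SLA_DAYS.items():
        sev_findings = [f for f in findings if f.severity == sev]
        if not sev_findings:
            continue
        closed = [f for f in sev_findings if f.patched_on is not None]
        still_open = [f for f in sev_findings if f.patched_on is None]
        overdue = [f for f in sev_findings if days_open(f, as_of) > sla]
        metrics[sev] = {
            "total": len(sev_findings),
            "open": len(still_open),
            "median_days_to_patch": median(days_open(f, as_of) for f in closed) if closed else None,
            "pct_over_sla": round(100 * len(overdue) / len(sev_findings), 1),
        }
    return metrics


def sample_findings() -> list[Finding]:
    """Constructed sample data for a hypothetical vendor; not real findings."""
    v = "Example Hosting Co"
    return [
        Finding(v, "VULN-001", "critical", date(2024, 6, 1), date(2024, 6, 5)),   # 4 days
        Finding(v, "VULN-002", "critical", date(2024, 6, 3), date(2024, 6, 20)),  # 17 days, late
        Finding(v, "VULN-003", "critical", date(2024, 6, 10), None),              # open, late
        Finding(v, "VULN-004", "high", date(2024, 5, 1), date(2024, 5, 20)),      # 19 days
        Finding(v, "VULN-005", "high", date(2024, 6, 25), None),                  # open, in SLA
        Finding(v, "VULN-006", "medium", date(2024, 3, 1), date(2024, 4, 15)),    # 45 days
    ]


if __name__ == "__main__":
    as_of = date(2024, 6, 30)
    for sev, m in patching_cadence(sample_findings(), as_of).items():
        print(f"{sev:>8}: total={m['total']} open={m['open']} "
              f"median_days={m['median_days_to_patch']} over_sla={m['pct_over_sla']}%")
```

With the constructed data, the vendor's median time to patch criticals is 10.5 days, which looks tolerable until you see that two of the three criticals breached the 7-day SLA and one is still open. Tracking the SLA-breach percentage and the open count alongside the median is what makes this KPI useful in a vendor review.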

2. Time it takes your vendors to respond to security incidents.

A security incident is a confirmed compromise of a system, not just the possibility of one. So you will certainly be concerned with how quickly your vendors detect incidents and how quickly they contain them. Unsurprisingly, the longer an incident runs before it is shut down, the greater the chance that your data is compromised along with the vendor's.

The catch is that virtually no company will volunteer this vendor management metric. They may not be tracking it themselves, or they may be performing poorly. In fact, traditional vendor monitoring methods reveal only a limited amount about a third party's cybersecurity effectiveness. You can review recent security audits, conduct assessments, perform on-site interviews, and read documentation, but these methods are slow, point-in-time, and largely subjective.

Having a security rating platform like Bitsight that is able to alert you to potential security incidents when they happen is highly useful — not only for your vendor management metrics, but in monitoring your own cybersecurity as well.

Need a place to start for your vendor management program? Here are some cyber risk assessment templates that can help you get off the ground. Or you can build it from the ground up, starting with the following eBook.