Vendor Onboarding 101: Balancing Security and Speed
Kim Johnson | April 6, 2020
In today’s ever-evolving, competitive business climate, organizations are partnering with more and more vendors to ensure they’re as agile, flexible, and efficient as possible. Now, at a time when as much as 75% of the workforce is shifting to remote work in some industries, this is more true than ever — with organizations seeking to rapidly acquire new software and technology to help accommodate new business requirements.
While these partnerships can empower your business to go to market faster and beat the competition, bringing in new vendors often requires a vigorous and extensive onboarding process — a seemingly overwhelming feat when, according to Gartner, 60% of organizations are now working with more than 1,000 third parties.
As a security leader, you’re often stuck between a rock and a hard place when it comes time to evaluate potential third parties. While you must ensure that each prospective vendor maintains an acceptable security posture (and thereby won’t introduce unwanted risk into your ecosystem), you’ll often feel pressure from above to onboard new vendors quickly — as leadership will want to maximize the value from third parties immediately. Here are three key strategies you can adopt today to onboard new vendors as securely and quickly as possible.
1. Prioritize your vendor analysis
Before you begin the evaluation and onboarding process, it’s important to remind yourself of one simple truth: No two vendors are the same. Each third party presents a different level of risk, and therefore merits different treatment. For instance, a payroll provider working with sensitive employee and company information requires a much higher level of scrutiny than a non-critical vendor with limited access to your network. If you take a one-size-fits-all approach to onboarding — providing each prospective vendor with the same boilerplate questionnaires — your assessments will not be as customized, effective, or streamlined as they need to be.
Instead of evaluating every third party in the same manner, group and prioritize vendors based on their criticality to your business or the type of data they will be handling. Then get the most out of your valuable time by allocating resources to the areas that require greater due diligence.
2. Define thresholds for acceptable levels of risk
Of course, in order to conduct a valuable security evaluation, you must first define what your organization considers to be an acceptable level of risk. Once you’ve determined this threshold, you should work alongside your legal and financial teams to develop policies to enforce assessment requirements — and make sure each potential vendor is evaluated accordingly.
Make sure to establish criteria for both the total risk posed by the third party and any threats stemming from individual factors of their security posture, such as unpatched systems, legacy and unsupported technologies, or a history of malware infections.
3. Develop contract language that makes thresholds and remediation enforceable
After you’ve defined what your organization considers to be an acceptable risk threshold, it’s critical that you create contract language that requires your third parties to maintain this desired security posture over time. Specifically, your contracts should stipulate that vendors must:
Meet the agreed-upon risk threshold
Employ ongoing security monitoring
Respond to your security inquiries
Notify you about breaches promptly
Abide by mandates and timelines for remediation
In order to ensure that a vendor is conducting the necessary due diligence outlined above, you must establish a common set of standards that are clear and easy to understand. External data sources, such as security ratings, are ideal for this purpose.
Similar to a credit score, security ratings assign a numerical value to a third party’s security posture — with a higher number indicating a more secure environment. You can use these ratings to prescreen vendors during the evaluation phase, optimize your risk assessment strategies, and ensure your vendors remain secure throughout your relationship.
Streamline onboarding to empower your business
If your organization partners with a large number of third parties, it can become increasingly difficult to choose and evaluate potential vendors effectively. You may feel pressure from above to make decisions quickly, but rushing through assessments often leads to errors — which can open your organization up to unwanted cyber risk.
Given this scenario, it’s more important than ever that you optimize your onboarding resources. With an adaptive approach that takes each prospective vendor’s relationship and security posture into account when determining the appropriate level of assessment, you can save time, reduce costs, and scale with ease.
Cyber risk is everywhere. As organizations become increasingly interconnected — across business units, geographies, subsidiaries, remote offices, and third-party networks — the digital ecosystem is expanding rapidly. And this increased ...