Vendor Onboarding 101: Balancing Security and Speed

Kim Johnson | April 6, 2020

In today’s ever-evolving, competitive business climate, organizations are partnering with more and more vendors to ensure they’re as agile, flexible, and efficient as possible. Now, at a time when as much as 75% of the workforce is shifting to remote work in some industries, this is more true than ever — with organizations seeking to rapidly acquire new software and technology to help accommodate new business requirements.

While these partnerships can empower your business to go to market faster and beat the competition, bringing in new vendors often requires a vigorous and extensive onboarding process — a seemingly overwhelming feat when, according to Gartner, 60% of organizations are now working with more than 1,000 third parties.

As a security leader, you’re often stuck between a rock and a hard place when it comes time to evaluate potential third parties. While you must ensure that each prospective vendor maintains an acceptable security posture (and thereby won’t introduce unwanted risk into your ecosystem), you’ll often feel pressure from above to onboard new vendors quickly — as leadership will want to maximize the value from third parties immediately. Here are three key strategies you can adopt today to onboard new vendors as securely and quickly as possible.

1. Prioritize your vendor analysis

Before you begin the evaluation and onboarding process, it’s important to remind yourself of one simple truth: No two vendors are the same. Each third party presents a different level of risk, and therefore merits different treatment. For instance, a payroll provider working with sensitive employee and company information requires a much higher level of scrutiny than a non-critical vendor with limited access to your network. If you take a one-size-fits-all approach to onboarding — providing each prospective vendor with the same boilerplate questionnaires — your assessments will not be as customized, effective, or streamlined as they need to be.

Instead of evaluating every third party in the same manner, group and prioritize vendors based on their criticality to your business or the type of data they will be handling. Get the most out of your limited time by allocating resources to the vendors that require greater due diligence.

2. Define thresholds for acceptable levels of risk

Of course, in order to conduct a valuable security evaluation, you must first define what your organization considers to be an acceptable level of risk. Once you’ve determined this threshold, you should work alongside your legal and financial teams to develop policies to enforce assessment requirements — and make sure each potential vendor is evaluated accordingly.

Make sure to establish criteria for both the total risk posed by the third party and any threats stemming from individual factors of their security posture, such as unpatched systems, legacy and unsupported technologies, or a history of malware infections.

3. Develop contract language that makes thresholds and remediation enforceable

After you’ve defined what your organization considers to be an acceptable risk threshold, it’s critical that you create contract language that requires your third parties to maintain this desired security posture over time. Specifically, your contracts should stipulate that vendors must:

  • Meet the agreed-upon risk threshold
  • Employ ongoing security monitoring
  • Respond to your security inquiries
  • Notify you about breaches promptly
  • Abide by mandates and timelines for remediation

In order to verify that a vendor is meeting the obligations outlined above, you must establish a common set of standards that are clear and easy to understand. External data sources, such as security ratings, are ideal for this purpose.

Similar to a credit score, security ratings assign a numerical value to a third party’s security posture — with a higher number indicating a more secure environment. You can use these ratings to prescreen vendors during the evaluation phase, optimize your risk assessment strategies, and ensure your vendors remain secure throughout your relationship.

Streamline onboarding to empower your business

If your organization partners with a large number of third parties, it can become increasingly difficult to choose and evaluate potential vendors effectively. You may feel pressure from above to make decisions quickly, but rushing through assessments often leads to errors — which can open your organization up to unwanted cyber risk.

Given this scenario, it’s more important than ever that you optimize your onboarding resources. With an adaptive approach that takes each prospective vendor’s relationship and security posture into account when determining the appropriate level of assessment, you can save time, reduce costs, and scale with ease.

Interested in learning more about how to streamline your vendor onboarding process? Download our new white paper, Faster, Less Costly, and More Scalable: Here’s how your vendor onboarding program can have all three.
