
Vendor Onboarding 101: Balancing Security and Speed

Kim Johnson | April 6, 2020

In today’s ever-evolving, competitive business climate, organizations are partnering with more and more vendors to ensure they’re as agile, flexible, and efficient as possible. Now, at a time when as much as 75% of the workforce is shifting to remote work in some industries, this is more true than ever — with organizations seeking to rapidly acquire new software and technology to help accommodate new business requirements.

While these partnerships can empower your business to go to market faster and beat the competition, bringing in new vendors often requires a rigorous and extensive onboarding process, a seemingly overwhelming feat when, according to Gartner, 60% of organizations are now working with more than 1,000 third parties.

As a security leader, you’re often stuck between a rock and a hard place when it comes time to evaluate potential third parties. While you must ensure that each prospective vendor maintains an acceptable security posture (and thereby won’t introduce unwanted risk into your ecosystem), you’ll often feel pressure from above to onboard new vendors quickly — as leadership will want to maximize the value from third parties immediately. Here are three key strategies you can adopt today to onboard new vendors as securely and quickly as possible.

1. Prioritize your vendor analysis

Before you begin the evaluation and onboarding process, it’s important to remind yourself of one simple truth: no two vendors are the same. Each third party presents a different level of risk and therefore merits different treatment. For instance, a payroll provider working with sensitive employee and company information requires a much higher level of scrutiny than a non-critical vendor with limited access to your network. If you take a one-size-fits-all approach to onboarding, providing each prospective vendor with the same boilerplate questionnaires, your assessments will not be as customized, effective, or streamlined as they need to be.

Instead of evaluating every third party in the same manner, group and prioritize vendors based on their criticality to your business or the type of data they will be handling, and get the most out of your valuable time by allocating resources to the areas that require greater due diligence.

2. Define thresholds for acceptable levels of risk

Of course, in order to conduct a valuable security evaluation, you must first define what your organization considers to be an acceptable level of risk. Once you’ve determined this threshold, you should work alongside your legal and financial teams to develop policies to enforce assessment requirements, and make sure each potential vendor is evaluated accordingly.

Make sure to establish criteria for both the total risk posed by the third party and any threats stemming from individual factors of their security posture, such as unpatched systems, legacy and unsupported technologies, or a history of malware infections.

3. Develop contract language that makes thresholds and remediation enforceable

After you’ve defined what your organization considers to be an acceptable risk threshold, it’s critical that you create contract language that requires your third parties to maintain this desired security posture over time. Specifically, your contracts should stipulate that vendors must:

  • Meet the agreed-upon risk threshold
  • Employ ongoing security monitoring
  • Respond to your security inquiries
  • Notify you about breaches promptly
  • Abide by mandates and timelines for remediation

In order to ensure that a vendor is conducting the necessary due diligence outlined above, you must establish a common set of standards that are clear and easy to understand. External data sources, such as security ratings, are ideal for this purpose.

Similar to a credit score, security ratings assign a numerical value to a third party’s security posture, with a higher number indicating a more secure environment. You can use these ratings to prescreen vendors during the evaluation phase, optimize your risk assessment strategies, and ensure your vendors remain secure throughout your relationship.

Streamline onboarding to empower your business

If your organization partners with a large number of third parties, it can become increasingly difficult to choose and evaluate potential vendors effectively. You may feel pressure from above to make decisions quickly, but rushing through assessments often leads to errors, which can open your organization up to unwanted cyber risk.

Given this scenario, it’s more important than ever that you optimize your onboarding resources. With an adaptive approach that takes each prospective vendor’s relationship and security posture into account when determining the appropriate level of assessment, you can save time, reduce costs, and scale with ease.

Interested in learning more about how to streamline your vendor onboarding process? Download our new white paper, Faster, Less Costly, and More Scalable: Here’s how your vendor onboarding program can have all three.
