Vendor Risk Management

Which Third-Party Risk Management Tools Do You Really Need?

Kim Johnson | August 6, 2019

With high-profile breaches being traced back to supply chain vulnerabilities and a regulatory environment that’s waking up to the realities of vendor risk, many organizations are investing heavily in third-party risk management (TPRM) programs.

Effective third-party risk management, however, can be extremely challenging for even the most mature organizations. Many providers offer tools that claim to make TPRM easier and more comprehensive — but which of these solutions and tools do you really need?

There’s no one-size-fits-all approach; a number of variables will determine the best course of action for your business. However, whether you’re launching, growing, or optimizing your TPRM program, there are certain tools that any organization should have.

Integrated Risk Management Software

Even if your organization only has a handful of third-party vendors, it’s still important to use a management system to keep track of objectives and progress. This system can be as complex as integrated risk management (IRM) software, or as simple as a well-organized spreadsheet. 

If your organization only has five vendors, for example, a spreadsheet would likely suit your needs and be easy enough to manage. However, if your organization has 500 or 5000 vendors, investing in a dedicated TPRM software platform is probably a better solution — in the long run, it will make the process of scaling your TPRM program much simpler.

Regulations are another factor. Companies in heavily regulated industries like healthcare, finance, and utilities — even if they don’t have a huge vendor roster — might need full-featured TPRM software, which can be used to track the delivery and receipt of questionnaires, schedule penetration tests and on-site visits, manage review and assessment tasks, and generate reports for compliance purposes. Wide-reaching regulations like GDPR are also making TPRM-specific software more essential. 

Without a solid risk management tool, it’s easy for things to fall through the cracks, especially as a third-party vendor roster grows. In an area as high-stakes as cybersecurity, organizations can’t afford to let even the little things slip. 

Questionnaires

Though they’re not necessarily a “tool,” vendor risk questionnaires are the backbone of most comprehensive TPRM programs. Thorough, consistent, and well-designed questionnaires for your vendors to complete and return are critical to reducing third-party risk. 

While questionnaire templates are a good place to start, the questions should always be tailored to your particular industry and concerns. As your TPRM program matures, you’ll want to start adapting questionnaires for each vendor or partner, taking into consideration their past performance and the systems and data to which they have access. 

Traditionally, administering a questionnaire during the onboarding process and following up at regular intervals to ensure that security is being maintained (or better yet, improved) has been best practice. While this may change in the future thanks to continuous monitoring technologies, it’s still an important part of TPRM for many companies. 

However, questionnaires should not be the only component of a TPRM program — they can become inaccurate fast as new threats emerge and third-party security performance changes. Relying solely on questionnaires to assess cybersecurity gives you an incomplete picture of a third party’s security posture, so questionnaires are best utilized in addition to other TPRM tools.

Security Ratings

A 2018 study found that for 88% of organizations, it took over two weeks to assess vendors’ cybersecurity using manual methods such as questionnaires. When each assessment requires this much effort, it’s not possible to maintain a continuous picture of third-party risk. 

Continuous monitoring solutions like security ratings help cover the gaps between questionnaires by allowing companies to track third parties’ cybersecurity performance in near real time.

Security ratings are a data-driven, dynamic measurement of an organization’s cybersecurity performance. Ratings are derived from objective, verifiable information and created by independent organizations. Security ratings enable you to quickly ascertain a vendor’s cybersecurity posture, track changes to their performance over time, and identify their biggest vulnerabilities. 

In addition, because security ratings are easy-to-understand numbers that reflect actual cyber risk, they provide a clear frame of reference and makes it easier to communicate with stakeholders about cybersecurity. 

Conclusion

Which third-party risk management tools do you really need? It depends on your industry, level of TPRM program maturity, and the size of your vendor roster. However, starting from a foundation of robust management software and continuous monitoring will set you going in the right direction. 

Learn how to take a more confident approach toward third-party risk management. 

Third Party Risk Management

Suggested Posts

Third-Party Risk Management Best Practices for Enterprise

Companies are becoming increasingly reliant on third-party relationships, and cyber attacks originating in the systems of third parties are on the rise.

READ MORE »

Airbus Incident Shines Spotlight on Third-Party Vendor Security Risks

2019 has been a year of high-profile attacks, and, as we predicted, it’s only getting worse. That’s certainly the case for Airbus.

READ MORE »

A Vendor Risk Management Questionnaire Template

IT Risk Assessment Questions for Third Parties

Digital relationships with third-party vendors increase opportunities for growth, but they also increase opportunities for cyberattacks — a recent study found that 61% of U.S. companies said...

READ MORE »

Subscribe to get security news and updates in your inbox.