Security Scorecard

Best Practices for Strategic Vendor Management Policy

Posted on October 26th, 2020

Vendors are a critical piece of most organizations’ businesses. Vendors, particularly cloud-based services, help companies deliver services, streamline their business processes, and scale their operations quickly and efficiently.

With reliance on vendors, however, comes risk. Data breaches caused by third parties are more difficult to control, predict, or prevent than those that occur in-house, and they are also more expensive. Ponemon’s latest Cost of a Data Breach report once again found third-party involvement to be a cost amplifier: a breach in which a third party is involved costs an average of $207,411 more than the $3.86 million average cost of a data breach.

That sort of risk has meant that organizations look to vendor risk management (VRM) as a vital risk mitigation strategy. Managing vendor risk, however, can be overwhelming: organizations often work with many vendors and other third parties, and verifying every vendor’s controls is a difficult task.

To make vendor risk management programs easier to manage, companies need a clear and comprehensive vendor management policy. This policy should identify your riskiest vendors, define controls to minimize that risk, and act as a strong foundation for your vendor risk management strategy.

What is vendor management?

Vendor management is the process organizations use to manage their vendors, including third-party suppliers, consultants, software providers, and others. Vendor management includes activities such as controlling costs, reducing risks, negotiating contracts, and ensuring a mutually beneficial relationship between your organization and its vendors. Another crucial component of vendor management is data security: making sure your vendors take the precautions and steps needed to protect your company’s information.

Best practices for defining your vendor risk management policy for every business

It’s important to remember that your vendors are an extension of your enterprise. That’s why they’re a risk: some vendors have access to data and networks you would not want exposed, so a compromise of the vendor is a path into your organization. As you create your vendor risk management policy, you’ll follow many of the same processes you followed when you wrote your own cybersecurity policies.

1. Know who your vendors are

You may have a general idea of who your vendors are, but if you’re going to monitor them you need to know exactly who all of them are. That means going to each department and asking for a list of its vendors, because some departments own relationships the rest of the organization isn’t aware of. Aim for as complete a list as possible.

2. Know which vendors pose the most risk

When it comes to risk management, not all vendors are created equal. When you compile your list of vendors, you’ll want to do more than find out who they are: you also need to know what data, networks, software, and devices each vendor can access. Vendors without access to sensitive data or systems are lower-risk; if they’re attacked, you’re unlikely to suffer a breach as a result. Your cloud provider, by contrast, is high-risk: if it experiences a data incident, your data is exposed.

3. Set controls

Once you’ve identified the risks, you can set controls and metrics for the vendors that pose the greatest risk to your data. You can do this by defining the sorts of controls that you’ll require your vendors to use, and incorporating these controls into your policy and into contracts with any new vendors. You’ll also want to choose metrics that will help you measure your vendors’ compliance with these controls, such as time to install a security patch or time to detect a breach.

4. Continuously monitor

You’ve set controls and metrics for your vendors, but how can you actually tell how long it has taken them to install a patch or detect a breach? Continuous monitoring using a platform that monitors risk, such as security ratings, lets you track your vendors’ security posture in near real time instead of relying on the point-in-time snapshots provided by static methods such as questionnaires.
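Steps 1 through 4 above describe one procedure: build a single vendor inventory, tier each vendor by what it can reach, attach control thresholds to each tier, and then measure observed behaviour against those thresholds. The script below is an added example of that procedure in code; it is not SecurityScorecard’s code or product logic. The vendor names, department lists, SLA thresholds and patch dates are constructed for illustration, and the tiering rule (any sensitive-data or network access is high-risk) is one reasonable policy choice, not the only one.

```python
"""Vendor risk register: inventory, risk tiering, control SLAs, monitoring checks.

Added example, not SecurityScorecard code. All vendors, departments, dates and
SLA thresholds below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Vendor:
    name: str
    owners: frozenset            # departments that hold the relationship
    sensitive_data: bool         # access to PII, financials, credentials, source
    network_access: bool         # VPN accounts, API keys, agents on our hosts
    mission_critical: bool       # an outage halts a business process


# Hypothetical per-tier thresholds (days). Real values belong in the policy and
# in vendor contracts; these are constructed for the example.
PATCH_SLA_DAYS = {"high": 7, "medium": 30, "low": 90}


def normalise(name: str) -> str:
    """Key vendors by a normalised name so 'Acme Cloud' and 'acme cloud' merge."""
    return " ".join(name.lower().split())


def build_inventory(department_lists: Dict[str, List[dict]]) -> Dict[str, Vendor]:
    """Step 1: merge per-department vendor lists into one register.

    Duplicates are collapsed and their owning departments unioned. Access flags
    are OR-ed: if any department has given a vendor network access, the vendor
    has network access, whatever the other departments believe.
    """
    merged: Dict[str, dict] = {}
    for dept, entries in department_lists.items():
        for e in entries:
            cur = merged.setdefault(normalise(e["name"]), {
                "name": e["name"], "owners": set(), "sensitive_data": False,
                "network_access": False, "mission_critical": False})
            cur["owners"].add(dept)
            for flag in ("sensitive_data", "network_access", "mission_critical"):
                cur[flag] = cur[flag] or bool(e.get(flag, False))
    return {k: Vendor(v["name"], frozenset(v["owners"]), v["sensitive_data"],
                      v["network_access"], v["mission_critical"])
            for k, v in merged.items()}


def risk_tier(v: Vendor) -> str:
    """Step 2: tier by what the vendor can reach, not by contract size."""
    if v.sensitive_data or v.network_access:
        return "high"
    if v.mission_critical:
        return "medium"
    return "low"


@dataclass(frozen=True)
class PatchObservation:
    vendor: str
    advisory_published: date
    patch_installed: Optional[date]   # None = still unpatched as of the check date


def check_patch_sla(inventory: Dict[str, Vendor], observations: List[PatchObservation],
                    as_of: date) -> List[str]:
    """Steps 3 and 4: measure time-to-patch against the tier's SLA.

    An unpatched item is measured up to `as_of`, so a vendor that never reports
    a fix is still flagged once the window elapses. A vendor that reports patch
    data but is missing from the inventory is flagged as unmanaged (step 1 gap).
    """
    findings = []
    for obs in observations:
        v = inventory.get(normalise(obs.vendor))
        if v is None:
            findings.append(f"{obs.vendor}: not in inventory (unmanaged vendor)")
            continue
        tier = risk_tier(v)
        days = ((obs.patch_installed or as_of) - obs.advisory_published).days
        limit = PATCH_SLA_DAYS[tier]
        if days > limit:
            state = "patched" if obs.patch_installed else "still unpatched"
            findings.append(f"{v.name} ({tier}): {days}d to patch exceeds {limit}d SLA ({state})")
    return findings


# Constructed sample input: three departments, one vendor listed twice.
DEPARTMENT_LISTS = {
    "finance": [{"name": "Acme Cloud", "sensitive_data": True, "network_access": True,
                 "mission_critical": True},
                {"name": "Ledgerly Payroll", "sensitive_data": True}],
    "marketing": [{"name": "acme cloud", "mission_critical": True},
                  {"name": "SwagPrint"}],
    "ops": [{"name": "Monitorly", "network_access": True, "mission_critical": True}],
}
AS_OF = date(2020, 10, 1)
OBSERVATIONS = [
    PatchObservation("Acme Cloud", date(2020, 9, 1), date(2020, 9, 5)),        # 4d, within 7d
    PatchObservation("Ledgerly Payroll", date(2020, 9, 1), date(2020, 9, 20)), # 19d, over 7d
    PatchObservation("SwagPrint", date(2020, 7, 1), None),                     # 92d unpatched, over 90d
    PatchObservation("Monitorly", date(2020, 9, 25), None),                    # 6d unpatched, still within 7d
    PatchObservation("ShadowSaaS", date(2020, 9, 1), date(2020, 9, 2)),        # nobody listed this vendor
]

if __name__ == "__main__":
    inventory = build_inventory(DEPARTMENT_LISTS)
    for key, v in sorted(inventory.items()):
        print(f"{v.name:<16} tier={risk_tier(v):<6} owners={sorted(v.owners)}")
    for finding in check_patch_sla(inventory, OBSERVATIONS, AS_OF):
        print("FINDING:", finding)
```

Two behaviours are worth noting. The merge step is what turns “ask every department” into a usable register: the duplicate Acme Cloud entry from marketing carries no access flags, and without the OR-merge it would have hidden the network access finance granted. The SLA check measures open items against the check date rather than skipping them, so a vendor that goes quiet after an advisory still produces a finding.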

5. Know the difference between vendors and other third parties

When we talk about cybersecurity and breaches, the phrases “third party” and “vendor” are often used interchangeably. There are, however, differences between the two. Vendors sell goods and services; they can be an individual (a freelancer, for example) or an organization (a business). Third parties, as used here, are not individuals: they are business entities that provide mission-critical goods and services to an organization or its customers. The distinction matters because the controls you’d impose on an individual contractor differ from those you’d impose on a major channel partner, and the risks themselves differ.

6. Introduce zero-trust security

The core principle of zero trust is least-privileged access: no user, device, or application is trusted by default, and every request is authenticated and authorized on its own merits. An effective vendor risk management policy should therefore acknowledge that even the most trusted systems and entities can still pose a threat to the organization, and grant each vendor only the access its work actually requires. For that reason, adopting and enforcing zero-trust security is essential to minimizing the likelihood and impact of cyber attacks that exploit third-party access.

How SecurityScorecard can help

Managing third-party relationships, particularly monitoring them, can be an onerous administrative task. A tool that automates parts of the process can free up your team for higher-level tasks and make your organization safer.

Our intelligent tool, Atlas, uses advanced artificial intelligence to streamline the third-party risk management process. Using our platform, your organization can upload your vendors’ responses to questionnaires. Our machine learning compares those answers to previous questionnaires and to our platform’s own analytics, verifying vendor responses almost immediately, so you don’t have to devote personnel time to sending and chasing down questionnaires.

SecurityScorecard’s easy-to-read Security Ratings, based on an A-F scale, enable you to align your security priorities with the metrics you’ve set up for your vendors. If they fall out of compliance, you’ll know as soon as it happens. Receive your free score today.
