When third parties are involved in data breaches, the cost of those breaches rises by more than $370,000, according to Ponemon’s 2019 Cost of a Data Breach Report. It stands to reason that most companies want to do their due diligence when it comes to vendors, service providers and other third parties.
Unfortunately, managing third party risk can be a cumbersome manual process. Questionnaires can be hundreds of questions long, and they can be vague, causing vendors to send clarifying questions to your team so they can provide the answers you’re looking for. The trouble doesn’t end there. When questionnaires come back, they might be difficult to manage — sometimes vendors modify unlocked questionnaires. A question might be Y/N, but the vendor, frustrated with this limited range of response, has added a narrative answer, an answer that you’ll need to add to a spreadsheet manually.
The entire process is time consuming, frustrating and labor-intensive. So how can you speed it up?
1. Don’t let questionnaires get too long
If your organization is nervous about third party risk, you may feel an impulse to continually add additional items to the questionnaire you’re using. Some questionnaires can be hundreds(!) of questions long. Unfortunately, those additional questions aren’t helping anyone. Your vendors dread answering them, long questionnaires take longer to return, and you’re making more work for your team when those answers need to be entered into a spreadsheet later.
You also don’t want to dump a formal framework into a spreadsheet. You may base your questionnaire on a framework, but remember your goal: you’re trying to understand if your third party has implemented reasonable security controls.
To get a better idea of each vendor’s risk, consider tiering them by risk, and creating specific questionnaires for each risk level to ensure that you’re appropriately (and efficiently) assessing each vendor.
2. Go beyond Y/N
It may make sense – from your teams’ standpoint — to require Y/N answers. These are quick answers to give, and easy to enter into a spreadsheet. However, they also tend to frustrate the vendors, who may not feel that a yes or no will adequately answer a question.
This may lead them to send your team their own questions to clarify how they should answer, send additional documents, or modify your questionnaire so they can answer more accurately. All of these things mean time spent answering questions, pulling narrative answers out of a questionnaire not designed to support them, or sifting through additional information.
Instead offer N/S (not applicable) as an answer, and allow your third parties provide comments, and collaborate with the right stakeholder for each answer. That way the comments are built in, and your vendors won’t have to pause mid-questionnaire and ask your team questions, and you’ll be able to work together on a collaborative platform instead of sending questions and questionnaires back and forth.
3. Automate the process
It takes a long time to manually process questionnaires. If you’re sending your questionnaires by email and managing the answers in Excel spreadsheets, it may be time for a change. Consider an automated tool that can streamline the process.
An automated platform can give your vendors a way to easily log in, answer questions, provide evidence and ask you clarifying questions in a collaborative environment. It also gives you a quick way to track their answers and discuss any security issues or remediation with them.
The best part about an automated tool is that it handles the repetitive tasks of sending out questions and collecting answers for you. Remember: the less time you can spend on data collection, the more time you can spend on the task that matters: working with third parties to mitigate risks.
4. Use external data to verify answers
One you’ve collected data from your third parties, it’s time to verify and validate their answers. While it’s standard to use internal data to verify, you should also be using external data, like chatter on the dark web, or any credentials from your vendors that appear to have been leaked online.
An automated platform can scan the internet continuously for issues, comparing its findings to the vendors’ answers on questionnaires. Then, once issues are identified, it will help you notify your vendor about problems if they aren’t already aware of them.
5. Rethink the annual questionnaire
You’re probably sending out questionnaires on a fixed schedule and potentially sending all vendors questionnaires at the same time, regardless of their risk level. But there’s a problem with this traditional approach — not only does that mean that once a year (or once every six months, depending on your schedule) you’re going through the process of sending questionnaires manually — you’re also getting a static snapshot of your third parties’ security controls.
But what if, instead of assessing your vendors every year, you were able to get a window into their controls whenever you needed it? What if you were notified whenever a vendor fell out of compliance? An automated platform can let you know about changes to your third parties’ security ratings, so you can act immediately, getting in touch with vendors and working with them to remediate any security problems.
Tiering your vendors by risk can also help you schedule questionnaires — high risk third parties should be assessed more often, while lower risk third parties may not need to be assessed as much.
How SecurityScorecard can help
SecurityScorecard’s Atlas is a smart tool that speeds up the questionnaire and evidence exchange process. How? Atlas’s platform allows you to easily manage and send questionnaires, and lets your vendors log in and quickly complete them in the same secure location. Because you’re working on the same collaborative platform, you can easily review, discuss, and send back questionnaires, and your vendors can upload their evidence in the same location.
Atlas’ Smart Mapping Engine also automatically aligns questionnaire responses with SecurityScorecard Ratings, giving organizations an instant 360° view of any vendor’s cybersecurity risk and enabling them to validate the accuracy of responses, eliminating the busywork that traditionally accompanies vendor risk management programs.