Posted on Aug 13, 2015
When working in a modern technology-driven industry, you will undoubtedly find that your company is not large enough to meet all the needs of your customers and employees on its own. This is true for almost any company now, and the easiest way to address the gap is to hire outside assistance from a vendor.
In the past, that meant you had a choice of some basic vendor service providers, such as facilities management or catering, as well as major service providers such as telecommunications, shipping, and office suppliers.
In contrast, today’s companies must be more nimble, offering a larger number of customer and employee services from vendors that improve operations, reduce costs, and increase business efficiency. Vendors may help drive new sources of revenue or improve functional areas of business deficiency.
With the advent and adoption of cloud services and Software as a Service (SaaS), vendors now offer a wider range of products including: high-quality employee benefits, internal IT support, product development, outsourced IT infrastructure such as Amazon Web Services, online meeting and video conference services, and many others.
The explosion of offerings makes vendor management a critical function of a corporation. Vendor management is complex and risky, and requires the vendor manager to be more flexible and proactive than ever to be successful. Vendor risk is especially acute where attackers target the security practices of your third-party vendors as a way to reach your company's systems.
It would be impossible to list and describe all the tools a manager would need to run a well-rounded vendor management program. Instead, here is a small list of five key vendor management tools one must possess to address the most common everyday problems of vendor risk management with sample links to point you in the right direction.
A solid archive of finished sample templates for any occasion is critical for success in this field. Standing on the shoulders of those who came before you will allow you to start from a much closer point to the finish line, and let you focus on the aspects that are relevant to your company, rather than the mundane (legal language, proofing, etc.).
Ideally, you start out with a general template you found from a trusted source, such as privacy.us. As you use the templates, you will slowly build up an internal company repository that covers your company’s internal needs in more detail.
Chances are that if you work for any company that needs vendors, you are also regulated on some level to ensure you are in compliance with the law. Every regulated industry has a list of best practices, and you, as the manager, should use these lists to guide your department's actions.
For example, if your organization is in banking, start by looking at the GLBA framework requirements from FFIEC. Don’t forget that the National Institute of Standards and Technology (NIST) and the International Organization for Standardization (ISO) also have a lot of excellent insight and detail.
Bringing in outside vendor tracking services that will alert you if your providers are having problems is a wise idea. While your vendors may be a great business fit for your organization, the systems and technology they use may have security and risk issues that are hard to know about, because obtaining this information takes time.
A third-party vendor may not be willing to discuss its security posture in detail without an audit. Even then, the audit reflects only a single point in time.
Hire a company that provides you routine reports on your service providers and their recent activity, to give you a real-time picture to go along with your long-term vendor risk assessment.
Tip for SecurityScorecard Customers: Type your vendor's website URL into the platform to retrieve detailed security-risk information instantly, without intruding on your vendor's systems.
Can you provide a list of all vendors doing business with your company?
A mature company has to have such a list available, and must have its vendors ranked by risk and criticality.
Let's take that question a step further and ask: can you provide a list of all vendors that have direct Internet access to your internal network at this moment?
If you answered 'yes' to the first question, and 'maybe' to the second one, you are doing better than some companies.
The fourth vendor management tool on our list is a Vendor Management System (VMS). Used to keep track of all interactions with your vendors, it lets you build your own library of all past work performed and create detailed relationship profiles for future work. These tools are available as cloud services, so deployment and administration effort can be dramatically reduced.
The great master tool of the Internet is the go-to tool for any vendor selection and research project. Perform due diligence on your vendors by searching for details on their own site, or by searching for them by name on other sites. It might be useful to know, for example, if an accounting firm you are considering hiring was involved in a breach a few months back.
Some of the basic steps to selecting vendors include:
Templates and vendor evaluations are needed to level that playing field in a time-efficient and fair way, so that the best vendors are chosen.