When working in a modern technology-driven industry, you will undoubtedly find that your company is not large enough to meet all the needs of your customers and employees. This is true for almost any company now, and the easiest way to address this issue is to hire outside assistance via a vendor.
In the past, that meant you had a choice of some basic vendor service providers, such as facilities management or catering, as well as major service providers such as telecommunications, shipping, and office suppliers.
In contrast, today’s companies must be more nimble, offering a larger number of customer and employee services from vendors that improve operations, reduce costs, and increase business efficiency. Vendors may help drive new sources of revenue or improve functional areas of business deficiency.
With the advent and adoption of cloud services and Software as a Service (SaaS), vendors now offer a wider range of products including: high-quality employee benefits, internal IT support, product development, outsourced IT infrastructure such as Amazon Web Services, online meeting and video conference services, and many others.
The explosion of offerings makes vendor management a critical aspect of a corporation. Vendor management is complex and risky, and requires the vendor manager to be more flexible and proactive than ever to be successful. Vendor risk is especially present when attackers target the security practices of your third-party vendors as a way to reach your company's systems.
It would be impossible to list and describe all the tools a manager would need to run a well-rounded vendor management program. Instead, here is a small list of five key vendor management tools one must possess to address the most common everyday problems of vendor risk management with sample links to point you in the right direction.
1. Template resources
A solid archive of finished sample templates for any occasion is critical for success in this field. Standing on the shoulders of those who came before you will allow you to start from a much closer point to the finish line, and let you focus on the aspects that are relevant to your company, rather than the mundane (legal language, proofing, etc.).
Ideally, you start out with a general template from a trusted source, such as privacy.us. As you use the templates, you will slowly build up an internal company repository that covers your company's internal needs in more detail.


2. Risk management frameworks
Chances are that if you are working for any company that needs vendors, you are also regulated on some level to ensure you are in compliance with the law. Every regulated industry has a list of best practices, and you, as the manager, should use these lists to guide your department's actions.
For example, if your organization is in banking, start by looking at the GLBA framework requirements from FFIEC. Don’t forget that the National Institute of Standards and Technology (NIST) and the International Organization for Standardization (ISO) also have a lot of excellent insight and detail.
3. Automated vendor risk tools for third parties
Bringing in outside vendor tracking services that will alert you if your providers are having problems is a wise idea. While your vendors may be a great business fit for your organization, the systems and technology they use may have security and risk issues that are hard to know about because obtaining this information takes time.
A third-party vendor may not be willing to talk in detail about its security without an audit. Even then, the information in the audit may only reflect a single point in time.
How do you keep track of a risk at a company you have little to no visibility into?
Hire a company that provides you with routine reports on your service providers and their recent activity, giving you a real-time picture to go along with your long-term vendor risk assessment.
Tip for SecurityScorecard Customers: Type your vendor's website URL into the platform to retrieve detailed security-risk information instantly, without intruding on your vendor's system.


4. Vendor inventory tracking
Can you provide a list of all vendors doing business with your company?
A mature company has to have such a list available, and must have its vendors ranked by risk and criticality.
Let's take that question a step further and ask: can you provide a list of all vendors that have direct Internet access to your internal network at this moment?
If you answered ‘yes’ to the first question, and ‘maybe’ to the second one, you are doing better than some companies.
The fourth vendor management tool on our list is a Vendor Management Systems (VMS) tool. Used to keep track of all interactions with your vendors, it allows you to create your own library of all past work performed and create detailed relationship profiles for future work needed. These tools can be found in the cloud, so deployment and administration efforts can be dramatically reduced.
5. Google
The great master-tool of the Internet is the go-to tool for any vendor selection and research project. Perform due diligence on your vendors by searching for details on their own site, or by name at other sites. It might be useful to know, for example, if an accounting firm you are considering hiring was involved in a breach a few months back.
Some of the basic steps to selecting vendors include:
- Looking up what people are saying about them
- Reading about their staff and services
- Checking who they partner with
- Reviewing what history they have from a security perspective

