Posted on Jul 10, 2018
Nearly every business that interacts online should have a solid cybersecurity program, but measuring that solidity may be difficult. Despite increased spending, many organizations struggle to find ways of measuring the effectiveness of their vendor management programs. The last Protiviti Vendor Risk Management Benchmark Study, released in November 2017, noted that while cybersecurity monitoring had increased over the previous year, a majority of companies planned to “de-risk,” or terminate, third-party relationships, citing fourth-party risk (the main reason), the cost of vendor assessments, and too little internal support and skill to test vendors sufficiently. Finding the appropriate key performance indicators (KPIs) can help measure vendor performance.
Establishing a KPI for vendor management is the same as establishing one for yourself. However, while you control your data environment and controls, you don’t control your vendors. No matter how sophisticated your questionnaires are, they only represent a point in time.
All compliance programs begin with risk analysis and review. The first step in measuring vendor performance is to categorize the risk vendors pose to your data environment. Starting with your organizational goals, you need to determine which vendors enable critical business operations. Once you categorize your vendors, you can align risk priorities with the potential business impact should a malicious actor exploit a weakness in the vendor’s environment.
To categorize your vendors, you need to ask:
If the vendor accesses private information or a critical system, then they are a high risk. If you need them to maintain business operations, they are a high risk.
Vendor relationships begin and end with contractual obligations. Therefore, your service level agreements (SLAs) act as a primary starting point for measuring vendor performance. If you include specific metrics as part of your SLAs, you can measure how effective your vendor is at maintaining a secure environment. Some questions to consider include:
SecurityScorecard reviews a variety of controls that help you create key performance indicators. As part of your vendor risk management program, you can align KPI categories to match SecurityScorecard’s ten factors (network security, DNS health, patching cadence, cubit score, endpoint security, IP reputation, web application security, hacker chatter, leaked credential, and social engineering).
Once you categorize the risks, you can use the security ratings to establish metrics for measuring vendor performance. Since lower scores indicate a higher risk of breach, you can establish a minimum security rating needed to contract with the vendor as well as a tolerance that can lead to termination of the contract.
Finally, SecurityScorecard helps break the “fourth” wall. Since we scan public data across the internet, you can see into the current state of a vendor’s third-party risk. A higher security rating can be used as one independent evaluation proving a robust cybersecurity program.