KPIs & Metrics for Vendor Risk Management

Nearly every business that interacts online should have a solid cybersecurity program but measuring that solidity may be difficult. Despite increased spending, many organizations struggle to find ways of measuring the effectiveness of their vendor management programs. The last Protiviti Vendor Risk Management Benchmark Study released in November 2017 noted that while cybersecurity monitoring had increased over the previous year, a majority of companies planned to “de-risk,” or terminate, third-party relationships to reduce fourth-party risks (the main reason), costs of vendor assessment, and too little internal support and skills to sufficiently test vendors. Finding the appropriate key performance indicators (KPI) can help measure vendor performance.

Poor vendor risk decisions can have dire consequences

Establishing a KPI for vendor management is the same as establishing one for yourself. However, while you control your data environment and controls, you don’t control your vendors. No matter how sophisticated your questionnaires are, they only represent a point in time.

How to start creating KPIs for measuring vendor performance

All compliance programs begin with risk analysis and review. The first step for measuring vendor performance is to categorize the risk vendors pose to your data environment. Starting with your organizational goals, you to determine what vendors enable critical business operations. Once you categorize your vendors, you can align risk priorities with the potential business impact should a malicious actor exploit a weakness in the vendor’s environment.

To categorize your vendors, you need to ask:

• What information do they access?
• What systems do they access?
• How important are they to my continued business operations?

If the vendor accesses private information or a critical system, then they are a high risk. If you need them to maintain business operations, they are a high risk.

What are KPIs for vendor performance?

Vendor relationships begin and end with contractual obligations. Therefore, your service level agreements (SLAs) act as a primary starting point for measuring vendor performance. If you include specific metrics as part of your SLAs, you can measure how effective your vendor is as maintaining a secure environment. Some questions to consider include:

• How quickly do they resolve operational and administrative failures?
• How often is the system unavailable?
• How many times have they been breached?
• How often do they update their product?
• Do they incorporate continuous cyber security monitoring of their own environment and ecosystem?

Evaluating vendor performance with SecurityScorecard

SecurityScorecard reviews a variety of controls that help you create key performance indicators. As part of your vendor risk management program, you can align KPI categories to match SecurityScorecard’s ten groups of risk factors (network security, DNS health, patching cadence, cubit score, endpoint security, IP reputation, web application security, hacker chatter, leaked credential, and social engineering).

Once you categorize the risks, you can use the security ratings to establish metrics for measuring vendor performance. Since lower scores indicate a higher risk of breach, you can establish a minimum security rating needed to contract with the vendor as well as a tolerance that can lead to termination of the contract.

Finally, SecurityScorecard helps break the “fourth” wall. Since we scan public data across the internet, you can see into the current state of a vendor’s third-party risk. A higher security rating can be used as one independent evaluation proving a robust cybersecurity program.