Continuous monitoring of 3rd-party vendors has become increasingly important – no surprise here. So, what should you do when a vendor’s security rating isn’t up to your risk management standards? What if they are showing inadequate security controls or a lack of good documentation on their program? Despite the cries from your procurement or business unit teams, you’re not trying to “veto” the vendor. In fact, security ratings eliminate that friction with internal teams by providing an objective risk assessment; helping the business onboard their vendor faster, while achieving the risk controls you need. Your vendors and other third-parties in your ecosystem factor into your exposure.
How do you engage these partners to participate?
“Can we count on your support?”
Consider the situation when you look up a vendor and find they have a low score – let’s call it a “D” in SecurityScorecard’s simple A-F security ratings structure. That vendor is over 7-times more likely to be breached than another vendor with a better rating. What action do you take? Start by verifying that this vendor remains appropriate to engage with. Then, reviewing the findings in their rating, determine whether their low scores are related to services they provide to your business. If these risks are important to you, then they should be important to the vendor, as well. Assuming they pass these verifications, then you want to invite that vendor to start participating in the Ratings process. Making it easy for them to join is important: so they can instantly connect to the Ratings platform, get their own security rating and start addressing high-priority issues. Should they need help, our Customer Success team can engage with them, helping them with their action plan to raise their security rating.
“We need you to comply with our standards”
Another situation could be crafting an action plan requiring a low-rated vendor to improve their score as a metric to maintain their position on your supplier list. To secure your ongoing business, they are going to want to maintain compliance. But your procurement team can’t be expected to regularly check-in and assess the vendor’s progress. You want to be able to provide the vendor with clear, actionable details for them to regain compliance. And, a cadence of reports needs to be provided to your vendor managers so they see progress – including whether the mandated remediation is addressed on schedule or if the vendor has missed the deadline.
Whether in procurement or VRM, SecurityScorecard users are able to easily invite vendors to collaborate. If a supplier isn’t already using Ratings to address their own risk, get them started by having them participate in minimizing your exposure. It starts with an email message template within the Ratings platform. Easily personalize the message, or even co-brand it – which often helps facilitate their cooperation. Finally, if your motivation is to have the vendor achieve a specific rating, you can set score expectations for clear accountability.
Security ratings and vendor performance reviews
In our recent success story, Truphone’s former CISO, Nuno Teodoro, explained: “we require our vendors [related to those services] to have a certain score to do business with us, and SecurityScorecard scores are a big part of the ongoing performance review meetings we have with those vendors.” His policy is demonstrative of what has been becoming more and more common throughout the supply chain. Risk mitigation is part of the trust and shared interest a good partner relationship is built on.
This capability is available now, so you can log in and take a look at the workflow right away. Include your partner ecosystem in your risk management initiatives. Getting them started is easy. Most importantly, it will improve your security posture, and theirs.
