Vendor Risk Management (VRM) Best Practices

By Jeff Aldorisio

Posted on Apr 1, 2020

Protecting cyber assets is a daunting task, even for the most seasoned cybersecurity team. Moreover, many companies outsource day-to-day business functions to third-party companies who in turn often outsource to other 3rd party companies creating a vast digital footprint that requires cyber protection and monitoring. Managing cybersecurity risks in the supply chain or vendor network requires relationship management more than ever.

Why is vendor risk management necessary?

The Software as a Service (SaaS) model has seen a dramatic rise which has introduced new cybersecurity challenges for businesses. According to the Harvey Nash/KPMG 2018 CIO Survey, almost 75% of respondents reported a moderate or significant investment in cloud infrastructure. Many businesses already outsource critical business services such as human resources, billing, finance, customer relationship management (CRM), and enterprise resource planning (ERP). Although these services may be convenient to businesses, they complicate the vendor risk management process by introducing networks not owned by the business. As you add more vendors, you also add their vendors. To manage your vendor supply chain, you need to establish a vendor risk management program that incorporates metrics for vendor performance.

Lack of experienced cybersecurity staff poses an increased business risk

The depth and breadth of information security controls required by a business often require a significant team of qualified cybersecurity staff. Unfortunately, the supply of qualified people has not kept up with demand. In May 2018, the National Institute of Standards and Technologies (NIST) released a report detailing the limited supply of cybersecurity professionals compared to the demand for them. Additionally, the lack of cybersecurity educators indicates that the current skills gap will likely widen. The cybersecurity skills gap in conjunction with the increasing complexities third-party partner companies bring to your ecosystem makes vendor management a continually evolving process.

7 vendor risk management best practices

Vendor risk assessments give you an in-depth understanding of any potential risks posed by each of your vendor relationships. Here are some vendor risk management best practices to implement:

1. Risk assess individual vendors

Each vendor provides a different service that enables your business. Starting by categorizing vendors allows you to determine which ones pose the highest risk based on the information and systems they access. However, since vendors bring their third parties with them, you need to assess individual vendors based on the risk their supply chain poses.

2. Define vendor performance metrics

If you’re planning to engage in a long-term relationship with a vendor, you need to make sure that you define key performance indicators (KPIs) that govern the relationship. Your vendor IT’s important to you since their risks become your risks. While defining KPIs for product delivery is easy, defining them for cybersecurity is more complicated.

3. Create robust vendor contracts

Your contracts need to clearly define your risk tolerance. Using the KPIs you establish, you can define metrics for terminating the relationship. If your vendor doesn’t secure their environment and ecosystem after the contract is signed, you need to have a way out that protects you.

4. Establish a clear line of communication

With your vendors bringing their vendors along with them, you also need to establish a clear line of communication down your supply chain. One fourth-party data breach can ruin your business by leaving you responsible for your customers’ information being stolen.

5. Assess vendor relationships at the product or service level

To gain an in-depth understanding of all risks posed by a third party, you must complete a risk assessment on each individual product or service used, in addition to your overall vendor risk assessment. A vendor risk management questionnaire provides you with the questions you need to ask to properly understand each aspect of your vendor’s cybersecurity environment.

6. Keep the Board and senior management team informed

Notify the Board and senior management team when you change or add vendors to your supplier mix and when you encounter any critical risk as a result of a third-party relationship. Communicating with the Board and senior management team can be daunting, but it is vital for organizations to ensure that the appropriate people are involved in the vendor management process. Keeping the appropriate people informed helps when it comes to allocating resources and protecting the organization at large from any future vulnerabilities.

7. Know if your vendors have direct network access

It’s important to know what kinds of data your vendors have access to and whether each vendor has direct access to your network. If your vendors have direct access to your network, or a higher level of access than is appropriate, you must be able to manage and control that access. Vendors should only have access to the information that they need to perform their job duties.

How SecurityScorecard can help

Managing one’s cybersecurity posture is hard enough. Ensuring that effective security measures are in place across an ecosystem of vendors or supply chains was near impossible until the recent emergence of automated and intelligent cybersecurity VRM solutions.

SecurityScorecard helps businesses understand vendor or supply chain cybersecurity risk across ten important risk factor areas. The solution helps businesses establish categories of risk and vendor performance KPIs. Additionally, they can review individual vendors in their ecosystem as well as individual members of the supply using a common and consistent cybersecurity rating system. The easy-to-navigate platform and easy-to-understand cybersecurity ratings help manage the cybersecurity skills gap in a vendor management program while also enabling a company to engage in independent oversight should the line of communication fail.

No waiting, 100% Free

Get your personalized scorecard today

Get your free scorecard and learn how you stack up across 10 risk categories. Answer a few simple questions and we'll instantly send your score to your business email.

Get Your Free Score

Get In Touch

Thank you for contacting us!