Vendor Risk Management (VRM) Best Practices

By Jeff Aldorisio

Posted on Oct 15, 2018

Protecting cyber assets is a daunting task, even for the most seasoned cyber security team. Moreover, many companies outsource day-to-day business functions to third parties, who in turn often outsource to their own third parties, creating a vast digital footprint that requires cyber protection and monitoring. Managing cyber security risk in the supply chain or vendor network is therefore as much a relationship management problem as a technical one.

Significant growth of outsourced IT poses increased risk

The Software as a Service (SaaS) model has seen a dramatic rise, which has introduced new cyber security challenges for businesses. According to the Harvey Nash/KPMG 2018 CIO Survey, almost 75% of respondents reported a moderate or significant investment in cloud infrastructure. Many businesses already outsource critical business services such as human resources, billing, finance, customer relationship management (CRM), and enterprise resource planning (ERP). Although these services are convenient, they complicate vendor risk management by placing your data on networks and systems the business neither owns nor controls. As you add more vendors, you also add their vendors. To manage your vendor supply chain, you need to establish a vendor risk management program that incorporates metrics for vendor performance.

Lack of experienced cyber security staff poses increased business risk

The depth and breadth of information security controls required by a business often call for a significant team of qualified cyber security staff. Unfortunately, the supply of qualified people has not kept up with demand. In May 2018, the National Institute of Standards and Technology (NIST) released a report detailing the limited supply of cyber security professionals compared to the demand for them. Additionally, the lack of cyber security educators indicates that the current skills gap will likely widen. The cyber security skills gap, combined with the increasing complexity that third-party partner companies bring to your ecosystem, makes vendor management a continually evolving process.

Four vendor risk management best practices

1. Risk assess individual vendors

Each vendor provides a different service that enables your business. Start by categorizing vendors so you can determine which ones pose the highest risk based on the information and systems they access. However, since vendors bring their own third parties with them, you also need to assess each vendor on the risk its supply chain poses, not just on the vendor's own controls.

2. Define vendor performance metrics

If you’re planning to engage in a long-term relationship with a vendor, you need to define key performance indicators (KPIs) that govern the relationship. Your vendor’s IT matters to you because their risks become your risks. While defining KPIs for product delivery is easy, defining them for cyber security is more complicated.

3. Create clear vendor contracts

Your contracts need to clearly define your risk tolerance. Using the KPIs you establish, you can define the thresholds at which the relationship is terminated. If your vendor fails to secure their environment and ecosystem after the contract is signed, you need a way out that protects you.

4. Establish a clear line of communication

With your vendors bringing their vendors along with them, you also need to establish a clear line of communication down your supply chain. A single fourth-party data breach can leave you accountable to your customers and regulators for the theft of your customers’ information, and that can ruin your business.

Leverage automated and intelligent VRM solutions

Managing one’s own cyber security posture is hard enough. Ensuring that effective security measures are in place across an ecosystem of vendors and supply chains was nearly impossible until the recent emergence of automated and intelligent cyber security VRM solutions.

SecurityScorecard helps businesses understand vendor and supply chain cyber security risk across ten important risk factor areas. The solution helps businesses establish categories of risk and vendor performance KPIs. Additionally, they can risk review individual vendors in their ecosystem, as well as individual members of the supply chain, using a common and consistent cyber security rating system. The easy-to-navigate platform and easy-to-understand cyber security ratings help manage the cyber security skills gap in a vendor management program, while also enabling a company to engage in independent oversight should the line of communication fail.
