Over the last few years, supply chain attacks have increased in number and sophistication. As companies accelerate their digital transformation strategies, managing third and fourth-party risk and a complete look into their security posture becomes more important to securing data and meeting mission-critical compliance requirements.
According to one survey, 60% of security leaders plan to deploy supply chain security measures in 2022. Improving vendor risk management through vendor tiering enables organizations to engage in data-driven decision-making for enhanced cyber resilience.
What is vendor tiering?
Different vendors pose different levels of risk to an organization. Vendor tiering addresses this by identifying, analyzing, and classifying vendors based on the following:
Criticality to business operations
Sensitivity of data the vendor collects, stores, or processes
Regulatory compliance requirements for the vendor and/or data category
Access to the organization’s systems and networks
Consider the following examples of vendors who pose different levels of risk:
Corporate website host: Limited access to sensitive information, may need to comply with General Data Protection Regulation (GDPR), downtime has limited a impact on business operations
Accounting application: Processes cardholder data, must comply with the Payment Card Industry Data Security Standard (PCI DSS), limited downtime may not harm business operations
Human resources application: Processes personally identifiable information (PII), connects with corporate systems like Identity and Access Management (IAM) tools, downtime can have a significant impact on business operations
As you can see, in every example, each vendor poses a cybersecurity risk, but the level of severity differs for each. Here are a few methods to manage and rank the kinds of risks associated with third-party vendors.
Manual tiering
Manual tiering leverages an internal team member’s experience and knowledge to determine each vendor’s risk level. This process enables qualitative insights like:
Vendor reputation
Internal business processes
Past experience with the vendor
At the same time, manual tiering also brings personal bias into the review, limiting its efficacy. Also, if the person responsible for manual tiering leaves the company, this knowledge leaves with them, leaving you with inconsistent processes.
Questionnaire-based tiering
Questionnaire-based tiering enables a company to use vendor risk assessment responses during the categorization process. With this process, the organization moves towards a data-driven approach with metrics and algorithms to help define the tiers.
However, this approach relies on a vendor’s view of their security, meaning that it comes with a different set of limitations like:
Incomplete responses
Lack of respondent knowledge
Inability to verify the self-assessment responses
To overcome these limitations, a company should also incorporate some qualitative review that enables it to make changes based on research or experience.
The importance of vendor tiering
The continuously expanding attack surface complicates vendor risk management. Each new vendor also has its own set of vendors who, in turn, have their own set of vendors. The chain of connected technologies means that cybercriminals can — and often do — use even the smallest vendors within an ecosystem as part of an attack.
With vendor tiering, security teams can more effectively:
Manage risk assessments for known vendors
Monitor supply chain risks across the expanded attack surface
Rapidly move new vendors through the procurement process
Gain visibility into the organization’s overarching cybersecurity risk
How does vendor tiering help improve third-party risk management?
With vendor tiering, a company groups vendors who have similar risk profiles together to streamline monitoring for greater visibility.
Consider an organization with 100 vendors. Without tiering, the security team is continuously monitoring and reviewing alerts for each vendor. This process becomes unsustainable, increasing security risk and time spent investigating alerts.
With vendor tiering, the security team may end up with five high-risk vendors who need daily review, ten medium-risk vendors who require weekly review, and eighty-five low-risk vendors who require monthly review.
Since the security team knows how to allocate its resources, it can efficiently monitor the five high-risk vendors and more effectively respond to new threats without compromising security.
Best practices for vendor tiering
For many security teams, the vendor tiering process can feel daunting. Once they have a complete vendor list, they can engage in the initial vendor tiering assessment. However, after engaging in that process, the security team needs to maintain, document, and operationalize its vendor tiering.
Here are 4 best practices to follow throughout your vendor tiering process:
1. Evaluate security posture
The initial risk classification needs to incorporate business criticality and the vendor security posture. The evaluation also needs visibility into and validation of responses to questionnaires.
During this step, the security team should:
Review vendor-supplied security questionnaires
Leverage external monitoring to support vendor responses
Research whether the vendor reported any data breaches or security incidents
2. Continuously monitor third-party attack surface
With threats continuously evolving, all risk assessment processes are fluid, so continuously monitoring the third-party attack surface is critical. Vendors are businesses, meaning that their attack surface continues to expand as well.
Security teams need to treat their vendors’ security the same way they treat their own, including monitoring:
Security weaknesses arising from common vulnerabilities and exposures (CVEs)
Newly integrated public-internet facing technologies
Threat intelligence impacting the supply chain
3. Map questionnaire answers to security frameworks
Companies need to make sure that their vendors’ security controls align with their compliance requirements. A company that provides its customers with a SOC 2 report also needs to make sure its vendors’ security matches its own security attestation.
This means that a vendor risk management team needs to know:
What security frameworks the organization uses
What regulations the company must comply with
Map vendor security controls across both of these
Review questionnaires annually
Update mappings accordingly
4. Establish expectations
Finally, companies need to make sure that they incorporate security posture into any contracts they have. As part of establishing service level agreements (SLAs), companies should make sure that their vendors:
Know the security expectations
Maintain appropriate security
Remediate issues as they arise
How SecurityScorecard can help improve vendor risk management
SecurityScorecard’s Security Ratings platform enables companies to use automation and machine learning to simplify the process of responding to questionnaires, streamline compliance, and collaborate with vendors.
Our security ratings provide an “outside-in” risk score that gives vendor risk management teams visibility into third- and fourth-party risk to validate vendor-provided questionnaires. Our centralized platform instantly validates responses, enhancing due diligence and eliminating time-consuming manual processes. Additionally, customers can communicate directly with their vendors within our secure platform for real-time responses and documentation. Request a demo today and learn how your business can start improving the security of your vendors.
