What is Vendor Tiering? Tips to Improve Your Vendor Risk Management

Over the last few years, supply chain attacks have increased in number and sophistication. As companies accelerate their digital transformation strategies, managing third and fourth-party risk and a complete look into their security posture becomes more important to securing data and meeting mission-critical compliance requirements.

According to one survey, 60% of security leaders plan to deploy supply chain security measures in 2022. Improving vendor risk management through vendor tiering enables organizations to engage in data-driven decision-making for enhanced cyber resilience.

What is vendor tiering?

Different vendors pose different levels of risk to an organization. Vendor tiering addresses this by identifying, analyzing, and classifying vendors based on the following:

• Criticality to business operations

• Sensitivity of data the vendor collects, stores, or processes

• Regulatory compliance requirements for the vendor and/or data category

• Access to the organization’s systems and networks

Consider the following examples of vendors who pose different levels of risk:

• Corporate website host: Limited access to sensitive information, may need to comply with General Data Protection Regulation (GDPR), downtime has limited a impact on business operations

• Accounting application: Processes cardholder data, must comply with the Payment Card Industry Data Security Standard (PCI DSS), limited downtime may not harm business operations

• Human resources application: Processes personally identifiable information (PII), connects with corporate systems like Identity and Access Management (IAM) tools, downtime can have a significant impact on business operations

As you can see, in every example, each vendor poses a cybersecurity risk, but the level of severity differs for each. Here are a few methods to manage and rank the kinds of risks associated with third-party vendors.

Manual tiering

Manual tiering leverages an internal team member’s experience and knowledge to determine each vendor’s risk level. This process enables qualitative insights like:

• Vendor reputation

• Internal business processes

• Past experience with the vendor

At the same time, manual tiering also brings personal bias into the review, limiting its efficacy. Also, if the person responsible for manual tiering leaves the company, this knowledge leaves with them, leaving you with inconsistent processes.

Questionnaire-based tiering

Questionnaire-based tiering enables a company to use vendor risk assessment responses during the categorization process. With this process, the organization moves towards a data-driven approach with metrics and algorithms to help define the tiers.

However, this approach relies on a vendor’s view of their security, meaning that it comes with a different set of limitations like:

• Incomplete responses

• Lack of respondent knowledge

• Inability to verify the self-assessment responses

To overcome these limitations, a company should also incorporate some qualitative review that enables it to make changes based on research or experience.

The importance of vendor tiering

The continuously expanding attack surface complicates vendor risk management. Each new vendor also has its own set of vendors who, in turn, have their own set of vendors. The chain of connected technologies means that cybercriminals can — and often do — use even the smallest vendors within an ecosystem as part of an attack.

With vendor tiering, security teams can more effectively:

• Manage risk assessments for known vendors

• Monitor supply chain risks across the expanded attack surface

• Rapidly move new vendors through the procurement process

• Gain visibility into the organization’s overarching cybersecurity risk

How does vendor tiering help improve third-party risk management?

With vendor tiering, a company groups vendors who have similar risk profiles together to streamline monitoring for greater visibility.

Consider an organization with 100 vendors. Without tiering, the security team is continuously monitoring and reviewing alerts for each vendor. This process becomes unsustainable, increasing security risk and time spent investigating alerts.

With vendor tiering, the security team may end up with five high-risk vendors who need daily review, ten medium-risk vendors who require weekly review, and eighty-five low-risk vendors who require monthly review.

Since the security team knows how to allocate its resources, it can efficiently monitor the five high-risk vendors and more effectively respond to new threats without compromising security.

Best practices for vendor tiering

For many security teams, the vendor tiering process can feel daunting. Once they have a complete vendor list, they can engage in the initial vendor tiering assessment. However, after engaging in that process, the security team needs to maintain, document, and operationalize its vendor tiering.

Here are 4 best practices to follow throughout your vendor tiering process:

1. Evaluate security posture

The initial risk classification needs to incorporate business criticality and the vendor security posture. The evaluation also needs visibility into and validation of responses to questionnaires.

During this step, the security team should:

• Review vendor-supplied security questionnaires

• Leverage external monitoring to support vendor responses

• Research whether the vendor reported any data breaches or security incidents

2. Continuously monitor third-party attack surface

With threats continuously evolving, all risk assessment processes are fluid, so continuously monitoring the third-party attack surface is critical. Vendors are businesses, meaning that their attack surface continues to expand as well.

Security teams need to treat their vendors’ security the same way they treat their own, including monitoring:

• Security weaknesses arising from common vulnerabilities and exposures (CVEs)

• Newly integrated public-internet facing technologies

• Threat intelligence impacting the supply chain

3. Map questionnaire answers to security frameworks

Companies need to make sure that their vendors’ security controls align with their compliance requirements. A company that provides its customers with a SOC 2 report also needs to make sure its vendors’ security matches its own security attestation.

This means that a vendor risk management team needs to know:

• What security frameworks the organization uses

• What regulations the company must comply with

• Map vendor security controls across both of these

• Review questionnaires annually

• Update mappings accordingly

4. Establish expectations

Finally, companies need to make sure that they incorporate security posture into any contracts they have. As part of establishing service level agreements (SLAs), companies should make sure that their vendors:

• Know the security expectations

• Maintain appropriate security

• Remediate issues as they arise

How SecurityScorecard can help improve vendor risk management

SecurityScorecard’s Security Ratings platform enables companies to use automation and machine learning to simplify the process of responding to questionnaires, streamline compliance, and collaborate with vendors.

Our security ratings provide an “outside-in” risk score that gives vendor risk management teams visibility into third- and fourth-party risk to validate vendor-provided questionnaires. Our centralized platform instantly validates responses, enhancing due diligence and eliminating time-consuming manual processes. Additionally, customers can communicate directly with their vendors within our secure platform for real-time responses and documentation. Request a demo today and learn how your business can start improving the security of your vendors.