One Size Does NOT Fit All. A Vendor Risk Dilemma.

Vendor Risk Management is an interesting space. Everyone does it differently, there is no single right or wrong way, and vendors span a wide range of services. Building or operating a Vendor Risk program means you have at least identified one thing: using third-party vendors comes with some level of risk to your business. A survey conducted by Gartner found that of 100 executives surveyed, 84% indicated that a third-party risk “miss” resulted in operational disruptions. Despite this, reliance on third-party vendors remains high, because shared work and collaboration are essential to the business’ success. So how do we properly secure these vendors and avoid a business operations impact when the vendor landscape is so vast?

Third-party vendors come in many shapes and sizes. Some are niche and provide only one specific service. They may have a small number of employees and a small facility, or be fully remote. Other vendors are quite large, with hundreds to thousands of employees, a wide range of services, and work across many industries. No two companies are alike, and each has its own policies, procedures, and values that set it apart.

So where do we start?

Step 1: Identify What Is High Risk

The first step is figuring out what is considered high risk to your company. Is it financial assets? Is it the content being created? Is it blueprints? Every company carries risk, but what that risk is will vary. Risk is often tied to financial impact: products that create revenue, ideas that generate buzz, and so on. It can also be reputation-focused: Personally Identifiable Information (PII) whose exposure could lead to a lawsuit, a movie getting leaked and posted online, or private emails being released. Risk comes in many forms and at many levels, but starting with a clear understanding of what counts as high risk to your company prepares you for step two.

Step 2: Who Handles High-Risk Content?

According to the Deloitte Global third-party risk management survey 2022, 55% of survey respondents indicated they segment their third parties based on which ones present the highest risk to their company. Understanding what types of vendors handle your high-risk content is crucial to any vendor risk program. This is the stage where you evaluate the service offerings of the various vendors in your pool and determine which services require more attention than others. If you do not know where your highest risk lies, you do not know where to focus your assessment efforts.

Step 3: Control Mapping

Once you know which types of vendors present the biggest security risks to your company, step three is where the rubber hits the road: control mapping. Control mapping is the practice of mapping your security controls to the services a vendor offers, so that you know which controls apply to which type of vendor. For example, you may require photo IDs for a company with 100 employees but not for a company with only five, or you may have a policy that every vendor employee must be under an NDA with their own company, which applies to everyone regardless of service. You may want to be more stringent with a vendor providing legal services than with one providing catering. Control mapping lets you customize your assessments for the type of vendor you are working with. It gives the vendor an assessment tailored to their services and gives the assessor clear guidance on what is in scope and what is not, so the focus lands where the risk lies.

Start helps companies tailor these assessments every day. Controls pull into assessment reports automatically and are driven by a control mapping that each company defines based on its own needs. Everyone measures risk differently; it is not one size fits all. The same applies to your vendors. Every vendor differs in size and services, yet those services help businesses thrive and succeed. Security misses can be detrimental to operations, finances, and especially reputation when things go wrong. But through collaboration and an understanding of your vendor’s company, a secure relationship is always possible. Talk to our team of experts to learn how to help your vendors not only meet but exceed your security controls with a customized assessment through Start.
