Accellion, Kaseya, and Solarwinds are some of the most notable and newsworthy data breaches in recent times—and they are united by one key factor. Each was the victim of a data breach via a third-party vendor. For organizations in our digitally innovative world, it’s almost impossible to operate without outsourcing IT tasks, solutions, and services to third-party vendors. These vendors range from public cloud giants like AWS and Google to smaller vendors offering more niche services, such as IT monitoring, file transfers, or VPNs.
With vendors playing a central role in modern IT ecosystems, it’s concerning that just 40% of organizations fully understand their third-party cybersecurity risks. Security teams must get to grips with vendor security risk using a dedicated risk management strategy to address potentially gaping flaws in cybersecurity defenses.
Read on to find out what a vendor risk management (VRM) strategy is, why it’s important, and the six essentials every strategy must have to maximize its effectiveness.
What is a vendor risk management strategy?
A vendor risk management strategy is a set of processes, people, and activities that assess, monitor, and manage risk exposure from third-party vendors providing IT services and products.
Data privacy regulations like GDPR and CCPA/CPRA put agreements in place with third parties that guarantee compliance with specific rules, meaning there is further incentive to develop a properly structured vendor risk management strategy.
Examples of Third-Party Security Risks
Third-party vendors pose security risks because their products and services integrate with your IT environment and business processes. This integration may occur in various ways, including vendors that can remotely access your systems, inject third-party code in your software, and copy your data. Flaws or weaknesses in vendor security can result in direct compromises of your environment and data.
Examples of security risks that may arise from third-party IT vendors include:
- A software vendor suffers a breach, and a hacker inserts malicious code into an update that gives backdoor access to your environment.
- A third-party component (e.g., a library or framework) in your custom app contains a vulnerability that a hacker could exploit to harvest sensitive data (supply chain vulnerability).
- A rogue vendor with access to intellectual property could steal high-value information or sell it on the dark web.
Why is vendor risk management important?
VRM can significantly reduce security risks and improve your cyber risk score. But aside from cybersecurity, vendor risks also relate to business continuity and performance. For example, a company that hosts applications in the cloud has a higher likelihood of experiencing downtime if the vendor is not reputable or cannot handle the load placed on the app. If these apps are customer-facing, the knock-on impact of a potential vendor outage on a company’s reputation just adds to the risk profile. The potential for such outcomes further exemplifies the importance of taking a structured and organization-wide approach to managing vendor risks—your business operations will benefit just as much as your security teams will.
What are the vendor risk management maturity levels?
Similar to other areas of risk management, different maturity levels describe the extent to which organizations manage vendor security risks. You can use the following six-level maturity model to gauge where your organization currently stands with VRM:
- Level 0 – No vendor risk management activities in place.
- Level 1 – Ad-hoc approach to VRM that manages risk in a reactive, non-coordinated manner.
- Level 2 – You have an approved roadmap to move towards a more structured and proactive approach to VRM.
- Level 3 – You have a defined coordinated approach to manage vendor risks at this point, but a lack of enforcement or metrics hampers true risk reduction.
- Level 4 – You are fully integrated and operational with VRM, gather important metrics, and have independent oversight of the strategy.
- Level 5 – The last layer of maturity relates to organizations that work to continuously refine the visible (activities, tools) and invisible (strategy, employee-involvement) elements of their VRM approach.
6 Essentials for Your Vendor Risk Management Strategy
1. Create a Request for Proposal (RFP) Document
A request for proposal (RFP) is a handy document that helps support your purchasing decision and weed out risky vendors when procuring IT services and solutions. This document solicits offers from interested vendors, describes the scope of the service or solution required, and highlights any deliverables. You should write an RFP for most IT services you outsource, particularly those that provide access to your systems and data.
An RFP also typically outlines what’s expected in vendor proposals to show evidence of the technical and security competencies expected by the vendor. Reputable companies can show examples of existing clientele, relevant experience, and certifications to prove their competency.
2. Assign Each Vendor a Risk Rating
A vendor risk review or risk assessment is a formal attempt to quantify the risks associated with vendors, whether current or prospective. These scores make it easier to compare vendors. When a vendor scores a high-risk rating, this is a strong sign that you should consider alternatives.
Since there is no objective way to rate the risk of a vendor, it’s useful to stick with a simple approach. While there are solutions that automate the process of vendor risk scoring, you could also take a weighted average of the answers to a specific questionnaire to rate vendor risk.
3. Identify Their Security Protocols
Identifying the vendor’s security protocols lets you assess the risks to your systems, apps, or data more accurately. The security tools and processes to look out for will differ depending on how the specific solution or code interacts with your current environment.
Aside from asking for this information directly, it’s often available in the documentation, marketing collateral, and website pages. Look for companies that prioritize security using DevSecOps tools and approaches, encryption for data in rest and in motion, network monitoring, security testing throughout the SDLC, etc. If compliance with particular frameworks or regulations is vital in your industry, determine whether the vendor ensures you stay compliant with the relevant rules.
4. Create an Ongoing Evaluation Process
It’s not enough to just evaluate vendor risks at a single point. An ongoing evaluation process accounts for the fact that risk levels can change over time and ensures you properly vet all vendors before you enter into contracts with them.
Central to this ongoing evaluation is gathering useful sources of intelligence about vendor risk, including:
- Company press releases about financial news or layoffs.
- Tech review sites like G2 and Capterra.
- The dark web (where vendors might get name-checked as part of a data dump/breach).
- Job review sites where employee comments may indicate levels of risk that you previously didn’t know about.
5. Assess Vendors’ Access to Sensitive Information
A breach of sensitive information is a costly event for any business. Much of the increased attention around vendor risk stems from large-scale data breaches affecting governments, organizations, and citizens alike.
For this reason, it’s critical to assess where sensitive data flows in your IT ecosystem, how much access a vendor should have for their particular service or function, and how much access current vendors have now. If discrepancies arise between actual access and necessary access, you can address these gaps in alignment with least privilege access principles.
6. Plan What Questions You’ll Ask Potential Vendors
With the risk (and costs) involved in entering into a contract with any IT vendor, it’s advisable and reasonable to ask for more granular information to help you better determine risk. These questions can take the form of a repeatable questionnaire that you send to each potential vendor, or you can ask questions during sales/negotiation calls.
The point is that you should always plan what you want to ask ahead of time. These questions could relate to whether the vendor has a cybersecurity training and awareness program in place, how the vendor handles breaches and notifies you about those breaches, what code/software security guidelines and approaches are used, and more.
Why VRM Needs Software Supply Chain Visibility
Companies today must pay attention to vendor risk management. Developing a cohesive, strategic approach starts with recognizing that third-party vendors pose high-priority risks and knowing the essentials to include in VRM.
Modern apps are a complex hybrid of components developed in-house and sourced from third parties, further complicating vendor risk management. Security teams often lack true visibility into the entire software supply chain, making it difficult to assess the full extent of exposure and risk.
To strengthen your VRM strategy, it’s essential to prioritize tools and processes that provide end-to-end visibility across the development pipeline. Implementing methods like a pipeline bill of materials (PBOM), maintaining accurate vendor inventories, and integrating security across the SDLC can help ensure the integrity and security of your software supply chain—regardless of the mix of tools and vendors involved.
