“You can’t manage what you can’t measure,” Peter Drucker, the father of modern business management, is famously quoted as saying. While there are many areas in business and in life where this quote applies, it is especially pertinent to managing vendor cyber risk.
While the world has more access to data than ever before, turning that data into actionable insights is what matters. When monitoring vendor cyber risk, it is critical that the relevant stakeholders understand the information being presented so they can make educated decisions going forward.
What is Vendor Risk Management?
Vendor risk management is the process of identifying, prioritizing and mitigating different types of inherent risk in vendors or third parties. Also known as third-party risk management, it is essential when the cybersecurity and regulatory landscape evolves rapidly alongside changes to an organization’s IT and infrastructure. Since many organizations must manage hundreds or thousands of risks posed to them at any time, many employ tools and processes to help them, such as security questionnaires, attack surface management and third-party security risk platforms.
What Should Your Vendor Risk Management Reports Evaluate?
When assessing your third parties, it is important to consider the following questions:
- Which vendors pose the highest risk to my organization?
- What issues does the vendor need to address for me to work with them?
- Which vendors are impacted by specific vulnerabilities?
- Should I approve or reject this vendor?
To achieve this, it behooves you to make sure that you are gathering the appropriate data that will yield the greatest insights. The following six reports will provide relevant information and actionable insights into managing vendor cyber risk:
1. Operational and Monitoring Report
What it is:
This report provides you with an overview of all your third parties. It tells you where vendors stand in the approval process (accepted, rejected, pending). It also tracks the status of vendors whose questionnaires have expired and suppliers whose remediation plans are open.
Why it’s important:
With this report, you have a clear “to-do list” for managing your vendors’ cyber risk. In addition, it provides data about how many suppliers you are adding on a monthly basis.
2. CVE Investigation Report
What it is:
This report includes a list of companies in your portfolio that were recognized as being affected by CVEs (Common Vulnerabilities and Exposures), including new critical CVEs that potentially impact your vendors.
Why it’s important:
Staying on top of new critical CVEs that may affect your third parties is essential. With this knowledge, you can notify the relevant vendors to remediate the vulnerability, or reduce your exposure to those vendors by implementing security controls.
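The core of a CVE investigation report is a cross-reference: which vendors in the portfolio run a product version that a given CVE affects, weighted by how critical the vendor is to you. The following is an added illustration, not Panorays code; the vendor inventory, product names, version numbers and CVE identifiers (CVE-0000-000x) are all constructed placeholders, and the business-impact tiers are an assumption about how a portfolio is labelled.

```python
"""Cross-reference a vendor inventory against CVE records (constructed sample data).

A practitioner would feed this from a real vulnerability feed and a vendor
technology inventory; here both are small in-line samples so it runs offline.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class CveRecord:
    cve_id: str      # placeholder identifiers below, not real CVEs
    product: str     # affected product, normalized to lower-case
    fixed_in: str    # first version that contains the fix
    cvss: float      # base score used for the "critical CVE" cut-off


@dataclass
class Vendor:
    name: str
    tier: str        # assumed business-impact label: critical / high / standard
    products: dict = field(default_factory=dict)   # product -> version in use


def parse_version(version: str) -> tuple:
    """Keep the leading numeric components so '1.8.1' and '1.8.1-rc2' compare sanely."""
    parts = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def is_affected(in_use: str, fixed_in: str) -> bool:
    """Affected when the version in use predates the first fixed version."""
    return parse_version(in_use) < parse_version(fixed_in)


def affected_vendors(vendors, cves, min_cvss=7.0):
    """Return {cve_id: [vendor names]} for CVEs scoring at or above min_cvss."""
    hits = {}
    for cve in cves:
        if cve.cvss < min_cvss:
            continue
        for vendor in vendors:
            version = vendor.products.get(cve.product)
            if version is not None and is_affected(version, cve.fixed_in):
                hits.setdefault(cve.cve_id, []).append(vendor.name)
    return hits


def prioritize(vendors, cves, min_cvss=7.0):
    """Rank (vendor, cve, cvss, tier) rows: critical-tier vendors, then highest CVSS."""
    tier_weight = {"critical": 3, "high": 2, "standard": 1}
    by_name = {v.name: v for v in vendors}
    rows = []
    for cve in cves:
        for name in affected_vendors(vendors, [cve], min_cvss).get(cve.cve_id, []):
            rows.append((name, cve.cve_id, cve.cvss, by_name[name].tier))
    rows.sort(key=lambda r: (tier_weight[r[3]], r[2]), reverse=True)
    return rows


# Constructed sample inventory and CVE feed (vendor and product names are fictional).
VENDORS = [
    Vendor("Acme Payroll", "critical", {"widgetmail": "4.2.0", "openweb": "1.8.1"}),
    Vendor("Globex Marketing", "standard", {"widgetmail": "4.3.0"}),
    Vendor("Initech Hosting", "high", {"openweb": "1.7.9"}),
]
CVES = [
    CveRecord("CVE-0000-0001", "widgetmail", fixed_in="4.2.5", cvss=9.8),
    CveRecord("CVE-0000-0002", "openweb", fixed_in="1.8.0", cvss=7.5),
    CveRecord("CVE-0000-0003", "openweb", fixed_in="1.9.0", cvss=4.3),
]

if __name__ == "__main__":
    for name, cve_id, cvss, tier in prioritize(VENDORS, CVES):
        print(f"{tier:9} {cvss:4} {cve_id}  {name}")
```

The ranking puts a critical-tier vendor with a 9.8 CVE above a high-tier vendor with a 7.5 CVE, which is the order in which notifications and remediation follow-ups should go out; lowering `min_cvss` widens the report to medium-severity CVEs when a vendor's business impact justifies it.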
3. Fourth-Party Investigation Report
What it is:
This report helps you understand your vendors’ vendors, or your fourth parties. While they are not contractually connected to your organization, they are connected to your organization’s third parties.
Why it’s important:
You must know your fourth parties because of the additional potential threat they pose to your company. Fourth parties can reach your company’s data through your third-party vendor. In the case of a specific breach (e.g., SolarWinds), this report also enables you to check whether your vendors work with a third party who experienced that breach, so you can take precautions if necessary.
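Answering “which of my vendors depend, directly or indirectly, on the supplier that was just breached?” is a graph question over the supply-chain map. The block below is an added example, not part of the original article or of any Panorays product; the supplier names and relationships are constructed, and the map is assumed to be a simple adjacency list of who relies on whom. It goes slightly beyond the fourth-party case in the text by following the chain to fifth and n-th parties, with a depth limit and cycle protection so a circular dependency cannot loop forever.

```python
"""Find which direct vendors are exposed to a breached supplier through their own
suppliers (fourth, fifth, ... n-th parties). Constructed sample data, offline."""
from collections import deque

# Constructed supply-chain map: each key relies on every supplier in its list.
SUPPLY_CHAIN = {
    "Acme Payroll": ["CloudHost X", "SSO Provider Y"],
    "Globex Marketing": ["Mail Relay Q"],
    "Initech Hosting": ["CloudHost X"],
    "CloudHost X": ["Build Tool Z"],
    "SSO Provider Y": [],
    "Mail Relay Q": ["Build Tool Z"],
    "Build Tool Z": ["CloudHost X"],   # deliberate cycle to exercise the visited set
}
# Your third parties: the vendors you hold a contract with.
DIRECT_VENDORS = ["Acme Payroll", "Globex Marketing", "Initech Hosting"]


def shortest_path(graph, start, target, max_depth=5):
    """Breadth-first search; returns the shortest dependency path or None."""
    queue = deque([[start]])
    seen = {start}
    while queue:
        path = queue.popleft()
        if path[-1] == target:
            return path
        if len(path) - 1 >= max_depth:      # stop expanding past max_depth hops
            continue
        for supplier in graph.get(path[-1], []):
            if supplier not in seen:        # cycle protection
                seen.add(supplier)
                queue.append(path + [supplier])
    return None


def exposure_paths(graph, direct_vendors, breached, max_depth=5):
    """Map each direct vendor to its shortest path to the breached party (None if unexposed)."""
    return {v: shortest_path(graph, v, breached, max_depth) for v in direct_vendors}


def party_tier(path):
    """Tier of the last node on the path from your perspective: your vendor is the
    third party, its supplier the fourth, and so on. None when there is no exposure."""
    if path is None:
        return None
    return len(path) + 2


def exposed_vendors(graph, direct_vendors, breached, max_depth=5):
    """Names of direct vendors with any dependency path to the breached party."""
    paths = exposure_paths(graph, direct_vendors, breached, max_depth)
    return [v for v, p in paths.items() if p is not None]


if __name__ == "__main__":
    for vendor, path in exposure_paths(SUPPLY_CHAIN, DIRECT_VENDORS, "Build Tool Z").items():
        tier = party_tier(path)
        print(f"{vendor}: {' -> '.join(path) if path else 'not exposed'} (tier {tier})")
```

Running this against the constructed map shows all three direct vendors exposed to a breach at “Build Tool Z” as a fifth party, while a breach at “SSO Provider Y” touches only Acme Payroll; the path itself tells you which contractual relationship to raise the precaution through.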
4. Board Report
What it is:
This report displays the security posture scores of all third parties in your organization as well as statistics of accepted, rejected and pending suppliers. This data explains the potential risks posed by doing business with specific vendors by including a complete overview of ratings, questionnaire status, geolocation, business impact and more.
Why it’s important:
This report essentially shows your board that security risk is not an IT risk, but a business risk. With this in mind, your board can make informed decisions about working with a vendor. This is especially useful when there is a debate about whether or not to use a third party and the risks associated with that selection. In addition, this report provides a high-level status of third-party security risk within your organization and delineates critical information for your board, such as the number of vendors, trends and security incidents.
5. Supplier Comparison Report
What it is:
This report lists comparative security information about suppliers, such as how a vendor rates in different cyber posture categories (web server, mail server, application security), as well as how they rate in questionnaire categories.
Why it’s important:
This enables you to compare similar vendors side by side, which is useful for determining adherence to organizational standards and regulatory requirements (such as GDPR, CCPA and HIPAA) and for selecting vendors for RFPs.
6. Supplier Mapping Report
What it is:
This report helps you understand what type of information you share with your vendors. It also analyzes which departments are adding the most vendors, as well as other relevant mapping information based on your organizational needs.
Why it’s important:
Having easy access to organized data, such as a report showing which vendors receive PII, PHI and other proprietary information, will help you quickly and effortlessly understand which third parties are complying with your organizational standards and regulatory requirements and which are not.
Creating the right reports facilitates greater visibility of vendor risk in a manner that is relevant, concise and understandable. When security risk information is presented in this fashion, it becomes easier to manage, mitigate and remediate cyber risk, reduce breaches, ensure vendor compliance and improve your security across the board.
How Panorays Helps You Manage Third-Party Risk
With a combined approach of AI-powered cybersecurity questionnaires customized to each customer according to context and external attack surface assessments, Panorays gives you a regulator cyber rating of all of your third parties, suppliers, outsourced services, agencies and vendors. At the same time, it maps your digital supply chain ecosystems to identify third, fourth, fifth and n-th parties, delivering greater visibility of your entire third-party portfolio while pinpointing potential regulatory and security gaps. Together with continuous monitoring, this extended visibility and ability to send customized reports to stakeholders allow comprehensive vendor risk management and the effective management of third-party vendors to better defend your organization against data breaches and third-party attacks.
Want to learn more about how you can manage third-party risk across your extended digital supply chain? Sign up for a free demo today.
FAQs
- Vendor risk management is the process of identifying, prioritizing and mitigating different types of inherent risk in vendors or third parties. Risk can be operational, financial, legal, environmental, cybersecurity, reputational or related to compliance. Vendor risk management is essential in an organization that faces hundreds, or even thousands, of different types of risks at any time. Security questionnaires, attack surface monitoring and third-party security risk tools all help organizations to scale their vendor risk management. Vendor risk management is also known as third-party risk management.
- A high-risk vendor is one that poses a critical risk to an organization’s operations. For example, a vendor with access to sensitive, confidential or personally identifiable information (PII) poses a high risk to your organization if it is breached or fails to meet compliance. A vendor that provides critical infrastructure poses a high risk if it suddenly fails to operate due to a natural disaster or DDoS attack. Vendors with members of their board or C-suite involved in a public scandal pose a high risk to your organization’s reputation and a legal risk. Vendors with a poor security posture pose a high cybersecurity risk to your company, as they offer easier entry points for attackers.
- An example of vendor risk management is the process of continually monitoring changes in compliance and regulatory guidelines and evaluating whether or not each vendor has taken the steps needed to meet those changes. For example, a payment processing vendor may have made a significant change to its infrastructure and therefore require penetration testing under the PCI DSS credit card regulations.