Save time with unbiased, independent feedback on vendor solutions.
Watch weekly bite-sized webinars hosted by IANS Faculty.
An “ideal” vendor management program is unattainable, however, picking a focus and optimizing around that focus enables you to develop an improved program that works much better in comparison than most throughout the industry.
This piece explains six key focus areas to choose from when optimizing your vendor management program, how to measure maturity around each and key pitfalls to avoid.
While the desire for an ideal vendor management program is understandable, real-world attempts to create such programs almost always fail. The reason for this is not only that every organization is different, but that each organization’s needs drive
different selections for different vendors. An organization that strategically outsources particular aspects of its business is different from an organization that strategically retains only particular aspects of its business while outsourcing all
the rest. Smaller organizations have different needs than larger organizations. Organizations differ in locality and by industry, with respectively different requirements in terms of vendor management. Instead of focusing on an ideal program, it is
usually better to focus on different ways to optimize your program.
It’s possible to build a program that includes many different areas—such as governance, risk, vendor selection, vendor monitoring, vendor retention, etc. Most organizations typically will not want to focus on all areas equally and only consider
particular aspects to when it comes to optimization. There is growing emphasis on holistic evaluations in third-party risk management. NIST’s Cybersecurity-Supply Chain Risk Management (C-SCRM) regulations set a standard for organized and purposeful management of cybersecurity risks throughout the supply chain. C-SCRM requires enterprise recognition and awareness – critical for addressing cybersecurity risks throughout the supply chain.
When optimizing around vendor capabilities, it is important to identify, ahead of time, the vendor capabilities that matter. This may involve categorizing vendors by service provided (as opposed to high, medium and low risk), or it may involve identifying
vendors on a project-by-project basis. The key to this approach is recognizing the biggest risk from a vendor is often its failure to achieve the purpose for which it was hired.
Basing a program on vendor capabilities avoids the time sink of classic “vendor risk” assessment and, instead, requires a deep knowledge of how vendors are actually used in the organization. This approach will not work well in organizations
that are heavily siloed.
Maturity benchmarks: Maturity for this optimization would largely focus on building a library of internal needs and mapping that to a library of vendor capabilities. As the program matures, work would centralize around the categorization effort and attempts
would need to be made to constantly reduce vendors to avoid vendor bloat from becoming another core risk of vendor use.
Focusing on vendor quality is similar to capabilities, but instead of asking what a vendor can do for you, ask how well the vendor is working. This subtle difference is critical when it comes to the actual measurement of vendor performance. While initial
efforts may be contract-focused, building requirements directly into the agreements over time, it will be important to develop meaningful security metrics for each key deliverable and to
build a real-time reporting system that links to operations.
This approach allows for real-time measurement and is a good fit for a high-flow rapid delivery organization. It optimizes around vendor risks that mirror the organization’s ability to execute its mission and achieve its goals. This approach also
requires that vendors be selected with specific objectives in mind, so performance can be measured.
Maturity benchmarks: Maturity for this optimization would largely focus on building a library of vendor services and a set of tests to verify whether each capability is being met. Over time, this will require deep metrics around the services the vendor
is delivering, as well as deep understanding of what the vendor should be delivering.
DOWNLOAD: Vendor Vulnerability and Remediation Policy Template
The classic optimization is to focus on the nebulous term “vendor risk.” This is not helpful, however, nor is the classic approach to lump vendors into high-, medium- and low-risk vendors. What, after all, is a high-risk vendor? Is it a vendor
that has high inherent risk based on the nature of the work it does? Is it a vendor with a high level of risk because it has high turnover? Is it a vendor that has a high number of lawsuits against it? In any of these scenarios, if you have a vendor
that meets the requirement, why do you have them at all?
No, considering vendor risk in a modern vendor management program requires an understanding of what functions the vendor performs, what the risk indicators may be for each function, and then identifying whether any such “red flag” indicators
may be present.
Maturity benchmarks: Maturity in a modern vendor risk system requires orthogonality. In other words, as you mature the process used to categorize each vendor and identify the red flags, you want to minimize overlap between flags. When the program starts,
such overlap is inevitable, but as you iterate through the process of improvement, you will start to notice that every time one flag is raised, another is usually raised with it. This indicates overlap and is a point where the program must be revised
so each flag can and does stand alone.
READ: How to Build a Third-Party Risk Management Framework
A classic optimization would be around traditional vendor governance. This practice is based on the (flawed) notion that it is possible to change how a vendor does business based on a periodic assessment by a single one of its customers. While some organizations
may have the financial power over a vendor to force change, such events are rare and limited. Nonetheless, many organizations take this approach.
In this model, you develop a standard set of questions that you run all vendors through and have a set of recommended remediations for each question the vendor answers with what is predetermined as the wrong answer.
Maturity benchmarks: As such a program matures, you will find several questions keep coming back as “not applicable.” After digging, you will find the questions cluster around business type, and the program will splinter into different question
types for each type of vendor you work with. Taking maturity to the next level, you then look at all the questions that always come back with acceptable answers and start to wonder whether it even makes sense to ask those questions.
Over time, you may find that a by-the-book approach will converge on a more modern vendor risk optimization (see Focus Area 3), but with a much higher back-end cost due to higher rigor built into the vetting approaches.
READ: Third-Party Risk Management: Guidance for InfoSec Teams
A more real-world approach to vendor governance would involve identifying those vendors over which you may have real power to drive change. These may be partners or vendors with particularly detailed contracts. They may be vendors that agree to meet a
specific standard (e.g., PCI DSS) that undergoes public revision and, therefore, drives change. The key to this optimization is to split the vendors you can drive change with from the ones you cannot and develop two different programs.
The first program involves developing a practice around working with the vendors to implement ongoing permanent and monitored change in their practices. The second program would involve developing an internal resilience program to cover the risks from
vendors that cannot and will not change. The nature of each of these programs will vary drastically and should be based on a public standard, like the Center for Internet Security Critical Security Controls Version 8,
NIST SP 800-53 Rev. 5, PCI DSS, HITRUST
Maturity benchmarks: Maturity of a real-world governance program will show itself as variance from the standard you select to base your program on. You can measure each vendor’s variance in:
Which model you use is up to you, but the key to maturity is to measure all vendors in the same class in the same way. It may, of course, be necessary to sub-class vendors to ensure you compare apples to apples.
READ: Understand the Changes to NIST's Supply Chain Security Guidance
Another common optimization is to attempt to cover all vendors in the vendor management program. This approach is difficult, because more vendors are being onboarded as you go through this process and, often, at a faster rate than you are able to profile
and assess the existing vendors. You can address this issue by developing a rapid profiling model where you identify classes of vendors and simply drop the vendors into “buckets” based on their attributes. You then assign a generalized
risk level to each bucket and have a very rough way to identify vendor risk across your overall vendor population.
This approach is flawed in that most vendors fit in multiple buckets. You can finetune the process by using a categorization approach as discussed earlier, i.e., assign a generalized risk score to each category, using averaging or high-watermark scoring
to get a sense of the overall risk.
Of course, profiling alone doesn’t improve your risk exposure, so any such program would need to be balanced by an internal resilience program as well.
Maturity benchmarks: As you mature a profiling system, you will find the profiling buckets or categories get better defined and more granular over time. Care would need to be taken, however, to avoid creating an array of categories, each of which only
holds a single vendor, because that would work against the throughput goal of getting full vendor coverage.
The most common failure modes when redeveloping a vendor management program include:
When redeveloping a vendor management program, it’s important to:
All vendor programs can be improved. All vendor programs can be reinvented. The hardest part is taking that first step, so decide what most important thing is and toss everything else to the side. Build a program that does that one aspect as well as you
possibly can. Then, and only then, see if there’s room to add anything else.
Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in
connection with such information, opinions, or advice.
December 7, 2023
By IANS Research
Learn how to create an actionable CISO dashboard with meaningful security metrics using the three C’s principle that supports informed decision-making.
December 5, 2023
By Bryson Bort
As the year draws to a close, IANS Faculty provide their 2024 Cyber Predictions. Watch our video with Bryson Bort for tips on planning your 2024 IT/OT security strategy.
November 30, 2023
CISOs, find guidance on what to focus on within the first 30 days, 6 months and first year of your tenure to ensure a fast, successful start.