Efficient Vendor Management Requires Automation
In the modern business environment, companies can no longer take a “don’t know, don’t care” approach to managing their third-party vendors. Apart from regulations and standards requiring companies to manage their vendors, third parties are extensions of an organization and their actions can have a direct impact on brand reputation. Regulations from conflict minerals to HIPAA are increasingly expanding to include an organization’s vendors and business associates. This requires companies to survey, assess, and follow-up with dozens, hundreds or even thousands of third parties, and take action against those not in compliance. It also means a new, collaborative approach to third-party management is needed.
As part of the “21st Century Business Requires 21st Century Processes” webinar series, Justin Fimlaid from NuHarbor Security and Shawn Hickey from LockPath presented a vendor management session on June 17, addressing the challenges of third-party management and how companies can leverage best practices.
Here are the main takeaways of the webinar:
- If you take security and compliance seriously, you should be taking vendor risk seriously. More and more regulations are emerging that require companies to perform due diligence on potential business partners. Third-party risk management — ensuring vendors have good security and compliance hygiene across their organizations — has become an essential component of a comprehensive security and risk program.
- Vendor assessments are incredibly time-consuming. You absolutely need to automate where you can. Sending out, scoring, analyzing and following up on assessments lead to major overhead for your team. As Fimlaid explained, the ideal process is to send your questionnaire, your partner completes it, then you are automatically alerted if there is a deviation from your tolerance. From there, you can optimize how you follow up, so that you’re mitigating the most risk with the time you have.
- Predefined expectations for vendors simplify the process. Fimlaid suggested you ask the following questions: What are your buckets of vendors (high, medium or low risk)? How many are in each bucket? What level of compliance and security do you expect for each bucket? Many companies have trouble managing vendors because they don’t answer these questions ahead of time. Knowing what you expect from each risk level of vendor is extremely important to decision-making after assessing.
- Top 3 vendor management best practices:
  - Try to establish business processes surrounding third-party management early. Consider when you send assessments, how you send them out, when during the evaluation process they are assessed, how risk is determined and how risk can be mitigated via contract.
  - Know your tolerance on what risk you will accept from vendors. If it’s a high-risk vendor with a score of 5, will your tolerance allow that?
  - Automate where possible. Assessing, continuously monitoring and following up on remediation lead to major overhead for your team. Automation creates efficiencies throughout the vendor management lifecycle.
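The automated loop described in the takeaways above (send a questionnaire, score the answers, compare the score with the tolerance for that vendor's risk bucket, and prioritize follow-up) can be sketched in a few dozen lines. The example below is added here and is not code from the webinar, NuHarbor or LockPath; the control names, their weights, the three buckets, the per-bucket tolerances and the sample vendors are all assumptions constructed for illustration. Unanswered questions are scored as "no", so a blank form cannot slip through as compliant.

```python
"""Added example: score vendor questionnaires against per-bucket risk
tolerance and produce a prioritized follow-up list. Every control, weight,
tolerance and vendor below is constructed, not taken from the webinar."""
from dataclasses import dataclass

# Assumed control weights: a higher weight means the control matters more.
CONTROL_WEIGHTS = {
    "mfa_enforced": 3,
    "encryption_at_rest": 3,
    "incident_response_plan": 2,
    "annual_pentest": 2,
    "patching_sla": 2,
    "background_checks": 1,
}

# Risk contributed by each answer: 0 = control in place, 1 = control absent.
ANSWER_RISK = {"yes": 0.0, "partial": 0.5, "no": 1.0}

# Assumed tolerance per bucket: the highest score (1..5) still acceptable.
TOLERANCE = {"high": 2, "medium": 3, "low": 4}
# Assumed weight used to rank follow-ups: high-risk vendors come first.
TIER_WEIGHT = {"high": 3, "medium": 2, "low": 1}


@dataclass
class Vendor:
    name: str
    tier: str          # "high", "medium" or "low" risk bucket
    answers: dict      # control name -> "yes" | "partial" | "no"


def score_vendor(answers):
    """Return a 1..5 risk score; 5 means every weighted control is unmet.
    A missing answer is treated as "no" (worst case)."""
    total = sum(CONTROL_WEIGHTS.values())
    risk = 0.0
    for control, weight in CONTROL_WEIGHTS.items():
        answer = answers.get(control, "no")
        if answer not in ANSWER_RISK:
            raise ValueError(f"unrecognised answer {answer!r} for {control}")
        risk += weight * ANSWER_RISK[answer]
    return 1 + round(4 * risk / total)


def assess(vendors):
    """Score each vendor and return follow-up items for those whose score
    exceeds their bucket's tolerance, most urgent first."""
    followups = []
    for v in vendors:
        if v.tier not in TOLERANCE:
            raise ValueError(f"{v.name}: unknown risk bucket {v.tier!r}")
        score = score_vendor(v.answers)
        excess = score - TOLERANCE[v.tier]
        if excess > 0:
            followups.append({
                "vendor": v.name,
                "tier": v.tier,
                "score": score,
                "priority": TIER_WEIGHT[v.tier] * excess,
            })
    # Highest priority first; vendor name breaks ties deterministically.
    followups.sort(key=lambda f: (-f["priority"], f["vendor"]))
    return followups


# Constructed sample responses (fictional vendors).
VENDORS = [
    Vendor("Alpha Payroll", "high", {
        "mfa_enforced": "yes", "encryption_at_rest": "yes",
        "incident_response_plan": "yes", "annual_pentest": "yes",
        "patching_sla": "yes", "background_checks": "partial"}),
    Vendor("Beta Analytics", "high", {
        "mfa_enforced": "no", "encryption_at_rest": "yes",
        "incident_response_plan": "partial", "annual_pentest": "no",
        "patching_sla": "partial", "background_checks": "yes"}),
    Vendor("Gamma Printing", "low", {
        "mfa_enforced": "no", "encryption_at_rest": "no",
        "incident_response_plan": "no", "annual_pentest": "no",
        "patching_sla": "partial", "background_checks": "no"}),
    Vendor("Delta Hosting", "medium", {
        "mfa_enforced": "yes", "encryption_at_rest": "yes",
        "incident_response_plan": "no", "annual_pentest": "partial",
        "patching_sla": "yes", "background_checks": "yes"}),
]

if __name__ == "__main__":
    for item in assess(VENDORS):
        print(f"{item['vendor']:15} bucket={item['tier']:6} "
              f"score={item['score']} priority={item['priority']}")
```

With these constructed inputs only Beta Analytics (score 3 against a high-bucket tolerance of 2) and Gamma Printing (score 5 against a low-bucket tolerance of 4) are flagged, and Beta is listed first because the same one-point excess weighs more in the high-risk bucket. That ordering is the point of deciding buckets and tolerances ahead of time: the follow-up queue falls out of the scoring instead of being argued vendor by vendor.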
The last two webinars in the series with NuHarbor will focus on incident response and audit preparation. To register, visit the LockPath events page.