Vendor Risk Management (VRM), sometimes known as Third Party Risk Management or TPRM, is becoming more and more important in our new normal of security assessment, with increasing interconnected businesses around the globe and extended supply chains. But with outsourcing comes the challenge of increased risk potential and the lack of scalable methods to assess and mitigate third party risks coming from those relationships.
For years this vulnerability assessment has entailed repetitive and redundant communication and document sharing. As a result, risk was increased and business’s resources were poorly spent.
Luckily, there’s a better way of doing things as companies increase their security assessments. The secret to gaining efficiency and insight into your VRM process is a unique way of automating the main complicated steps. This process is the Network Approach, and only a few companies are taking advantage of it. Read on to learn how to harness its power.
Why the old approach to vendor risk management was not working
VRM helps organizations ensure that their third party vendors do not create an unacceptable potential for cyber risk or business disruption. It is (or should be) a key component of a holistic approach to cybersecurity and risk management within organizations. However, the management part of it can seem intimidating for companies that lack the resources (time, budget, technology) and rely on manual processes.
The traditional approach to third party risk management usually consists of organizations mapping out their questions and requirements in a spreadsheet that is sent to every new third party vendor, in order to assess their security posture. These requirements vary according to the type of relationship and the level of access to sensitive information that the vendor will have.
There are several problems with this approach:
- It’s hard to customize requirements in an organized manner, as that would mean different spreadsheets and/or multiple tabs
- Third party vendors need to answer the same questions and share the same documents every time a customer wants to assess them, and are constantly chased via email
- The email & spreadsheet method is not scalable to take on new reviews as more vendors enter the supply chain, which usually leads to thinking hiring more people is the only answer
Introducing the Network Approach by ThirdPartyTrust
The approach that we took with ThirdPartyTrust is that of a truly connected network, almost like LinkedIn, but for enterprises and their vendors. The idea being vendors have security profiles inside ThirdPartyTrust that they can share, and other companies may use what’s available in these profiles to satisfy their due diligence needs and understand their security posture.
In parallel, enterprises on the requestor side get to automate and streamline this intake of information, customize their requirements (what they ask/need from each type of vendor), and get the ultimate quantified view of risk across their supply chain. Upon joining the ThirdPartyTrust network, a portion of their vendor population is most likely to be already assessed on the platform. This data is readily available and allows teams to answer most of the questions instead of starting from scratch.
This holistic view of TPRM that we call the network approach goes beyond gathering data for the sense of gathering data because:
- It’s a collaborative network of enterprises and third party vendors exchanging security information in the fastest and most efficient way
- It’s about using that data for making decisions towards risk reduction
- It’s about using the findings to push the vendor to change for the better and improve their security posture
- It’s a shared effort towards transparency that is proved to actually reduce risk
If this sounds familiar, download our free strategy guide to learn how the Network Approach can help your organization solve 3 common challenges of third party risk management.
Rethinking security risk assessments and vendor due diligence
ThirdPartyTrust was founded to fix the ‘rinse and repeat’ problem with vendor risk management – simplifying information sharing for enterprises and their third party vendors. We see more and more how companies struggle with the growing demand to onboard new vendors or respond to more security reviews with a lack of resources, while regulation adds pressure to the equation.
As a vendor, years ago, our Founder and CEO Anders Norremo was receiving multiple spreadsheets with the same types of questions every week (read his full backstory here). Meanwhile, his customers were struggling to get those filled out. There was a lot of manual and repetitive efforts that made the process inefficient for both sides.
The goal of ThirdPartyTrust was not just to help the enterprise do it more efficiently, but also to add value to the process. We asked ourselves, can we speed things up for organizations while we solve the vendor use case?
As it turns out, there are more pieces to the puzzle than asking these due diligence questions upfront. Proper Vendor Risk Management – or, in a broader sense, Third Party Risk Management (TPRM) – is not a point in time questionnaire. When creating this single pane of glass around TPRM, we not only automated and simplified the evaluation workflow. We also integrated additional tools, such as external ratings, to complement the enterprise assessment and vendor response processes.
We have the big cyber rating providers all integrated in one place, like BitSight and RiskRecon for security, Osano for privacy, Supply Wisdom for geopolitical risk, HackNotice for data breach information, ArgosRisk for financial viability, SpyCloud for credential exposure, and more.
These partnerships, combined with our end-to-end workflow automation tools and centralized dashboard, allow organizations across different industries to go deeper in their initial vendor assessments and subsequent continuous monitoring.
Conversely, for third party vendors, our platform is a one-stop shop to build and share a centralized security profile. Instead of starting from scratch on every customer security request, they can just invite their customer to this centralized profile comprising all questionnaires, certifications and attestations, such as SIG Core and Lite, CAIQ, ISO, pentests, etc. By leveraging previous work completing an assessment for one customer, vendors get some mileage for their next assessment.
Our focus is to change the way things were done in the past and go really deep in the areas that matter. That requires organizations on both ends to be much more agile with the assessment request and response process.
