3 Types of Vendor Security Risk Reports Every CISO Should Have Access To

September 12, 2017

As a CISO, it’s your responsibility to always have a grasp of risks that your business and your stakeholders are exposed to. In today’s day and age, however, companies add new vendors at such speed that manual reports are often outdated before they’re even finalized.

When it comes to conducting vendor assessments, the result can often be an extensive list of various risks, ranging from inherent risk to transmitted data red flags to integration cautions. For CISOs and their teams, it can be incredibly difficult to quantify or even categorize risk when there are so many considerations. With a manual reporting method, teams are often left sorting through endless files and trying to make sense of risk potential for each vendor. Fortunately, with Whistic’s robust custom reporting engine, pulling reports and filtering by risk types is easier than ever and allows business stakeholders to make more informed decisions regarding each vendor.

In this article, we’ve compiled 3 types of vendor security risk reports that you and your team need to have access to on a regular basis:

Vendor Security Risk Report #1: Vendors by Risk Level

When it comes to third party security, there are various aspects to consider, such as data that vendors have access to and how information is stored and transmitted. Keep in mind that different types of data present different levels of risk. One particular software may only have access to marketing data while another may store or process actual user data. Being able to view and rank vendors by risk level is one of the core reports required for even the most basic vendor security programs.

This is why it’s critical to have access to reports by vendor inherent risk, which is typically in the form of an assigned level of risk, such as high, medium, low. This allows your team to quickly see how much your attention should be directed to vendors based on the level or type of information they have access to, among other factors (like integrations, for example). When evaluating vendors by risk level, Whistic’s proprietary CrowdConfidence score, which is an algorithm that works behind the scenes to interpret and evaluate third party risks, is also an important metric to monitor. The score helps Whistic’s users quickly understand the specific areas in which a vendor requires additional attention and helps them gain visibility by benchmarking vendor risk.

Finally, certain vendors can be seen as more “critical” (i.e. what impact would it have on the business if this vendor went offline for 24 hrs.?) than others when it comes to continuing business. For example, what would happen if your CRM was unavailable for an extended period of time? How would that compare to an outage of, say, your content delivery network that supports your customer-facing web application? Layering “Criticality” onto your vendor security risk reports can help your team stay on top of potential business risks by delivering insights into areas where something could go wrong.

Vendor Security Risk Report #2: Vendor Assessment Analytics

It’s all too easy for important facts to get lost in the shuffle during the assessment process. If your team has to manually follow up with vendors, track down questionnaires that have been sent but not completed, and is constantly behind on vetting new or potential vendors, then having insight into vendor assessment analytics is key. In fact, it’s good practice to pull reports on a regular basis that offer insight into facts such as:

  • Vendor assessment turnaround time
  • Questionnaires sent, received, completed, and in progress
  • Number of assessments completed in a specific timeframe
  • Number of upcoming assessments

While these reports may not seem as glamorous as others, they are mission critical to ensuring that your process is running smoothly and that your team is covering all of the bases as it relates to vendors.

Vendor Security Risk Report #3: Data and Internal Systems Access Reports

In today’s cybercriminal day and age, data — while undoubtedly an invaluable asset — is also notorious for causing massive problems. Whether stored or transmitted, data can pose different levels of risk to an organization depending on which vendors have access to data sets. For instance, compromised personally identifiable information (PII) such as a social security number or even an email address can expose private or sensitive information often resulting in a legal nightmare. On the other hand, credit card data could expose financial information, leaving stakeholders (and consumers) exposed to significant financial consequences.

With Whistic’s vendor assessment platform, you can:

  • Build and track your data classification matrix
  • Require this information to be completed on every vendor request
  • Build custom reports that show all vendors that have access to or transmit certain types of data

You can also do the same thing with the internal systems that your vendors may have access to or integrate with. Imagine being able to run a report displaying all of your vendors that integrate with system X and have access to Y data. With this level of information, your team can stay on top of potential breaches and monitor vendor activity to ensure third parties are always operating within your organization’s regulations.

Bonus Vendor Security Risk Report: Hybrid / Cross-Filter Report

While being able to pull individual reports like the ones we’ve laid out above is critical, there are situations that make using individual reports difficult. Let’s say, for example, you need to see all high risk vendors that have not been assessed in the last 9 months that also integrate with your CRM and also transmit or store PII. Traditionally, that would require 3 different reports and days of spreadsheet analysis, potentially leaving room for missed risks.

With Whistic’s intuitive reporting engine, you can combine several filters at once so the result is a robust report that includes all necessary information at a given time.
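The following is an added example, not Whistic’s code and not a description of how Whistic’s reporting engine works. It shows what the reports in this article look like when computed over a vendor inventory: vendors grouped by inherent risk and criticality (report #1), questionnaire throughput and turnaround (report #2), a data-type and integration filter (report #3), and the cross-filter described above, where several conditions are combined in one pass so that no vendor slips between separate spreadsheets. The vendor names, dates, risk labels, the three-level risk scale, and the “9 months = 270 days” and “overdue after 14 days” thresholds are all constructed assumptions for the example.

```python
"""Vendor security risk reports over a constructed vendor inventory.

Added example code; not Whistic's code and not its scoring or reporting engine.
"""
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta

RISK_RANK = {"high": 0, "medium": 1, "low": 2}   # assumed three-level inherent-risk scale
AS_OF = date(2017, 9, 12)                        # reporting date (the post's date)


@dataclass(frozen=True)
class Vendor:
    name: str
    inherent_risk: str          # "high" | "medium" | "low"
    criticality: str            # assumed label: business impact if offline for 24 hrs
    data_types: frozenset       # data the vendor accesses, stores or transmits
    integrations: frozenset     # internal systems the vendor integrates with
    last_assessed: date | None  # None = never assessed


@dataclass(frozen=True)
class Questionnaire:
    vendor: str
    sent: date
    completed: date | None      # None = still in progress


# Constructed sample inventory (fictitious vendors and dates).
VENDORS = [
    Vendor("CRM Cloud", "high", "critical", frozenset({"PII", "customer"}),
           frozenset({"CRM"}), date(2016, 11, 1)),
    Vendor("Ad Analytics", "low", "low", frozenset({"marketing"}),
           frozenset({"CRM"}), date(2017, 8, 1)),
    Vendor("Support Desk", "high", "important", frozenset({"PII"}),
           frozenset({"CRM", "SSO"}), date(2017, 6, 15)),
    Vendor("Payment Gateway", "high", "critical", frozenset({"PCI"}),
           frozenset({"Billing"}), None),
    Vendor("Email Marketing", "medium", "low", frozenset({"PII", "marketing"}),
           frozenset({"CRM"}), date(2016, 12, 1)),
    Vendor("Data Warehouse", "high", "important", frozenset({"PII"}),
           frozenset({"CRM", "ERP"}), None),
]

# Constructed questionnaire log for the same vendors.
QUESTIONNAIRES = [
    Questionnaire("CRM Cloud", date(2016, 10, 15), date(2016, 11, 1)),
    Questionnaire("Support Desk", date(2017, 6, 1), date(2017, 6, 15)),
    Questionnaire("Ad Analytics", date(2017, 7, 20), date(2017, 8, 1)),
    Questionnaire("Payment Gateway", date(2017, 8, 20), None),
    Questionnaire("Data Warehouse", date(2017, 9, 1), None),
]


def vendors_by_risk_level(vendors):
    """Report #1: vendor names grouped by inherent risk, highest risk first."""
    groups = defaultdict(list)
    for v in sorted(vendors, key=lambda v: (RISK_RANK[v.inherent_risk], v.name)):
        groups[v.inherent_risk].append(v.name)
    return dict(groups)


def assessment_analytics(questionnaires, as_of, window_days=90, overdue_after_days=14):
    """Report #2: sent/completed/in-progress counts, turnaround, and stalled questionnaires."""
    completed = [q for q in questionnaires if q.completed is not None]
    in_progress = [q for q in questionnaires if q.completed is None]
    turnarounds = [(q.completed - q.sent).days for q in completed]
    window_start = as_of - timedelta(days=window_days)
    return {
        "sent": len(questionnaires),
        "completed": len(completed),
        "in_progress": len(in_progress),
        "completed_in_window": sum(1 for q in completed if q.completed >= window_start),
        "avg_turnaround_days": round(sum(turnarounds) / len(turnarounds), 1) if turnarounds else None,
        # Outstanding questionnaires older than the assumed follow-up threshold.
        "overdue": sorted(q.vendor for q in in_progress
                          if (as_of - q.sent).days > overdue_after_days),
    }


def cross_filter(vendors, as_of, risk=None, criticality=None, stale_after_days=None,
                 integration=None, data_type=None):
    """Reports #1/#3 and the cross-filter: every condition given is applied in one pass.

    A vendor that was never assessed is treated as stale for any age threshold,
    so it cannot hide from a "not assessed in N days" filter.
    """
    out = []
    for v in vendors:
        if risk and v.inherent_risk != risk:
            continue
        if criticality and v.criticality != criticality:
            continue
        if stale_after_days is not None and v.last_assessed is not None:
            if (as_of - v.last_assessed).days <= stale_after_days:
                continue  # assessed recently enough; not stale
        if integration and integration not in v.integrations:
            continue
        if data_type and data_type not in v.data_types:
            continue
        out.append(v.name)
    return sorted(out)


if __name__ == "__main__":
    print(vendors_by_risk_level(VENDORS))
    print(assessment_analytics(QUESTIONNAIRES, AS_OF))
    # The article's cross-filter: high risk, not assessed in ~9 months, integrates with CRM, handles PII.
    print(cross_filter(VENDORS, AS_OF, risk="high", stale_after_days=270,
                       integration="CRM", data_type="PII"))
```

Run as written, the cross-filter returns the two high-risk CRM-integrated PII vendors that are stale: one whose last assessment is older than the threshold and one that was never assessed. The never-assessed case is the one worth checking in any real reporting tool, since a naive "last assessment date before X" filter silently drops vendors with no assessment date at all.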

Ready to Learn More?

Check out our resources below for more third party vendor best practices and insights on how your organization can effectively approach security assessments.


Why Third Party Security is Critically Important

Request a Live Demo with a Whistic Product Specialist
