4 Important Vendor Assessment Best Practices

October 14, 2017

When it comes to evaluating new vendors, it can be challenging to know how best to communicate the requirements of your vendor assessment process and ultimately select the right partner to help your business move forward — while at the same time avoiding the risk of a third-party security incident. After all, 63% of data breaches are linked to third parties in some way. In fact, just today we all learned about how an Equifax vendor was serving up malicious code on their website in a newly discovered security incident.

The Whistic team has done thorough research on what a good vendor assessment process looks like and how to keep your organization safe from third party security threats. In the following article, we’ll outline a few of these best practices that your organization can follow in order to improve your chances of a successful vendor review. Of course, there will still be situations that you must address in which a vendor is either not prepared to respond to your request or isn’t willing to comply with your process. However, we’ll share some tips for how to best respond to these situations, too.

But before we get started, keep these 3 keys in mind:

  1. Time Your Assessments: The timing of the assessment will be the single greatest leverage you have in getting a vendor to respond. Keep in mind that aligning your review with a new purchase or contract renewal is key.
  2. Alert the Vendor ASAP: The sooner a vendor is aware of a review the better. Plan ahead and engage early and get executive buy-in from your team to hold vendors accountable to your policy. If your business units understand that you have a policy requirement to review every new vendor, they can help set expectations during the procurement process and eliminate last-minute reviews.
  3. Don’t Overwhelm Your Vendors: Unnecessary questions or requests for irrelevant documentation can slow the process down significantly. Be sure to revisit your questionnaire periodically and identify new ways to customize questions based on vendor feedback. After conducting several security reviews, you may find ways to improve the experience for both parties.

1. Personalize the Communication

At Whistic, we’ve had a front row seat to the security review processes of companies all across the world and a wide range of use cases. We’ve seen firsthand how much of a difference personalized communication can make in creating a more seamless process for all involved, especially third party vendors who are or hope to be trusted partners to your business.

With this in mind, we strongly recommend sending a personalized email to each vendor when initiating a new questionnaire request to supplement the email communication that they will receive from any software you utilize. This can help alleviate concerns the vendor may have about the assessment process and should help to improve turnaround times on completed questionnaires. Even with the automated communication support from a third party security platform like Whistic, the best motivator for your vendor to complete your request may be a friendly reminder from you or the buyer that the sales process is on hold until they complete the assessment.

At Whistic, we feel so strongly about this that our platform helps pre-populate email templates for our customers to utilize when engaging with vendor contacts during the assessment process.

2. Deliver Expectations Early

Assuming that your vendor already understands that you are going to need to complete a security review on them, the best time to help them understand your expectations is either right before or right after you initiate a request via your third party security platform.

When doing so, keep the following in mind as you have a phone call or draft an email to your vendor to introduce the vendor assessment request:

Set The Stage:

Let your vendor know about the third party security platform that your organization uses and that it is the required method for completing your security review process.

Give Clear Direction:

Specify a clear deadline and any specific instructions for completing the entire security review — not just the questionnaire.

Provide Resources:

Provide information for the best point of contact who can answer questions they may have throughout the process. It’s also a good idea to let them know that your third party security platform may reach out if they aren’t making progress on their vendor assessment. This is a service Whistic offers to its customers to help improve response times.

3. Utilize an Email Template

Whether you use a customized template created by your team or a predefined template (such as the one Whistic provides to its customers), it’s worth spending a few minutes upfront to standardize the communication process. This will save you time in the long-run and allow you to deliver a consistent message to each of your vendors.

While you may want to customize or create your own template that best reflects your brand’s voice, here’s an example email template that’s available within the Whistic platform:

4. Respond to Vendor Concerns

It isn’t uncommon for vendors, particularly account executives, to try and deflect a security review, as they know it has the potential to delay the sales/renewal process. They may also have questions about sharing information through a third party security platform as opposed to emailing that information to you. We know from experience how frustrating this can be for all involved, so below are two tips for handling pushback:

  • Preparation: If you are getting repeated pushback from vendors, review the “Keys to Success” outlined at the beginning of this article and explore additional ways to adopt those best practices.
  • Complexity, Relevance, and Length: These items can be among the reasons why vendors complain about your security review process. Periodically revisit your questionnaire and consider adding filter logic to limit the number of questions asked of each vendor, or to make the question sets more relevant to the vendor that is responding.

Ready to Learn More?

Check out our resources below for more third party vendor best practices and insights on how your organization can effectively approach security assessments.

eBooks:

Why Third Party Security is Critically Important

Product Demo:

Request a Live Demo with a Whistic Product Specialist


About the author

Whistic

The latest insights and updates on information security and third party risk management.
