In our third-annual “State of Vendor Security” survey of more than 500 InfoSec professionals, 77% of respondents that experienced a data breach reported that the breach was caused by a compromised vendor.
We don’t really want to contribute more to the parade of terrifying statistics out there, but we’re sharing this tidbit because it illustrates an important point: you can’t fight back against cyber threats unless you’ve prepared a top-notch third-party risk management (TPRM) plan.
In a previous post, we shared our step-by-step approach to building an excellent TPRM program. Today, we’re going to take a closer look at the first two steps of creating vendor profiles and vendor inventory. We’ll dive deep into what they are, why they’re so important, the challenges to getting them right, and how to overcome them.
What are vendor profiles and third-party inventories?
Quite simply, a vendor profile is a detailed, consolidated list of everything you might ever want or need to know about a vendor. Your vendor inventory is a complete list of every third party your organization is working with.
While they are each distinct elements of a thorough TPRM plan, profiles and inventory are very closely related, and your inventory system can be the same system for capturing profile information (and should be—but more on that in a minute).
So, what makes for an excellent vendor profile? We recommend five “must-have” pieces of information:
- Vendor contact lists — who should you speak with if there’s ever an issue?
- Exactly which products and services are associated with each vendor
- Internal systems these products have access to
- Data volume — how much data are you sharing with this vendor?
- Data classification — what kinds of data are you sharing with this vendor?
These five elements are critical because they help your organization understand the appropriate level of risk to assign to each third party. This, in turn, helps you properly allocate the right resources to managing that risk. In addition to these essential data points, your vendor profiles may include:
- Any regulatory requirements impacted by the vendor and any tools or services they offer to support compliance
- Contract details, including contract length, dollars spent, or renewal terms
- Any other unique details that apply to your specific vendor relationships
Why are vendor profiles and inventory so important?
The short answer is that they provide the core building blocks for the rest of your TPRM program, allowing it to function at the highest possible level. And a great TPRM plan allows the business to make strategic investments by identifying and mitigating potential risk.
But let’s get more specific about the role of vendor profiles and inventory. Here’s where they fit in:
- Your business commits to avoiding unnecessary risks
- To avoid them, you need to conduct thorough assessments of all your vendors and classify their risk levels
- To ensure that such an assessment is possible, you need a comprehensive list of your vendors (an inventory), and you need information to help you accurately categorize them (the info in their profile)
In other words, vendor profiles and inventories provide the rubric for classifying risk consistently and repeatedly, so you can better understand both intrinsic and relative risk across your third-party ecosystem — and make business investments with greater trust and confidence. Companies that get it right can also increase transparency and scale their programs more easily.
Things to avoid when building vendor profiles and inventory
In spite of their importance, many companies struggle when it comes to creating comprehensive vendor/third-party profiles and inventories. There are lots of reasons this may be the case, but here are some of the most common:
Lack of visibility—Very often, organizations simply don’t have a complete, accurate vendor list. This can be a result of siloed business units that don’t communicate clearly or share a single system of record. Shadow IT also remains a problem, and in fact is made worse by the proliferation of cloud-based, out-of-the-box SaaS solutions that make it easy to add software without IT’s support.
What happens when IT or InfoSec has poor visibility? You take on greater risk. Even if the organization has a sound vendor assessment solution in place, if these teams are the last to know about a new vendor or technology, then it’s too late to mitigate risk.
Slow, manual processes—Spreadsheets end up as the default “system” for managing vendor information. That means lots of manual entry, manual reporting, and long chains of communication before any centralization or utilization can take place. This slows down vendor intake and increases the likelihood of human error.
Diffuse, redundant vendor onboarding—Different business units may own one portion of the vendor onboarding process, and each of these business units is likely to only collect information that is relevant to them. For example, Procurement may be interested in contract info; IT may only be concerned with risk and compliance; and Finance may only be concerned with payment terms. When this happens, a vendor must go through an arduous, time-consuming onboarding, and the collected data may STILL end up in pieces, scattered across disparate systems.
Overcoming vendor management roadblocks
Here are a few simple steps your organization can take to avoid the pitfalls of vendor inventory management:
Create a single system of record—All vendor profiles and inventory information should be collected in a single place with controlled access, so InfoSec can maintain greater visibility, reduce the number of “owners” in the vendor onboarding process, and make it simple to organize vendors by risk type.
Consider a dedicated third-party risk management solution as your single source of truth for vendor profiles. Not only will proper documentation be consolidated in a single location, but many TPRM platforms also allow you to automate tasks, so you save huge amounts of time.
Leverage existing processes—There will likely be an element of change management necessary to address your TPRM pain points. To make this transition easier, look for opportunities to tweak existing processes rather than create new ones right away. For example, if Procurement is the first step in vendor onboarding, ask them to capture all the data you need to assess risk, rather than only the data they need.
Create a single vendor intake process—Remember those five “must-haves” for every vendor profile that we mentioned above? Make those the consistent requirements for vendor intake: if anyone in your organization wants to add a third-party solution to your environment, require that they consistently collect the same kinds of information every time.
Easier said than done, right? Well, if your single system of record is a holistic TPRM solution, you can create controls for vendor onboarding to increase consistency. The right platform will also leverage APIs and integrations with the tools you use most — like Slack or Salesforce—so business units can collect data in their systems of choice and send it automatically to your single source of truth.
Bonus Benefit! A single vendor intake process also helps drive the ownership of vendor management toward the business units that actually use the software and maintain the third-party relationships. What this essentially means is that the business is taking ownership of risk, making them more likely to adhere to policies and practice good security hygiene.
This is huge for InfoSec teams, because it greatly increases the odds that they will be able to conduct a thorough vendor security assessment before the tool is in your environment. Taking the value chain even further, this in turn ensures that InfoSec can properly gauge risk and dedicate the right resources to mitigation — rather than facing a risk when it’s too late.
Whistic’s complete TPRM solution tackles the biggest vendor inventory challenges
The Whistic Platform makes it simple to create a centralized system of record for your vendor profiles and inventory. That’s because our flexible solution allows you to create one streamlined intake process, so you can:
- Increase visibility into your vendor landscape to identify and reduce risk
- Eliminate redundancies that come from siloed vendor management
- Automate the vendor management process and say goodbye to spreadsheets
- Help business units share ownership over vendor management so InfoSec can focus on risk
- Create seamless vendor intake with APIs and integrations with tools you already use—like Salesforce and Slack
Whistic also supports the business processes and best practices that go hand-in-hand with software solutions, so you can build the right foundations for a sustainable TPRM program and get to real value faster.
If this holistic approach sounds like a good fit for your organization, we’d love to show you how it works. Contact our team and schedule your hassle-free demo today!