How SIG and Other Standards Improve Third-Party Risk Outcomes
With more vendors to assess than ever before (in 2024, the number of vendors you work with can range well into the hundreds), effective third-party risk management (TPRM) can require a huge commitment of time and resources. If you or your TPRM team is also responsible for a host of other risk-management or security responsibilities, the assessment burden can quickly get out of control.
There are a number of steps you can take to ease the burden of vendor security assessments, but today, we are going to focus on the use of standardized frameworks to accelerate the process. To guide us, we’ll be using the example of the Standardized Information Gathering (SIG) questionnaire. Using SIG as a reference point, we’ll tackle what exactly standards are, why they are so useful, and how to get the most out of them.
What are standardized frameworks like the SIG questionnaire?
Simply put, standard frameworks are tools that allow you to more easily apply a consistent rubric to the assessment of third-party risk. These frameworks typically come in the form of a questionnaire your vendors fill out to share their security posture.
The SIG questionnaire was developed by Shared Assessments, a collaborative initiative that improves TPRM by providing risk leaders with educational opportunities, resources, and a forum to connect with peers.
SIG is a representative example of the value that can be found in standard frameworks. While your business will likely have a handful of very specific risk factors that don't apply to other industries, SIG and frameworks like it provide guidance on a wide range of risk types, making them flexible and broadly applicable. SIG covers 19 risk domains, including:
- Cybersecurity
- Data privacy
- Regulatory compliance
- Operational resilience
- Business continuity
- Disaster recovery planning
- Overall third-party management
SIG also provides organizations with the flexibility to scale up or down depending on the risk levels of the vendors they are working with by offering two varieties:
- SIG Lite
SIG Lite is a simplified version designed for vendors with a lower risk profile. It covers the most critical risk domains but with fewer questions. This version is ideal for organizations looking to quickly assess vendors that don’t have access to sensitive data or aren’t integral to critical business operations.
- SIG Core
The SIG Core is the full version of the questionnaire, containing a more extensive set of questions across all risk domains. This version is recommended for high-risk vendors, such as those that handle sensitive data or manage mission-critical systems. The SIG Core provides a deeper assessment of a vendor’s risk, offering more granular insights into their security practices and vulnerabilities.
Now that we have a clearer picture of what SIG and other standards are, let’s dig deeper into how your organization can use them to streamline the TPRM process.
Why are standards like SIG helpful in TPRM and vendor security assessments?
Third-party risk management is an ever-evolving discipline. Whenever new technologies, competitors, market segments, and products introduce change for your organization or industry, your risk profile changes, too. This can happen for a number of reasons, including:
- A strategic shift that requires different types of vendors
- A shift in customer demographics that changes your data sources and data types
- Mergers, acquisitions, or divestitures that upend your IT infrastructure
- Changes to regulatory compliance requirements
These kinds of changes affect your risk tolerance and exposure, making it even more critical that your TPRM program is robust enough to keep pace (and keep your business secure).
Standards like SIG make it possible to adapt to changes to your risk profile in four important ways:
1. Consistency
As businesses increase their reliance on vendors, third-party risk management has grown more complex. Yet many companies still use different questionnaires and methods to collect security information from their vendors. Not only does this add to the complexity, it also leads to fragmented risk data that exists in different forms and across different systems, making it nearly impossible to compare and properly rank risks.
Standards like SIG make it possible to measure risk consistently across your vendor landscape; they allow you to truly know the difference between a high-risk vendor and a low- or medium-risk vendor. This means you can more accurately and effectively allocate the right resources to monitoring and risk mitigation.
2. Comprehensive coverage
Selecting the right standard for your business or industry makes it possible to cover a wide range of risks, so you can have greater confidence that no critical risk factors are overlooked as part of the vendor assessment process. Wide-ranging standards like SIG also reduce the need for customization, which leads to…
3. Time savings and efficiency
You may have legitimate business reasons to customize your vendor security assessments (we’ll discuss this more in a minute). But customization increases the likelihood of lengthy back-and-forth with your vendors—and we see that increasingly, vendors are beginning to ignore custom questionnaires entirely. Even if standards like SIG are only one part of your assessment process, they will reduce the amount of custom questions you need to include and streamline things for you and your vendors.
Standards also improve the quality of your reporting and TPRM metrics because they give you a common baseline across all vendors and vendor types. This makes it easier to judge the improvement and the maturity of your TPRM program.
4. Increased vendor engagement
Standards don’t just increase the efficiency of your own team. Standards make it simpler for vendors to respond to your assessment requests because they’ve likely responded to similar (or even identical) questionnaires in the past. They may have already gathered the information needed to respond.
But it’s not just about increasing the speed of the process. In a recent survey of 500 security leaders, we found that the vast majority (more than 90%) would assess more of their vendors in greater depth, but they can’t because of resource constraints. That means that instead, they are simply taking on more risk. By making the process simpler and thereby improving vendor engagement, standards like SIG actually improve security and risk outcomes (which is kind of the whole point).
How do I use SIG and other standard questionnaires?
The short answer is that you can utilize standards like SIG whenever you need to assess your vendors, but that’s not super helpful, is it? Okay, okay…our only point was that they can be used during any kind of assessment, but let’s go a bit deeper. Standards can make up the entirety of your assessment process, or supplement it, whenever you:
Select a vendor
This is the most obvious use case. Not only can SIG and other standards be a convenient assessment tool, they can also be a useful selection tool before you’ve even engaged a new vendor. These standards can help frame your security needs clearly, so you can comparison shop based on security requirements. This won’t replace the full security assessment, but it will help eliminate obvious risks in advance to save you time later. Online marketplaces like G2 often provide an overview of security posture or links to company trust centers to make this easier.
Once you’ve selected a few vendors to explore in more detail, we recommend using standards as early in the process as possible. You don’t want to get a deal to the finish line, only to delay things based on an incomplete or high-risk assessment.
Experience a change in security requirements
We touched on this a bit earlier, but there are any number of reasons your security posture or needs may evolve over time: new regulation, the emergence of new kinds of cyber threats, or the introduction of a new customer segment to your business. These same factors can impact your vendors, too. Any time such changes take place, it’s appropriate to reassess your vendors, and standards can help ensure this is a seamless process.
Regularly reassess vendors
Even if your security requirements stay the same, you’ll need to develop a regular reassessment cadence for all of your vendors to verify there have been no changes. This is especially important for higher-risk vendors (the initial assessment, particularly one built on a standard, makes these easy to identify), and you’ll likely choose to reassess such vendors more often than your lower-risk vendors.
Experience a breach or security incident
In the last year, 88% of companies that experienced a breach traced the source of the incident to a third party. Standard questionnaires can be helpful in your incident response if a vendor failure leads to a breach. SIG can help you identify the controls that were lacking and help you to prevent similar incidents from happening in the future.
How to implement standard questionnaires in your organization
Here are a few steps you and your TPRM team can take to get the most out of standard questionnaires like SIG:
1. Customize for your needs
Now, hear us out: we know we talked about how quick and easy standards alone make the assessment process, and how they reduce the need to customize. And we stand by that!
But! Your business may have specific security requirements or regulatory needs that fall outside the purview of a framework like SIG. So, while SIG alone covers a lot of ground to save you and your vendors time and headaches, it’s also useful as a building block for your customization. The idea here is to create a more formalized, repeatable process that meets ALL of your TPRM needs. The adaptability of standards is just another feather in their cap.
2. Train your teams
Make sure your TPRM team is familiar with the framework or standard you choose, including how it is used to rank vendor risks, how to interpret the findings, and how it aligns with your overall risk management or cybersecurity strategy.
Whenever you adopt or introduce a new standard, it’s also an opportunity to re-engage stakeholders in the overall TPRM process. Vendor assessments may involve several business functions, such as Procurement, IT, InfoSec, and Privacy. As your program scales with your vendor pool, you may choose to create a more permanent TPRM Governance team that meets regularly and measures progress.
Lastly, many organizations find it helpful to revisit their vendor onboarding and selection processes whenever they introduce a new standard or questionnaire.
3. Communicate clearly with vendors
Be transparent with your vendors about why you’re using the questionnaire and how it will benefit both parties. Vendors are more likely to cooperate and provide thorough responses when they understand the purpose behind the assessment.
4. Integrate with other risk management tools
Standards like SIG fit within the context of a broader organizational risk-management strategy, and there are many ways to integrate TPRM more seamlessly into other workflows and processes. One way to do this is to incorporate a TPRM or governance/risk/compliance (GRC) solution to help automate some of the process, including the sending and receiving of standard questionnaires.
The Whistic Platform gives customers and users free access to a growing library of more than 40 standard frameworks and questionnaires, including the most commonly used like SIG, ISO, CAIQ, and HECVAT. We also update our library with customized assessment tools whenever there is a software- or industry-wide security incident (like the recent CrowdStrike event). This saves our customers time and money while also keeping them more secure.
Whistic combines standards with industry-leading AI capabilities to fully automate the assessment process—regardless of whether you use a standard questionnaire or a customized one. You can learn more about how Whistic automates assessments by taking a closer look at our Assessment Copilot Suite.
If you’d like to take a deeper dive into our full platform, we’d love to connect for a hassle-free demo and show you the ropes. Reach out today to schedule yours!