Skip to content

How to improve the efficiency of your vendor assessment program without increasing costs

Whistic - Risk Recon

Despite how important vendor assessments are in helping to prevent future data breaches, the investment in technology hasn’t always been commensurate. Fortunately, recent research from Whistic and RiskRecon shows that spending on cyber risk and vendor security is increasing, as 60% of survey respondents said they have incorporated more technology into their process. The end result is more mature programs that are ready to attack cyber threats head on.

Up until recently, most vendor assessment programs were managed with spreadsheets and emails. Keeping track of the security posture of all the vendors a company used was a near impossible task using those remedial tools. The end result was slow buying cycles and iffy security.

Luckily, there are a number of tools available (Whistic included) that simplify and streamline the vendor assessment process through automation. Below are some ways to incorporate technology into your program to improve the speed and efficiency of your program.

Vendor intake and automated risk scoring

The first step in the vendor assessment process can be one of the hardest if not done right. When adding a new vendor, it’s critical that you gather all of the information up front. Doing so will help the InfoSec team determine the inherent risk associated with vendors before initiating a formal security review.

One of the best ways to accelerate the vendor intake process is putting the onus on the requestor to gather all the information needed via a vendor intake form. This eliminates the need for the InfoSec team to go on a wild goose chase tracking down what is needed to initiate the process. A good vendor intake tool will automatically notify the InfoSec team once the form is submitted and assign an initial risk score based on the answers provided. The risk score will evaluate a number of different criteria, including software patching, application security, web encryption and determine system risk value based on system sensitivity and data at risk.

Security ratings tools are a great way to quickly measure and assess how good or how poor the cyber hygiene of a given organization is. In fact, many cyber risk scoring tools can legally scan an organization’s cyber posture without any additional permissions or input from an organization—often rendering easy to understand A – F or 1 to 10 scoring metrics in a matter of minutes (RiskRecon included).


Read The Modernization of Cybersecurity

In this joint research report, discover the key trends in cyber risk management and vendor assessments—using responses from 500 cybersecurity and third-party risk practitioners.

Read Now

Automated follow-up

Once the security review is initiated, you need to ensure that vendors are responding in a timely manner. With everything an InfoSec practitioner already has on their plate, it can be difficult to stay on top of the status of each vendor assessment in the queue, especially when you consider they are assessing more than 14 vendors per month on average. However, when a company implements a vendor assessment tool to manage the process, the status of each assessment is easily monitored and when vendors have stalled on completing a questionnaire, the tool will automatically send out a reminder to nudge them to the finish line.

Conducting zero-touch assessments

Another way to accelerate the vendor assessment process is by accessing previously completed questionnaires that have either been published to a vendor’s website or a directory like the CSA STAR Registry or the Whistic Trust Catalog. When done right, an on-demand security profile provides you with everything you need to conduct an assessment, including completed standard questionnaires and frameworks and other relevant security documentation without having to engage in a lengthy back and forth with the vendor just to collect the information.

Automated reassessment

Finally, to ensure you have up-to-date information about a vendor’s security posture, it’s important to conduct reassessments on a regular basis. Depending on the riskiness of the vendor this could be as often as every six months or as infrequent as every other year. To ensure you never miss a reassessment, it’s important that whatever tool you implement allows you to set the time frame for reassessment and have the requests sent out automatically.

Learn more

To learn more about trends that are impacting cyber risk and vendor security management download our report, The Modernization of Cybersecurity, or if you want to learn how Whistic can streamline your vendor assessment process, request a demo today.

Vendor Assessments