3 Key Takeaways from the 2023 Vendor Security Report

State of Vendor Security

When it comes to survey findings, it’s best to start with a statistic:

Of all the respondents to Whistic’s 2023 State of Vendor Security Report who experienced a data breach in the last year, 77% attribute the breach to a compromised vendor. This is a dramatic figure for two critical reasons. First, it vividly underscores the importance of third-party risk management. Second, it proves that vendor security is a shared risk; it’s an ecosystem problem that requires an ecosystem to solve.

The necessity of strong partnerships between vendors and customers is the biggest reason that Whistic conducts our annual survey of cyber and InfoSec professionals—to share challenges, benchmark against peers, and identify opportunities related to vendor security.

The 2023 report includes insights from:

  • 524 cybersecurity and InfoSec respondents at the manager, director, or C level; 22% come from the C-suite
  • 21 unique industries
  • Companies ranging in size from 500 to 5000 employees

The majority of respondents (60%) also have direct responsibility for vendor assessments. Their responses cover a wide range of issues for vendor-risk leaders, but some consistent themes did emerge. Let’s take a closer look at three key takeaways.

1. There is room for greater efficiency in the vendor assessment process

More than 50% of the companies surveyed report spending at least 20 hours a week on vendor assessments; a third of all companies spend more than 30 hours every week. The bulk of this time is dedicated to tracking down vendor information to prepare for assessment.

These findings suggest there is an enormous appetite for on-demand security documentation that can be shared proactively. By leveraging standardized questionnaires in an easily shareable form, organizations don’t have to reinvent the wheel for every assessment—buyers can quickly access the information they need to evaluate security posture, while vendors can accelerate the sales cycle.

And the opportunity for time savings is substantial. Of all respondents, 66% report they could save at least 11 hours every month if pre-completed, standardized questionnaires were made publicly available, while 22% say they could save 2-3 business days if assessments could be done proactively.

2. Vendor risk management can deliver more bang for the buck

In their most recent security survey, S&P Global Market Intelligence found that 93% of organizations will increase their spending on cybersecurity by 29% this year. That’s 3% more than last year’s budget increase.

No one questions the importance of cybersecurity, but CISOs understand that spending cannot go up forever. Already, we’ve seen budgets begin to tighten for other necessary “cost centers” in the business, like Legal. Whistic’s report finds that vendor assessment may be an area to target when it comes to cost savings, without sacrificing good security hygiene.

Our findings show that the average company dedicates four to six individuals to vendor assessments alone, while 75% of organizations involve multiple teams in the process. This resource allocation is necessary because of the sheer volume of assessments most vendors and buyers are asked to complete. Previous Whistic studies suggest that companies spend as much as $3500 more per month on assessments than they would if such information were shared proactively. That’s headcount and budget that could go to strengthening other aspects of your security program.

And dedicated teams are only one related expense. Outsourcing takes a huge bite out of the budget, with 63% of companies outsourcing some or all of their assessments. By reducing the time and resources devoted to questionnaires, companies can more effectively allocate their talent and budget to other areas of risk.

3. Transparency is a differentiator

Ultimately, strong vendor assessment is about building and validating trust. We all rely on our vendors, and many of us are vendors ourselves. By proactively sharing information about their security posture with the marketplace, organizations not only cut time and reduce costs, but also increase transparency.

Businesses that share their security documentation proactively send a clear message about their commitment to being a trusted partner. They signal they have nothing to hide and they take the security of their partners seriously. They also know the value of efficiency and speed in the evaluation and sales cycles.

Our 2023 report shows that over and over, businesses are willing to do whatever it takes to get to trust in their vendor security. Moving forward, winning organizations will get there faster and with greater transparency than their competitors.

Save time, reduce risk, and build trust faster in the vendor assessment process with Whistic

At Whistic, we’ve built a network of vendors 35,000 strong—and growing. The Whistic Network allows buyers and sellers to assess, publish, and share their security posture proactively. With Whistic, you can:

  • Automate processes, cut response times, and stay connected to vendors
  • Fill out your security assessment questionnaire once, not over and over
  • Instantly view security documentation for thousands of vendors through the Whistic Trust Catalog

If the takeaways we’ve shared resonate with you, let Whistic help you shift your approach to vendor risk management. And be sure to download the full 2023 State of Vendor Security Report HERE!