Getting to Know the Vendor Security Ecosystem

August 31, 2021

Whether you’re a buyer or a seller, the number one goal of any vendor assessment program is to help prevent data breaches before they happen. But because every business is different and has different security requirements, there’s no consensus on how to achieve that goal. Fortunately, the ecosystem we all operate in is fairly similar across the board.

To make sure you have a clear understanding of all the key players in the vendor security ecosystem, we’ve outlined each of them and where they fit.


Enterprises (i.e. the buyer)

First up is the enterprise or the buyer. There are a number of teams on the buying side that are impacted by the vendor security assessment process, including InfoSec, procurement, and the business sponsor. 

Many of the teams responsible for identifying potential vendors, assigning inherent risk, assessing the vendor, and offering up a remediation plan are small. So when they were inundated with a massive influx of new vendors in the wake of COVID-19, they had a hard time keeping up.

The main goal of the enterprise buyer is to provide the business access to the solutions and services they need to succeed, while also keeping risk at manageable levels.


Vendors (i.e. the seller)

Next is the vendor being assessed. This group consists of the InfoSec team responsible for responding to questionnaire requests from the buyer as well as the sales team that is looking to close deals as quickly as possible, but whose deals might be slowed down by an inefficient questionnaire response process. Both sales and InfoSec teams are dealing with a lot of pressure around the vendor security assessment process. 

For the sales teams, their livelihood depends on meeting quota and every deal matters, so if one deal pushes out to the next quarter because it took too long to respond to a questionnaire or if a security review kills a deal altogether, it could be the difference of making quota or being placed on a performance improvement plan. 

InfoSec teams are often subject to the whims of the enterprises they are selling to, many of which use custom questionnaires that take longer to respond to because they are unknown quantities, as opposed to standard questionnaires. And because these teams are small, it can be difficult to keep up with all of the questionnaire requests that come across their desks each day.


Vendor assessment providers

Vendor assessment providers help both buyers and sellers streamline and automate many of the processes involved in responding to security questionnaires and assessing vendors. Buyers use these systems to manage the assessment process and ensure the third parties they bring into their environment have the proper security controls in place to protect customer data. Sellers, meanwhile, use these solutions to build and share security profiles that contain completed questionnaires and other relevant information their customers might need.



Data Exchanges

Data exchanges, like Whistic, CyberGRX, or TruSight, offer solutions that enable the re-use of data, questionnaires, vendor responses, documentation, and assessment validation. These exchanges gather information from primary and secondary sources and make it easier for InfoSec teams to make decisions about the potential risks a vendor might pose to their environment.

While there is a lot of good information contained in data exchanges, they may not provide all of the information needed to make an informed decision, so before deciding how to incorporate data exchanges into your vendor security strategy, be sure to do your due diligence. For example, some exchanges are buyer-driven and others are seller-driven. In a seller-driven exchange, the vendor has more control over what is shared and can present a more accurate picture of its security posture than an exchange that contains only data aggregated from third-party sources.


Industry Associations

Industry associations are content providers like Shared Assessments, Vendor Security Alliance, Cloud Security Alliance, and the Center for Internet Security that develop standardized frameworks enterprises can use to assess their vendors.

While you might find that one standardized questionnaire is enough to meet your security needs, they typically aren’t one-size-fits-all, so we recommend using a combination of two or more questionnaires to ensure you have enough coverage.


Service providers and consultants

This group includes professional service providers like EY, PwC, Deloitte, and KPMG, as well as boutique consulting firms that help businesses stand up third-party vendor risk management programs, improve information security systems, or even respond to security questionnaires on your behalf. Consultants can be as involved as you want them to be. For example, if you lack the necessary experience or if your team is understaffed, a consultant can help you put the right frameworks in place and provide support for both responding to questionnaires and assessing vendors.


Security Rating Services

Security rating services like Bitsight, RiskRecon, and SecurityScorecard provide risk and security intelligence to enterprises assessing the security posture of potential vendors. But these services don’t just help you make that initial decision; they help you monitor risk continuously throughout the entire vendor relationship.


How Whistic can help

Whistic is the best way to assess, publish, and share vendor security information. Automate vendor assessments, share security documentation, and create trusted connections—all from the Whistic Vendor Security Network. To learn more about how to build a vendor security process that helps your sales teams close deals faster, check out our latest ebook.
