How advancements in technology are impacting vendor assessment and risk management

July 12, 2022

For most of its history, vendor assessment, and the cyber risk it uncovered, was tracked and managed in spreadsheets. Before the explosion of cloud computing and SaaS, when most applications were managed on-premises, that was sufficient.

In recent years, however, as a growing share of the applications businesses run on came to be hosted by third parties, this old-fashioned approach needed an upgrade. Even so, change was slow right up until it wasn’t. The rise of cloud-based applications brought with it a significant increase in security incidents that originated at third parties. In the 2022 State of Vendor Security, Whistic found that nearly half of businesses had experienced a data breach in the previous three years, and of those, 80% said the breach was caused by a third-party vendor.

Against this backdrop, Whistic teamed up with RiskRecon to survey infosec and cybersecurity professionals about how they are incorporating technology into their programs. We surveyed more than 500 practitioners, spanning managers (30%), directors (28%), and executives (42%), working primarily at small, medium, and enterprise businesses, with a small sampling of startups. Below are some highlights from the research.


Companies placing more emphasis on cybersecurity technology 

As noted above, cyber threats aren’t going away anytime soon, so companies are investing more in technology to combat them. Our research found that 60% of respondents have incorporated more technology into their cybersecurity processes in the past five years, and 80% have a cyber risk monitoring program in place.

In addition, the growing threat landscape has accelerated the maturity of cyber risk and vendor security programs: a mature program is no longer a nice-to-have but a necessity. To wit, 64% of respondents described their program as either advanced or mature. Digging deeper into the data, the size and maturity of the business has a significant effect on the maturity of its cyber risk and vendor security program.

For example, 66% of enterprise-level companies described their programs as advanced, while just 8% said their programs were at an early stage. Contrast that with startups, where just 6% have advanced-stage programs and 64% have early-stage or non-existent programs.




Concern over cybersecurity reaches the highest levels of the organization

When a third-party security incident occurs, the impact cascades across the entire organization: from the cybersecurity team tasked with remediating it, to the marketing and PR teams that have to deal with the damage to the brand, to the customer success teams responsible for easing concerns over compromised data, to operations, which has to allocate budget and resources to address the issue.

Because of these far-reaching effects, the status of cyber risk and vendor security programs is on the radar of executive leadership at most organizations. Our research shows that 71% of respondents report program metrics to internal leadership outside the security function. An interesting finding from the survey is that priorities differ between executive leaders and security practitioners.


Executive ranking of program success metrics

  1. Accuracy of findings
  2. Program cost
  3. Remediation of issues


Security practitioners ranking of program success metrics

  1. Accuracy of findings
  2. Security and legal compliance
  3. Vendor assessment completions


Both groups put accuracy of findings at the top of their rankings. Beyond that, executives focus on the bottom line: keeping program cost under control and getting incidents remediated in a timely manner. Practitioners in the weeds, on the other hand, focus on assessment throughput and on ensuring the business is secure and compliant with applicable laws and regulations.


Trust but verify is still a staple 

Because accuracy of findings matters so much, it should be no surprise that third-party validation of questionnaire responses is common practice: 61% of respondents use a third-party validation tool to check accuracy. In addition, 43% of respondents have started using risk scoring to evaluate vendors within the last five years. That is true even though 53% of respondents say they trust the information their vendors provide in questionnaires.


Learn more

The entire joint research report with RiskRecon, The Modernization of Cybersecurity: How technology is changing the way businesses view vendor assessment and cybersecurity, is available from Whistic, as is a demo of how implementing Whistic with RiskRecon can improve your vendor security and cyber risk programs.
