How Many Vendors Do You Really Have?

August 21, 2018

Attention InfoSec and IT teams: take a minute and think through the vendors that your company utilizes. You’re probably rattling off the obvious vendors that are mission-critical, or that you rely upon to deliver your product(s) to your customers. How about your cloud-based vendors like your payroll system, your marketing automation tool, your sales email cadence system, your recruitment system, your customer success platform, and so on? Or perhaps you might find yourself digging a layer deeper and thinking through other on-premise or non cloud-based vendors such as your accounting firm or your consultants that have access to facilities, systems, and data.

After you’ve thought about it for a few minutes, what number would you assign if you had to guess how many vendors your company relies on? 50? 100? 500? Remember that number.

If you’re like most InfoSec or IT executives, your number is probably way off-target. And that’s largely in part due to the proliferation of cloud-based technology that allows anyone in your organization to purchase a license, create an account, or even get a small team on an app without letting your in-house technology team know. In fact, many employees or groups within your company may not see anything wrong with charging their company card (or even personal card, for that matter) with a $10/month user license for a cool new social media tool or a plug-in that allows them to do their jobs more efficiently or more effectively. What’s the harm?

Current State of Shadow IT

The harm is greater than you, or your team might think. According to Cisco, companies are using more than 15 times more cloud services to store critical company data than CIOs were aware of or had authorized! That’s a huge margin of error. To paint the illustration, let’s say you thought your company utilized 50 vendors. According to Cisco, it’s more likely that number is closer to 750!

The article goes on to state that one year prior to publication, the multiple was 7 times, six months prior to publication it was 10 times, at the point of publication it was 15 times, and given the exponential growth of cloud they predicted that by the end of this calendar year it will be 20 times or more than 1,000 external cloud services per company.

How Do More Vendors Impact Your Business?

Of course, as any CIO, InfoSec, or IT executive knows, the more vendors a company utilizes, the more potential for risk. And when it comes to data, that risk can pose massive threats.

Because of the severity of cybersecurity threats, one of the most important things that organizations can do to prepare for and minimize risk is to first have a thorough understanding of what sensitive information or applications vendors have access to. Without this understanding, your team will not know which relationships pose the greatest risk to your organization and your case for broader awareness of these risks may not carry as much weight as it should. And, if you’re not aware that your company is even using a certain vendor, then you could be at risk without even knowing it!

The More Vendors You Have, the Bigger Your Need For a Vendor Assessment Process

The bottom line is this: the more vendors you have, the bigger your risk, and therefore the greater your need for a streamlined and automated vendor assessment process.

If your team is already in the practice of sending out a questionnaire or survey to each vendor to assess the threat level they present to your organization, then congratulations! You already have the right mindset of being proactive when it comes to vendor security. Now, you simply need to take inventory and compile a complete list of all vendors — including those that may fall under the ubiquitous category of “Shadow IT” (if you need some help, we wrote a blog post specific to creating this list) — and make sure each one of them has been assessed or will be assessed soon.

However, if your company hasn’t yet designed a vendor assessment process in order to evaluate the security and processes for each of your vendors, then that’s the next critical step in order to help prevent cybersecurity attacks and security threats. A vendor assessment platform like Whistic can help your team stay focused on the high level initiatives while the important day-to-day tasks of vendor assessments are completely automated, tracked, and stored. Whistic exists to replace manual, error-prone vendor assessment processes. Your team is buried in the day to day work of conducting and responding to third party risk assessments when they could (and should) be focusing on the bigger picture: protecting your organization and keeping customer and employee data safe and secure.

And when it comes to adopting new vendors in the future? Make sure you implement some ground rules so that you’re always in the know when it comes to third party relationships.

Ready to Learn More?

Check out our resources below for more third party vendor best practices and insights on how your organization can effectively approach security assessments.


Why Third Party Security is Critically Important

Request a Live Demo with a Whistic Product Specialist

information security cybersecurity vendor risk management security questionnaires third party risk

About the author


The latest insights and updates on information security and third party risk management.