What 2021 continued to remind us is the threat of a data breach is one of the few constants we have in life. Whether it was dealing with the aftermath of Solarwinds at the beginning of the year or Log4j at the end and many more in between, InfoSec and cybersecurity teams were kept busy cleaning up a data breach or working hard to prevent them.
To help improve our understanding of the challenges faced by these teams and the trends impacting the industry, Whistic once again surveyed individuals working in the field and compiled our findings in the third annual State of Vendor Security Security Report.
Over the course of four blog posts, we’ll dig into some of the findings and offer insights and recommendations on how you can improve your program. The posts will cover:
How to increase efficiencies in the vendor assessment process for both buyers and sellers
Making on-demand vendor assessments a reality
The recipe for a perfect security profile
Why streamlining the vendor assessment process increases revenue
How vendors are impacted by security assessments
Our research found that vendors are responding to 23 assessment requests per month on average, which is an increase of about 10% year over year. With each response taking around 3.5 hours—that’s 80.5 hours per month or the equivalent of one half of a FTE.
But that’s just one aspect of the security review process. When it comes to the sales cycle, it can add another week to the process, but that’s if there aren’t any clarification requests from the customer, which adds another 4.1 days on average.
What these numbers don’t show is the impact responding to vendor assessments can have on the overall productivity of an InfoSec team. Those 3.5 hours responding to each assessment don’t come all at once. They come in fits and starts and can disrupt the overall flow of work for practitioners.
Save time with on-demand assessments
But it doesn’t have to be this way. When you make assessments available on-demand, you make it both easier for your customers to assess you, while saving time that used to be spent responding to one-off assessment requests. And the good thing is that most people—94% to be exact—said they would be willing to begin a vendor assessment with an on-demand questionnaire. And Whistic makes it easy for customers to compile and publish their security documentation to the following places:
The security page of your website. The easiest and most obvious place to publish your security documentation is on the security page of your website. Depending on how much control you want to have over your documentation, there are a number of solutions (including Whistic) that can host your documentation and manage the requests. These solutions give you the opportunity to decide who has access to your information, for how long, while also helping ensure they have the most up-to-date version of your documentation.
Security directories and exchanges. Next, you should identify directories and exchanges that your customers frequent to conduct on-demand assessments of vendor security posture like CSA’s STAR Registry or Whistic’s Trust Catalog and publish your Profile to them. Making your security posture available on-demand speeds up the vendor assessment process, provides a better experience for your customers, and saves the time your InfoSec team used to spend responding to one-off questionnaire requests.
Software review sites. Finally, many software review sites, like G2, are incorporating security documentation to their portals to help users make the most informed decisions about software purchases. One of the biggest reasons is because security is often cited as the most important factor in determining which vendor is chosen.
Read The 2022 State of Vendor Security
In this report, the third in an ongoing series, we’ll highlight the current state of vendor security, identify industry trends, and provide recommendations for how companies can improve their processes for conducting and responding to assessments.
How buyers are impacted by vendor assessments
As far as the buyer goes, they are assessing 172 vendors annually and spending 23 hours per week working on assessments. Our research found that the most time consuming aspects of the assessment process are:
- Determining vendor risk levels and what information to request from the vendor (33%)
- Tracking down vendor contact information and other relevant info from internal stakeholders (26%)
- Reviewing vendor responses, identifying gaps/risks, and writing up a final summary of the assessment (21%)
- Discovering which vendors need to be assessed (15%)
- Communicating the results of the vendor assessment internally to the vendor and working through any remediation or follow-up tasks (5%)
The top-2 most time consuming most time-consuming aspects are adding little value to improving security. They’re focused on finding what information I need and who I need to get it from.
Saving time with automations
Luckily for buyers, those tasks can easily be solved by automating a number of key tasks in the process. This can start from the very beginning at vendor intake. With a solution like Whistic, employees can enter in all of the relevant information needed about the vendor and once it’s submitted, the assessment can be kicked off automatically. This eliminates the need for the InfoSec team to track down contact information and other details about the vendor and allows them to focus on actually vetting the risks associated with the vendor.
Next, when it comes to evaluating the inherent risk of a vendor. There are a number of tools available, like RiskRecon, that allow you to have a continuous view on the risk of your vendors and make it easy to implement plans on how to reduce that risk or remediate it altogether. Continuous risk monitoring is important because a vendor’s risk levels can change over time for a number of different reasons and you want to make sure your company has the most up-to-date information.
Another time consuming step in the process is making sure the vendor completes the questionnaire and provides you with all the documentation you asked for in a timely manner. A good vendor assessment tool will have automated reminders and notifications in place to ensure that each assessment is progressing toward completion.
Finally, it can be hard to remember when reassessments need to take place, but this is a process that is easily automated as well. Depending on the risk level you should set reassessments to happen as often as every six months or as little as every other year.
How Whistic can help
The Whistic Vendor Security Network simplifies the vendor assessment process by making it easy for vendors to compile, publish, and share all of their security information and for buyers to access all of that information in one place.