For those outside the vendor risk management or InfoSec world, it may seem as though vendor assessment and security teams are constantly working with top-of-the-line technology, processes, and workflows. After all, these processes are supposed to protect company data and information from malicious attacks—many of which deal with technology that is rarely known to those on the 'other side'.
It would be jarring for many, then, to realize that many InfoSec teams are working with slow or outdated processes that struggle to keep up with the cloud-based, on-demand data sharing models used by modern vendors. 2021, however, has prompted many InfoSec teams to revisit their approach to vendor assessments and vendor risk management to modernize and optimize processes.
Old-school vendor risk management
For many years, vendor assessments have required substantial manual input and data gathering from InfoSec resources. After a request for an assessment came in from a vendor, InfoSec resources would have to answer each question manually, typically pulling from a spreadsheet of 'templated' answers, and then send the responses back to the internal point of contact. Any follow-up questions or clarifications would come through this point of contact, creating an inefficient black hole of email chains, follow-up questions, and repetitiveness.
A modern approach to vendor assessments
Today, however, InfoSec teams across industries realize the need for a streamlined, modern approach to vendor assessments. As malicious threats become more sophisticated and stay ahead of the game, the protections and controls against these risks become more modernized.
The modern approach to vendor assessments encompasses a few big-picture items:
- Transparency: Modern vendor risk management is all about open-source transparency on all sides. First, InfoSec teams should publish their security posture for potential vendors to see and work with. Second, InfoSec resources should educate and train other departments (including sales and procurement) on handling more minor security questions. And finally, InfoSec teams should have access to a complete database of past security assessments and answers to potential security questions.
- Automation: Gone are the days of endless email chains and back-and-forth with vendors. Instead, modern vendor assessment workflows are taking full advantage of the joys of automation. InfoSec teams can share an assessment with a vendor with just one click. As updates are made to this document, they can be automatically published and visible to the vendor—no email clarification required.
- Access: One of the biggest perks of a modern vendor risk management approach is giving access to other teams outside of your InfoSec group to 'self-serve' with vendor assessment documentation. This doesn't mean that your security team is giving up control over the documentation itself. Instead, your team can give other resources access to your information to make it easy to share and spread with potential vendors and partners.
Modernize your VRM processes with Whistic
Whistic is the ultimate tool for InfoSec teams looking to modernize and optimize their vendor risk management process. From streamlining your internal vendor assessment process to making it easy to respond to inbound questionnaires, Whistic is the best way to assess, publish, and share vendor security information without risk to the documentation itself. You can learn more about Whistic here.