Overcoming the Challenges of Vendor Onboarding and Security Reviews

November 21, 2017

It’s no secret that organizations are adding new software to their tech stacks at breakneck speed. Regardless of organization size, departments are finding uses for all kinds of niche vendor tools and broader solutions. Take the MarTech landscape, for instance. Since 2016 it has grown by nearly 40%, to 5,381 solutions available to marketers (from 4,891 unique companies). From email tools to analytics and website plug-ins, the options are vast, and marketing leaders feel pressure to adopt them quickly to keep up with the competition.

The same pattern holds across sales, human resources, customer service, administration, development, and so on. Every department (and even individual employees) needs tools that help them do their jobs faster, with more insight, and with better results.

Rapid SaaS Adoption Exposes Big Problems

New vendor adoption isn’t slowing down anytime soon, and thanks to cloud solutions it’s easier than ever for organizations, department leaders, and even individual employees to sign up for a new service with a couple of clicks or a few phone conversations with a sales rep. Once the terms of service are accepted or the MSA and contract are signed, the new solution is up and running. What most employees and even department leaders don’t appreciate is that each of those new applications widens the business’s attack surface: the vendor typically receives API keys or OAuth grants, access to files and shared drives, personally identifiable information about customers, and often employee data as well. If the solution and its security practices are not vetted first, a weakness on the vendor’s side becomes a weakness on yours.

According to a Cisco study, companies are using up to 15x more cloud services to store critical company data than their CIOs were aware of or had authorized. Much of this is shadow IT, defined as “information-technology systems and solutions built and used inside organizations without explicit organizational approval.” Cisco’s report goes on to reveal:

“…IT departments estimate their companies are using an average of 51 cloud services, when the reality is that 730 cloud services are being used. One year ago the multiple was 7x, six months ago it was 10x, today it is 15x and given the exponential growth of cloud, we predict that by the end of this calendar year it will be 20 times or more than 1,000 external cloud services per company.”

We shared in a prior blog post how Google, the archetypal cloud vendor, was recently the vehicle for a phishing attack so widespread that the United States Computer Emergency Readiness Team (US-CERT) issued an alert. In that campaign a malicious third-party application named “Google Docs” asked victims to grant it OAuth access to their Gmail and contacts, and it spread through exactly the kind of third-party access that proliferates when cloud tools are adopted without review.

The lesson of the Google Docs example is that a vendor’s reputation is not a security control. Regardless of how well known the solution or the company, the information security team must be able to assess the risk a vendor introduces before the solution is purchased. That is happening less and less often, and the result is significant unmanaged risk and some notable data breaches.

The Importance of the Vendor Assessment Process

The vendor assessment process is just that: a process, usually led by the information security team, in which a prospective vendor’s security practices, policies, certifications, and audit reports are reviewed to determine whether the vendor is an acceptable fit for the data and access it will receive. During the assessment, the security team should first tier the vendor by inherent risk (the risk the relationship carries before any of the vendor’s controls are considered, driven by what data the vendor will hold and what systems it will connect to) so that review effort is proportional to exposure, and then compare the vendor against a predefined set of criteria by reviewing questionnaire responses, supporting documentation, and metadata.

While the vendor assessment process is a major safeguard and can prevent security breaches, it only works if the information security team learns of a vendor request before the contract is signed. That may seem obvious, but it frequently does not happen in that order. Once an unvetted vendor already holds company data or credentials, the risk is already in play, and the security team is reduced to discovering and cleaning up exposure after the fact rather than preventing it.

A 2016 Ponemon Study highlighted the current state of affairs as it relates to new vendor security reviews:

“…only 38 percent of respondents say that before starting a business relationship that requires the sharing of sensitive or confidential information their company evaluates the security and privacy practices of all vendors.”

Does Your Organization Have a Vendor Risk Management Program?

Regardless of size, every organization that uses cloud solutions should have a vendor risk management program in place. It does an organization no good if departments or employees can bring on new vendors without first obtaining approval.

Fortunately, a vendor risk management program doesn’t have to upset current operations or delay purchases, which matters because departments can’t afford to miss a beat. Whistic’s vendor assessment platform has a built-in “vendor request form” that departments and employees alike can use whenever they are considering a new tool or solution.

Once the information security team (or whichever team reviews new vendors) receives the automatic notification that a request has been initiated, the vendor assessment process begins.

For organizations wary of adding a new step to their process, Whistic also offers an API integration with procurement software that triggers a security review without disrupting the existing procurement flow.

It is simply unacceptable for an organization to turn a blind eye to new vendors being onboarded without proper vetting. A decentralized process may seem to be working today, but it is only a matter of time until a breach or near miss forces the organization to build a vendor assessment process under pressure. Rather than reacting to a vendor security incident, be proactive and set up a process that all stakeholders can easily adopt.

Ready to Learn More?

Check out our resources below for more third-party vendor best practices and insights on how your organization can effectively approach security assessments.


Why Third Party Security is Critically Important
