Part 1: Get Access to or Build a Third Party Vendor List

August 14, 2017

At any given time, organizations should be able to review a complete list of all vendors and their services as a first step in understanding the risks associated with third party vendors. If you don’t know who your third parties are, how can you categorize the risks associated with those third parties? Yet, 67% of companies don’t inventory their vendors or what information they are accessing, according to a recent Ponemon Institute© Research Report.

“Only 33% of companies have an inventory of their third party vendors and the data they have access to.”

Lack of a vendor inventory list is potentially a sign of an immature third party program and could mean that an organization is opening itself up to significant risk. This is particularly true when you consider that, according to Trustwave, 63% of data breaches are linked to third parties in some way.

But for many organizations, regardless of size or industry focus, this type of inventory list doesn’t exist. And while it may seem like an easy asset to build, it can be a cumbersome process if you don’t know where to start or, perhaps more importantly, who to ask.

Over the next several weeks, we’ll address each of the 5 steps we outlined in our latest ebook, “Why Third Party Security is Critically Important”. Today, we’ll start with Part 1 of the series, “Access or Build a Third Party Vendor List”. Let’s get started:

How to Build Your Vendor List

Obtaining the list of vendors isn’t usually as easy as walking into the finance department’s office and asking for the list. So where should you start?

  • Step 1: Visit the Procurement Team

The first step is to visit the Procurement team. If they have a procurement software (like NetSuite, for example), then it’s likely they have access to the basic level of data and can run an export to identify vendors that your company pays, whether annually, quarterly, or monthly.

If the Procurement team can provide you with the list of third party vendors, it still may be helpful to do an audit of Shadow IT that could be pervasive across the business (see step 2). However, you have the basic list that you need, and can continue building upon it as new vendors surface or as new software is procured.

  • Step 2: What If Your Procurement Team Can’t Help?

If your company doesn’t utilize a procurement software or doesn’t have a dedicated procurement team, then a good place to go next is to the accounting department as they will typically have a list of all the vendors your company pays on a regular basis. Even then, you may need to work with these teams to take a deeper look at each department across the entire company so you can determine which teams (or individuals) are using software, programs, and even apps that the company is paying for. Most companies aren’t aware that a significant amount of company resources are spent on Shadow IT, which is classically defined as, “Information-technology systems and solutions built and used inside organizations without explicit organizational approval. It is also used, along with the term ‘Stealth IT’, to describe solutions specified and deployed by departments other than the IT department.”

In fact, according to the report entitled, The 2016 Global Cloud Data Security Study,“…Roughly half of all cloud services and corporate data stored in the cloud are not controlled by IT departments, two-thirds of sensitive data stored in the cloud is left unencrypted, and more than half of companies are not proactive in their compliance with privacy and security regulations for data in cloud environments.”

A recent Cisco study added that the average business believes they utilize 91 cloud services while in reality, over 1,220 are discovered. This is a gap of 15–25X cloud services that are sourced without any involvement from IT.

The point is, even if your Procurement or IT team can export a list of known companies on your third party vendor list, there are likely hundreds (if not thousands) of other software solutions being used across your organization by individuals or teams that your Information Security team has no access to. How is that possible? They’re simply expensing the charges by using their corporate credit card or they’re using personal credit card information for the transactions. Take the example of Dropbox for instance. For $9.99 a month, an employee may charge the amount to his personal card and not expense the menial amount, but also use the storage for personal files. Meanwhile, it all slips past the IT, Information Security, and Procurement teams.

Step 3: Build a Process to Store The Vendor Information

If your Information Security team has no idea that a vendor is being used at your organization, then how can they protect you from the threats of a cyber attack? They can’t. That’s why it’s critical that you create a process around updating the list and ensuring it’s always accurate. You can utilize:

  • A procurement software
  • Google Sheets or a cloud-based collaboration tool
  • A third party SaaS optimization platform, such as Zylo or VendorHawk

The key is to make the process of updating simple for your team. You don’t have to use a fancy software to build or maintain the list. The key? Start somewhere and keep building upon your foundation. As your inventory grows and your data gets validated, you’ll feel a greater sense of security knowing that you’re at least aware of the total scope of your third-party security needs.

Ready to Learn More?

Check out our resources below for more third party vendor best practices and insights on how your organization can effectively approach security assessments.


Why Third Party Security is Critically Important

Request a Live Demo with a Whistic Product Specialist

Risk Management information security cybersecurity vendor management saas

About the author


The latest insights and updates on information security and third party risk management.

Hate security reviews?
Want FREE AirPods?*

Offer valid for any decision-maker/influencer in relation to your company’s third-party risk management strategy. Company size must exceed 100 employees. Exclusions apply. Limit 1 pair per company.