Managing a vendor assessment program is hard, especially if you’re trying to do it on your own with limited resources. In this section, we’ll talk about things you can do to offload some of your responsibilities to improve the quality of your program and help you minimize third party risks in your environment.
Value of exchanges in increasing
One of the easiest ways to improve efficiency in your vendor assessment is conducting zero-touch assessments of security documentation that has been published in exchanges like the Whistic Trust Catalog and CSA STAR Registry, among others.
Instead of chasing down vendors and wasting time in seemingly endless email back and forths, these exchanges provide companies with the relevant information needed to make a determination on the risks associated with adding on this particular vendor to your environment.
Recent research by Whistic found that 90% of survey respondents indicated that if a company’s security documentation was available on-demand either through an exchange or published to the company’s website it would speed up the vendor assessment process. The research also found that it would save InfoSec teams an average of 12.3 hours a week assessing vendors.
The same can be said for vendors responsible for responding to questionnaire requests. By publishing documentation to exchanges, they’re simplifying the process for themselves. As mentioned previously, doing the work up front saves time and resources in the long run because it will eliminate many one-off assessment requests.
Managed services becoming more integral in the vendor assessment process
Whether you’re a small business just building out your vendor assessment practice or a large enterprise with a mature program, managed services are likely to play a larger role in the process in 2022 and beyond. Managed service providers offer expertise that you may be lacking and can zero in on the specifics of identifying potential risks, and on the other side of the transaction they can help you create a proactive process that streamlines responses to assessment requests.
Read Our New eBook: 4 Vendor Security Trends Whistic is Watching in 2022
In this ebook, we’ll dig deeper into each of these topics and provide actionable ways you can incorporate them into your vendor security strategy going forward.
Define key metrics up front
When engaging with a third-party managed service provider, you need to define the key metrics on how they will be measured based on quality of work, timeliness of service, etc. It’s also important to build in credits for scenarios when those metrics aren’t met.
Make technology and MSP a package deal
It’s best to work with a managed service provider that’s bringing the vendor assessment technology to the table as well. Managing the assessment separate from the MSP is more difficult and typically more expensive.
Find an MSP that's flexible
Every business is different. Just because something worked for one of their clients doesn’t mean it’s going to work for you. Make sure they’re willing to customize the program to meet your needs and the maturity level of your business.
Understand the assessment methodology
Not all assessments are created equally. Make sure you understand the ins and outs of how your MSP is going to assess vendors, what level of assurance, documentation, and validation is going into the process. How thorough the assessment is is also going to impact the price, so keep that in mind when making your decision.
Just because you’re outsourcing the execution of your program, doesn’t mean you’re not responsible for the oversight and governance of it. Managing vendor risk isn’t something that you can just set and forget, you should stay involved and help shape the direction of the process.
To learn more about 2022 vendor security trends according to Whistic, download our latest ebook and be on the lookout for our next blog post that will dig into the importance of standardizing how security information is shared.