Solving Top Pain Points Related to Vendor Security Assessments

May 04, 2021

It’s no secret that many in sales don’t always have the best things to say about the security review process. Traditionally they have caused deals to slow down or even stop altogether because of the security review dead zone.

Like the old saying goes “Time kills all deals,” and this has proven to be the case time and again for sales teams. Recent research by Whistic has found that 37% of respondents in SaaS sales have had a deal push because they couldn’t respond to security reviews or meet customer expectations in time and 35% lost a deal outright for those same reasons.

Existing, manual processes are also difficult for InfoSec teams. They elongate buying cycles and increase time to value for key stakeholders in the business. And because there are so many vendors to assess each month, it is hard to keep track of the status of each one.

But it doesn’t have to be that way. There are tools that can be implemented and strategies to put in place that will take much of the security review burden off of sales and drastically improve the process of assessing vendors for InfoSec. Over the course of this post, we will highlight the top pain points related to vendor assessments from the State of Vendor Security Report and discuss best practices for addressing and resolving those pains.


Top Vendor Assessment Management Pains

  1. Lack of streamlined, automated vendor assessment process
  2. Vendor assessments take too long
  3. Poor vendor experience discourages participation
  4. Lack of visibility, reporting and system of record
  5. Can’t keep up with the backlog of initial and ongoing assessments

Lack of streamlined, automated vendor assessment process


Up until the last couple of years, most vendor risk assessments involved filling out a spreadsheet questionnaire and going back and forth between buyers and sellers via email until it was answered to their satisfaction. Luckily nearly 60% of businesses have adopted a tool to help them better manage and automate assessing vendors and responding to vendor assessments.

One of the biggest benefits that a vendor security tool can bring to the table is the ability to share detailed information about your security posture with customers before they even ask for it. This has proven to speed up deals and in many cases, eliminate the security review dead zone all together. That’s because you’ve been able to respond to questions they may have about the potential risks of partnering with your business.



For InfoSec teams, ditching spreadsheets and emails in favor of a tool built specifically for managing vendor assessments makes it easier to track progress, assign risk, and accelerate time to value for the business.


Vendor assessments take too long

We mentioned it in the intro but it bears repeating: time kills all deals! The longer you take to close, the more opportunity your prospect has to raise another objection, get cold feet, or back out altogether. 

According to the 2021 State of Vendor Security, responding to a vendor risk assessment can add up to 6.3 days to the sales cycle on average. And that number gets higher if there are clarifications needed, which happens nearly 60% of the time.

But implementing new tools and taking a proactive approach can lessen the time needed to respond to reviews. Another way to accelerate the sales process is by publishing your detailed security profile on your website and in databases like the Cloud Security Alliance STAR Registry and the Whistic Trust Catalog.

This makes it possible for customers to conduct zero-touch assessments of your security posture early in the sales process without any additional work by your team. These databases also make it easier for InfoSec teams to evaluate the potential risk of a vendor before even engaging them.


Poor vendor experience discourages participation

Not to beat a dead horse, but traditional, manual processes built around spreadsheet questionnaires and email aren’t a good experience for either the buyer or the seller. As a result, there are times when the vendor will decide that the effort to complete a lengthy, cumbersome questionnaire just isn’t worth it.

This problem can be solved for the most part if each industry, vertical, and business size agreed on a standard questionnaire or group of standard questionnaires. This would mean that once a questionnaire had been completed, it would only require periodic updates, rather than being completed anew for each customer and their customized questionnaire.


Lack of visibility, reporting, and system of record

One of the hardest parts of the traditional vendor assessment process was how difficult it was to track and manage. You had a different spreadsheet for each vendor, and all the communication was handled via email. What was needed was a single source of truth to track the security posture of all of your vendors.

This problem can largely be solved by addressing the first pain point. Implementing a tool to manage vendor assessments pulls all of the security documentation into one place, making it easier to evaluate risk, track the progress of assessments, and know when you need to conduct reassessments.


Can’t keep up with the backlog of assessments

The work of an InfoSec team is never done. Once you complete one assessment, there’s another one (or five or 10) waiting for you. But much of that backlog can be mitigated by automating key processes like following up on assessment requests or initiating reassessments and utilizing directories like the Whistic Trust Catalog to conduct zero-touch assessments.


How Whistic can help

Whistic Profile simplifies the process for sharing your security posture and responding to vendor assessments. This helps your salespeople close deals faster and enables your InfoSec team to re-allocate their time to more strategic initiatives.

Whistic Vendor Security, meanwhile, makes it easy for InfoSec teams to manage the process of assessing vendors, automating and streamlining many of the key activities, which results in a better experience for InfoSec teams and their vendors alike.

Whistic’s modern approach to vendor risk management accomplishes this by making it possible to respond to vendor assessments in minutes, not days or weeks, and virtually eliminates the security review dead zone by promoting proactive sharing of security posture early in the sales cycle. 

Learn how Whistic can help your business by requesting a demo today, or if you want to learn more about the trends discussed in this post, download the 2021 State of Vendor Security.


About the author

Whistic

The latest insights and updates on information security and third party risk management.