The 4 Factors That Impact a Vendor Security Review

April 27, 2018

When it comes to vendor security reviews, time is usually of the essence. A new business sales deal is waiting on the results, a new partnership or renewal is being held up, a company that recently experienced a data breach is re-evaluating vendors, or maybe an integration is being delayed. Regardless of the reason for the vendor assessment, it’s critical to ensure it’s completed accurately and efficiently.

In our observation of thousands of security reviews, we’ve found that there are 4 major factors that impact how quickly a vendor review is completed and how willing a vendor is to go through the process in the first place. In this article, we’ll take a look at those 4 factors.

1. The Money (or Revenue) That’s On the Line

The first factor, of course, has to do with the finances that are involved in the partnership. As in most things, the more money (or revenue) that’s on the line, the more attention the review will receive. For example, if a new business contract or an existing renewal is at stake for a sales team, timing is key in order for the deal to hit during a specific quarter or month. In this case, the largest determining factor for the amount of time the questionnaire will receive directly relates to the deal’s potential contract value.

On the other hand, if a review request is conducted in the middle of a contract, such as during year 1 of a 3-year deal, the review usually doesn’t have as much urgency (unless one of the following factors are also at play).

2. Size of the Relationship

Imagine that your largest customer asks you to participate in a security review during the middle of their contract. How much priority would that task likely be given? A LOT! Your InfoSec team will do whatever it takes to address those questions and ensure that the relationship isn’t compromised or questioned. However, if a smaller customer sends your team a 300-question vendor assessment during the middle of their contract, it probably wouldn’t take priority. Instead, your team would likely respond with your standard Security Profile responses. The determining factors for how urgently to respond and how much time to put towards the review depends on both the size of the contract as well as the contract’s revenue potential.

3. Security Incident or Regulatory Requirement

In some cases, security reviews are triggered by a security incident, a regulatory requirement (such as GDPR), or even by an industry-wide threat. Imagine one of your customers experienced a cybersecurity issue in which employee data was hacked by one of its third party vendors. Of course, that organization is likely to conduct in-depth security reviews on all vendors to ensure that no other data is in risk of being compromised. Because of the nature of security incidents and the immediacy of regulatory requirements, these vendor security reviews often trump both dollars on the line and size of the relationship. Afterall, a partnership can be ended by choosing to not comply. Similarly, if a vendor doesn’t participate in a timely manner, it can send a signal to others in the industry that security isn’t its top priority.

4. Policies of the Requesting Company

Finally, a company may require a completed review on every vendor it works with in order to continue (or even start) a business partnership. In many circumstances, not participating in a security review or not submitting the questionnaire fast enough can be a show-stopper. Some companies, on the other hand, may be able to enter partnerships with vendors without initially conducting a review. This factor is certainly a case-by-case basis and should be discussed early on in the sales process in order to determine what is needed in order for the deal to continue moving ahead.

In some cases, companies care more about security than compliance and are willing to take a look at the security documentation that your InfoSec team has already prepared (such as your Security Profile) while others may require that you to fill out a questionnaire.

Regardless of how your company has responded to (or conducted) security reviews in the past, the security landscape is changing fast, and companies of all shapes and sizes across all industries are re-thinking their vendor security review processes and policies. Now, your organization needs to understand how to prioritize security reviews and have processes in place to respond efficiently and effectively whenever necessary.

Ready to Learn More?

Check out our resources below for more third party vendor best practices and insights on how your organization can effectively approach security assessments.


Why Third Party Security is Critically Important

Request a Live Demo with a Whistic Product Specialist

information security cybersecurity vendor risk management third party risk vendor security review

About the author


The latest insights and updates on information security and third party risk management.

Hate security reviews?
Want FREE AirPods?*

Offer valid for any decision-maker/influencer in relation to your company’s third-party risk management strategy. Company size must exceed 100 employees. Exclusions apply. Limit 1 pair per company.