The Best Ways For Procurement and Infosec to Partner When Selecting Vendors

February 18, 2021

Picture this scenario: your InfoSec team has built a comprehensive vendor risk management strategy to protect data and maintain compliance across your clients, partners, and vendors. But one vendor relationship slips through the cracks, and by the time that vendor reaches the assessment stage, its security controls don't line up with your requirements.


Why a partnership with procurement matters

Most businesses have far more vendor relationships than they realize. Your internal procurement team (typically a specific team within HR, building services, finance, or administration) is in charge of making the vendor purchases that keep the business running. Marketing email service providers, CRM platforms, marketing automation systems, and even frontline InfoSec solutions all have to go through some sort of procurement process.

While most procurement teams work with InfoSec to follow vendor security protocols to the best of their ability, there is plenty of room for things to slip through the cracks. In 2021 especially, the rise of remote work has led many organizations to invest in new connectivity, communication, and project management platforms for the first time. A larger, company-wide vendor is likely to be sent through the correct assessment process, but smaller, team-specific tools may be purchased before anyone has thought about compliance risk.


Three ways InfoSec teams can partner with corporate procurement teams

All it takes is one small gap in a vendor relationship to expose your organization to third-party risk. Here are three key ways your InfoSec team can partner with procurement when selecting new vendors:

1. Document your vendor risk management process as much as possible.

Following any protocol is easier when there are clear instructions, and a vendor risk management strategy is no different. Document your entire VRM process, including how you measure vendors on inherent and residual risk, so that your procurement team can easily spot vendors that might not comply with your vendor security guidelines.

2. Educate your internal procurement team on the importance of adhering to your assessment process.

Sometimes procurement teams are simply unaware of how important vendor risk management is and how it protects the organization. Educating your procurement team can be part of a larger corporate education initiative that gets everyone on the same page regarding data privacy and security.

3. Make it easy to partner with vendors.

A final part of the InfoSec/procurement working relationship is ensuring that your security guidelines and processes don't stand in the way of your procurement team actually moving forward with vendor partnerships. By automating and scaling your vendor assessment process, the InfoSec step of a new vendor partnership won't become a roadblock.


Streamline internal communication with Whistic

The foundation of any great InfoSec/procurement partnership is communication and organization. With a full-service risk management and compliance tool like Whistic, your InfoSec team can accurately document your vendor security process, share guidelines and educate other teams, and help move new vendor partnerships forward.


About the author

Whistic

The latest insights and updates on information security and third party risk management.
