For InfoSec teams dealing with vendor risk management, questionnaires and assessments can sometimes be a double-edged sword. On the one hand, these assessments offer an in-depth look at a vendor’s security posture and controls. On the other hand, most assessments only present a point-in-time look at this posture, meaning that any changes after the fact will go unnoticed.
For many InfoSec teams, building scalable, flexible vendor risk management programs that can be changed, updated, and re-assessed without any risk to the security or privacy of protected information is challenging. However, in this modern age of open-source, cloud-based data sharing, these flexible programs are precisely what vendors (not to mention customers, prospects, and partners) expect from SaaS organizations.
Building strong connections with vendors
However daunting the task may be, it is possible to set up a scalable, lasting vendor risk management program with vendors and still be able to check in and keep security controls up to date. Here are a few tips for building strong connections with vendors:
- Do a yearly vendor audit to ensure security controls are up to date across the board.
- Check in with industry benchmarks, resources, and other educational tools to ensure your team is leveraging the most current assessments and questionnaires.
- Establish a vendor outreach and/or updates program and send a quarterly newsletter to vendors describing new security program changes.
- Equip your sales and/or vendor contact team with the most recent version of your security controls so they can share changes with vendors.
- Set the expectation of ongoing updates or changes with your vendors during the onboarding process.
Optimize vendor relationships with Whistic
Vendor risk management is constantly changing and evolving, which means your vendors’ security controls are constantly changing too. This could mean you or your vendors are adding and/or changing questionnaires on an ongoing basis. Additionally, as things change, you may need to completely revise your security posture and send updates to your vendors to keep them informed.
With Whistic, your InfoSec team can seamlessly make changes to assessments, publish these changes, and then alert your vendors to the new updates. If your vendors also leverage the Whistic Security Profile, you will be notified of any changes or updates on their end as well. Additionally, Whistic allows InfoSec teams to visualize a holistic picture of all vendor connections and integrations. As soon as there is a potential gap, your team can work to set things straight.
Whether you’re a buyer looking to assess vendors or a team looking to streamline the security questionnaire process, Whistic can help. You can learn more and schedule your personalized look at the Whistic Security Profile here.