What Every CISO Should Know About Vendor Risk Management

May 29, 2018

As a Chief Information Security Officer (CISO), your entire role centers around keeping your organization, technologies, infrastructure, employees, customers, and any other stakeholders protected. Born out of this day and age of cyber crime, phishing attacks, data breaches and malicious threats, CISOs have a lot to juggle, and keeping all of the balls in the air can be a major challenge — especially with so many aspects of security to consider.

You’re intimately familiar with vendor risk management (VRM). After all, you can’t go more than a day (or even a few hours) without hearing about cybersecurity or reading about a third-party-related attack. But are you spending enough of your time ensuring you have a rock-solid vendor assessment program in place? Are you sure that your current and prospective vendors have a buttoned-up security posture? How often do you revisit your processes to make sure nothing slips through the cracks?

With everything else on your plate, it’s all too easy for CISOs to step away and let their IT or InfoSec teams handle the nuances of vendor risk management. But backing away could be a major mistake. In this article, we’ll take a look at 4 things every CISO should know about vendor risk management:

1. Vendor risk management is here to stay

There are several coinciding factors that each play a significant role in vendor risk management. Thanks to all of these environmental changes over the past years, we’re experiencing what some call a “wave of vendor security reviews” that is only going to become bigger and more important as time goes on and as technology continues to advance and evolve.

Two major factors that play into the growth of VRM include a 5X increase in SaaS adoption as organizations adopt new technologies ad nauseam and an increase in regulatory requirements (such as GDPR) as governments and other organizations put safety measures in place. Because of these factors — in addition to the size and cost of breaches (which we’ll cover next) — the necessity and intensity of vendor security reviews will only continue to increase over time.

2. Vendor-related data breaches are becoming an increasingly big deal

If you’re a frequent reader of our blog, then you’ve likely seen this stat before, but it’s an important one to pay attention to: 63% of data breaches are linked to third parties in some way. Because such an astoundingly high share of breaches is linked to vendors, organizations are being forced to tighten their grip on data while simultaneously ensuring their vendors are doing the same so they aren’t vulnerable to attack. And when data is compromised through an attack — regardless of who’s at fault — the average U.S. data breach costs $7.1 million.

With those numbers in mind, no organization can ignore the importance of vendor risk management and the assessment process, which seeks to mitigate risk before security issues can even begin to unravel.

3. You’re already spending significant resources on this problem

Whether vendor risk management has its own line item in the budget or not, your team is already spending significant resources on this problem. Many companies don’t have vendor assessment software to assist them in conducting third-party risk assessments, so there is no direct line-item cost associated with vendor security reviews at those companies, even though the work still gets done. For instance, if done manually, every time a vendor assessment is conducted, someone on your team has to check off each and every one of the following tasks:

  • Track down appropriate vendor contacts or internal stakeholders
  • Communicate internally with stakeholders during the procurement process to facilitate the security review
  • Gather information on the services the vendor will be providing
  • Understand which of your company’s information or applications the vendor will have access to
  • Determine what risk level the vendor poses to your organization
  • Piece together the right questions for the vendor
  • Send a questionnaire request to the vendor
  • Follow up with the vendor to remind them to complete the questionnaire
  • Review vendor responses and documentation to evaluate risk
  • Draft action plans or determine next steps required by the vendor in order to protect your organization
  • Ensure that you have organized questionnaires and documentation in appropriate repositories for storage
  • Determine when you should reassess the vendor in the future

Now, consider that this process must take place for every single vendor assessment, and even vendor renewals. It’s likely that vendor risk management is costing you far more than you realize (in fact, we’ve actually run calculations to determine that vetting just 24 vendors costs approximately $20,000 per year!). And of course, without a solid process, it could cost you even more.

4. There’s a much better way to approach managing vendor risk

Thankfully, vendor risk management doesn’t have to be a time-consuming burden. Whistic’s vendor assessment platform exists to replace your manual, error-prone vendor assessment processes. Your team is buried in the day-to-day work of conducting and responding to third-party risk assessments when they could (and should) be focusing on the bigger picture: protecting your organization and keeping customer and employee data safe and secure. A vendor assessment platform like Whistic can help them stay focused on the high-level initiatives while the important day-to-day tasks of vendor assessments are completely automated, tracked, and stored.

Ready to Learn More?

Check out our resources below for more third-party vendor best practices and insights on how your organization can effectively approach security assessments.
