What If You Could Schedule Your Vendor Security Assessments 12 Months in Advance?

December 16, 2017

In recent years, vendor assessments have become a mandatory, albeit very time consuming, part of new third party procurement processes and onboarding procedures. As the number of security breaches has increased dramatically (cyber crime damage costs are expected to reach $6T annually by 2021), vendors pose an increasing risk: those not vetted thoroughly can inadvertently compromise important data and personal information. In fact, we recently examined a massive security breach that Uber experienced, which was linked to two of its vendors. According to Trustwave, 63% of data breaches are linked to third parties in some way and, if left unchecked, seemingly innocent plug-ins or third party apps can become very damaging, most often with very little (if any) warning.

While the task of conducting vendor assessments has been widely adopted as a best practice by enterprises of all sizes, it doesn’t change the fact that the process can be burdensome, time consuming, and distracting from other initiatives. According to a recent study by the Ponemon Institute, 60% of companies admit that they do not have the resources to monitor the security and privacy practices of vendors with whom they share sensitive or confidential information. The fact is, vendor assessments are a non-negotiable.

Eliminating Vendor Assessment Hassle

Many InfoSec teams would agree that one of the biggest pain points in the vendor assessment process isn’t necessarily the new partner onboarding, but rather continual vendor upkeep and management. Not only do these teams need to thoroughly vet and onboard each new vendor, but they also need to keep track of the security postures and potential red flags for those that are already partners — a list that continues to grow, especially considering the rate of SaaS adoption is skyrocketing.

Due to the time-consuming nature of conducting renewal assessments each year, few companies are actually doing them. Some companies talk about using calendars or spreadsheets to track renewals for reassessment, but when the time comes, few actually take action — it’s just not feasible to conduct all of the assessments manually. The trouble is, a vendor’s risk posture can change dramatically over time, and it’s imperative that companies evaluate their vendors on an annual basis.

Fortunately, there are now technologies available that can help InfoSec teams manage vendor assessments and renewals not only efficiently, but proactively.

At Whistic, we recognize how difficult it can be for enterprises to proactively manage existing vendor relationships and monitor their security postures throughout the partnership. That’s why we’ve put an extra focus on helping teams streamline the renewal process by implementing two helpful features designed to alleviate this pain:

1. Bulk Import Your Existing Vendor Catalog and Schedule Next Questionnaire Dates

During the implementation process, Whistic clients can provide their existing vendor list (to populate the vendor catalog) to our team, which is then loaded into their Whistic account. As a part of this bulk import, we can populate metadata such as: inherent risk, criticality, systems the vendor integrates with, contract length, # of users, etc., as well as the “Next Questionnaire Date” field. By simply adding a date in this field, Whistic will build a schedule of the next questionnaire request to automatically send out to each of your vendors with your desired questionnaire. Not only can you have an entire vendor catalog populated out of the gate, but you can have your future questionnaire requests handled for you, which is incredibly powerful!

We’ve found that many companies set this field to “renewal date minus 45 days” so that the next review lines up with the contract renewal and gives the vendor enough notice to line up the right resources internally. And since your team is automatically notified by Whistic several business days before any renewal questionnaire email goes out to a vendor, you still have the ability to “turn off” a renewal questionnaire if that relationship goes inactive or something else changes before that date. With this functionality, an organization can set up an entire year of vendor assessments on autopilot during implementation, and then focus only on new vendor assessment requests as they come in.

2. Configure Your Ongoing Renewal Cadence Based on Risk Level

Previously, we explored how to design an assessment process that matches the risk level of each vendor. For instance, a vendor that has access to customer records, employee data, or financial information would be considered high-risk. With the list in place, Whistic’s functionality allows the security team to configure a “renewal cadence” that is triggered based on the risk level of the vendor. An InfoSec team can now set a cadence that, for example, automatically invites high-risk vendors to re-assess every 12 months, medium-risk vendors every 18 months, and low-risk vendors every 24 months. The cadence can also be set per vendor, with renewal dates entered manually, or run as a hybrid: a default program with manual overrides where needed.
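To make the scheduling rules from both features above concrete, here is a small scheduler written for this post as an added example; it is not Whistic code and does not use Whistic’s API. It takes a vendor catalog with risk tier, last assessment date, optional contract renewal date and optional manual override, then computes each vendor’s next questionnaire date (risk-tier cadence, pulled forward to “renewal date minus 45 days” when a renewal comes first, manual override winning over both), drops inactive vendors, and works out when the internal team should be warned before the email goes out. The 12/18/24-month cadence, the 45-day lead, the 5-business-day notice and the sample vendors are all assumptions chosen for illustration.

```python
"""Risk-tiered vendor reassessment scheduler (added illustration, not Whistic code)."""
from calendar import monthrange
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Assumed policy: reassessment cadence per inherent-risk tier, in months.
CADENCE_MONTHS = {"high": 12, "medium": 18, "low": 24}
# Assumed: when a contract renewal is known, the review lands 45 days before it.
RENEWAL_LEAD_DAYS = 45
# Assumed: the internal team is told this many business days before the email goes out.
TEAM_NOTICE_BUSINESS_DAYS = 5


@dataclass
class Vendor:
    name: str
    risk: str                             # "high" | "medium" | "low"
    last_assessed: date
    contract_renewal: Optional[date] = None
    manual_next: Optional[date] = None    # per-vendor override of the default program
    active: bool = True                   # False = relationship ended, do not send


def add_months(d: date, months: int) -> date:
    """Advance d by whole calendar months, clamping the day to the target month's length."""
    year, month0 = divmod(d.month - 1 + months, 12)
    year += d.year
    month = month0 + 1
    day = min(d.day, monthrange(year, month)[1])
    return date(year, month, day)


def subtract_business_days(d: date, n: int) -> date:
    """Step back n weekdays (Mon-Fri). Weekends are skipped; public holidays are not modelled."""
    while n > 0:
        d -= timedelta(days=1)
        if d.weekday() < 5:
            n -= 1
    return d


def next_questionnaire_date(v: Vendor) -> date:
    """Hybrid rule: manual override wins; otherwise the risk-tier cadence date,
    pulled forward to (renewal - 45 days) when the renewal would arrive first."""
    if v.manual_next is not None:
        return v.manual_next
    if v.risk not in CADENCE_MONTHS:
        raise ValueError(f"unknown risk tier {v.risk!r} for vendor {v.name}")
    due = add_months(v.last_assessed, CADENCE_MONTHS[v.risk])
    if v.contract_renewal is not None:
        due = min(due, v.contract_renewal - timedelta(days=RENEWAL_LEAD_DAYS))
    return due


def build_schedule(vendors: List[Vendor]) -> List[Tuple[str, date, date]]:
    """Return (vendor name, send date, team notice date) for active vendors, earliest first."""
    rows = []
    for v in vendors:
        if not v.active:            # the "turn it off before it fires" case
            continue
        send = next_questionnaire_date(v)
        rows.append((v.name, send, subtract_business_days(send, TEAM_NOTICE_BUSINESS_DAYS)))
    return sorted(rows, key=lambda r: r[1])


def needs_notice_today(schedule, today: date) -> List[str]:
    """Vendors whose team-notice window is open and whose questionnaire has not gone out yet."""
    return [name for name, send, notice in schedule if notice <= today < send]


def overdue(schedule, today: date) -> List[str]:
    """Vendors whose send date has passed; a missed assessment if nothing was sent."""
    return [name for name, send, _ in schedule if send < today]


# Constructed sample catalog (fictional vendors, chosen to exercise each rule).
SAMPLE_VENDORS = [
    Vendor("payroll-saas", "high", date(2017, 3, 1), contract_renewal=date(2018, 2, 28)),
    Vendor("analytics-plugin", "medium", date(2017, 1, 31)),
    Vendor("swag-printer", "low", date(2016, 6, 15), active=False),
    Vendor("crm-integration", "high", date(2017, 6, 1), manual_next=date(2018, 1, 8)),
]

if __name__ == "__main__":
    for name, send, notice in build_schedule(SAMPLE_VENDORS):
        print(f"{name:18} send {send}  warn team {notice}")
```

In the sample, payroll-saas would be due on 2018-03-01 by cadence alone but is pulled forward to 2018-01-14 by its February renewal, the inactive swag-printer never appears, and crm-integration keeps its manually set date regardless of tier. Feeding a real catalog through `overdue` against today's date is the quickest way to see how many annual reviews a spreadsheet-based process has already missed.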

When you combine this functionality with the bulk import and scheduling functionality discussed above, the future of vendor risk assessments at your company will seem much less daunting. Whistic doesn’t just send a single email and assume your vendor will respond; the platform sends a series of email reminders tailored to the vendor’s progress until they have completed the process. With a system that captures vendors and triggers security reviews during procurement, and a platform that automates ongoing reassessment based on risk level and contract renewal date, you’ll be able to focus more of your time and energy on protecting your company and customer data.

For scaling enterprises, the key is to reduce the number of opportunities for missed assessments and to identify any potential red flags as early as possible. By scheduling existing vendor assessments automatically and by taking a proactive approach to matching the assessment to the risk level, your organization can rest assured that Whistic will automatically trigger reassessments so your InfoSec team can focus on better understanding and mitigating the risks that exist in your ever-growing vendor network.

Ready to Learn More?

Check out our resources below for more third party vendor best practices and insights on how your organization can effectively approach security assessments.


Why Third Party Security is Critically Important
