Vendor Risk Management is a hot topic, especially once you realize that many of the most high-profile data breaches originate with vendors or third parties (think of the widespread impact of the SolarWinds attack). Consider the financial impact alone: experts estimate the average cost of a data breach in 2021 at $4.37m. Companies of all sizes and industries need Vendor Risk Management because all it takes is one mistake by one vendor or third party and attackers potentially have access to all of your company data.
Companies that take Vendor Risk Management seriously send out questionnaires to all their new vendors to find out what they are doing to protect their data. But are they doing this in the most efficient way?
In our experience, there are 3 major challenges companies have with handling Vendor Risk Management. We face them at Ostendio too: every time we sign a new customer, their security team asks us to fill out a new Vendor Risk Management questionnaire. This is a good sign for the industry, showing that companies are taking Vendor Risk Management seriously, but the downside is that the differences between questionnaires lead to a time-consuming process for those not using an Integrated Risk Management (IRM) platform like MyVCM. And if you are not using a tool like MyVCM, it isn’t always easy to get your vendors to participate in your data security program.
Simplify Third-Party Risk Management and Vendor Risk Management using a tool like Ostendio MyVCM
What is a Vendor Risk Management Assessment?
Vendor Risk Management questionnaires can be in the form of a one-page narrative or, at the other extreme, a 20-tab Excel spreadsheet with 20 questions per tab. I’m sure this sounds familiar to many busy CISOs. If you are lucky, your customer is using a common format such as Shared Assessments, or at least questions drawn from a security framework like NIST CSF. But too often, Vendor Risk Management assessments include many proprietary requirements that are specific to the requesting organization. This means vendors have to provide individual responses, question by question, in order to complete the requested information.
While many organizations have tried to solve this problem through a combination of Professional Services and centralized questionnaire responses (e.g. CyberGRX), or by trying to standardize the questions (e.g. Shared Assessments), nothing addresses the root of the problem: how to map internal processes onto the customer’s assessment. Organizations need a way to build internal controls and map them to any format as it comes in. The problem is compounded when customers also require vendors to have passed a SOC 2 or other security audit, since even meeting that requirement can still be followed by a request for a Vendor Risk Management assessment. This is especially frustrating for CISOs who have already gone through a security audit and now need to map those audit controls to a customer-designed form.
Fix the 3 most common Vendor Risk Management challenges with Ostendio MyVCM
Using a tool, like Ostendio MyVCM, helps companies address the 3 most common Vendor Risk Management challenges and makes answering questionnaires a streamlined and efficient process for any busy CISO.
Challenge 1 - The staffing and expert help required to answer assessments
Some companies choose to use Professional Services experts to complete Vendor Risk Management questionnaires, which can be time-consuming and expensive. The experts must manually map each inbound assessment onto data already held by the organization, and external Professional Services individuals are unlikely to be familiar with an organization’s internal controls, which slows the work further.
Challenge Solved with Ostendio MyVCM
By using MyVCM, organizations build a robust data security and risk management program that is always on and ready to respond to vendor risk assessments. MyVCM stores an organization’s documentation and evidence that shows the policies the company follows in order to pass security audits and meet the requirements of various standards and frameworks. When a vendor assessment is requested, the MyVCM customer can map the evidence held in the MyVCM instance with the relevant questions. Vendor Risk Management questionnaires can be completed quickly and there is no need for external staffing.
Challenge 2 - Maintaining a centralized vendor assessment repository
While it may appear to make sense to have a Centralized Vendor Assessment Repository where a company can store all of its vendor responses and allow customers to source this information, the reality is that questionnaires require information in different formats and customers are not happy to use a centralized resource. In addition, such a repository is offline, so the information quickly becomes stale and out of date. The level of effort to maintain this information at a separate location is often greater than the problem it is solving.
Challenge Solved with Ostendio MyVCM
By using Ostendio MyVCM to build your data security and risk management program, data is stored on the platform and updated and available in real time, so questionnaires always include the most up-to-date information. This means there is no need for a separate centralized vendor assessment repository because MyVCM holds the latest information, complete with version control and approvals. MyVCM also makes it simple to respond to customized assessments by mapping information already maintained on the platform to the customer questionnaire. For example, if the MyVCM user has already completed a SOC 2 audit, evidence and documentation from that security audit can be mapped to the questions in a vendor risk assessment. This saves time, effort, and money when completing a vendor risk assessment.
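To make the mapping idea from the last two paragraphs concrete, here is an added Python sketch (not Ostendio’s code, and not how MyVCM is implemented): a control library keyed by framework reference answers questionnaires that arrive in different layouts, flags proprietary questions that nobody has mapped, and flags evidence that has gone stale. The control IDs, dates and questionnaire layouts are constructed for the example.

```python
from datetime import date

# Constructed sample control library, keyed by framework reference (NIST CSF
# IDs, chosen as an assumption): the policy satisfying it, the supporting
# evidence, and when that evidence was last refreshed.
CONTROLS = {
    "PR.AC-1": {"policy": "Access Control Policy v3",
                "evidence": "MFA enforcement export", "evidence_date": date(2021, 6, 1)},
    "PR.DS-1": {"policy": "Data Protection Policy v2",
                "evidence": "SOC 2 Type II report, CC6.1", "evidence_date": date(2021, 3, 15)},
    "RS.RP-1": {"policy": "Incident Response Plan v4",
                "evidence": "IR tabletop exercise notes", "evidence_date": date(2020, 11, 2)},
}

# Two constructed inbound questionnaires in different layouts (flat list vs.
# multi-tab export); question 3 is proprietary with no framework reference.
CUSTOMER_A = [{"id": "1", "ref": "PR.AC-1"}, {"id": "2", "ref": "RS.RP-1"}, {"id": "3", "ref": None}]
CUSTOMER_B_TABS = {"Access": [{"id": "A1", "ref": "PR.AC-1"}],
                   "Data": [{"id": "D1", "ref": "PR.DS-1"}]}
AS_OF = date(2021, 7, 1)  # constructed "today" for the staleness check

def flatten_tabs(tabs):
    """Normalise a tabbed export ({tab: [question, ...]}) into one flat
    list so every layout goes through the same mapping step."""
    return [{"id": f"{tab}:{q['id']}", "ref": q.get("ref")}
            for tab, qs in tabs.items() for q in qs]

def answer_questionnaire(questions, controls, today, max_age_days=180):
    """Fill each question from the control library by framework reference.
    Returns the answer rows, the ids of questions nobody has mapped yet
    (they need a manual answer), and the references whose evidence is
    older than max_age_days (stale, as an offline repository would be)."""
    rows, unmapped, stale = [], [], []
    for q in questions:
        ctrl = controls.get(q.get("ref"))
        if ctrl is None:
            unmapped.append(q["id"])
            rows.append({"id": q["id"], "answer": None, "evidence": None})
            continue
        if (today - ctrl["evidence_date"]).days > max_age_days:
            stale.append(q["ref"])
        rows.append({"id": q["id"], "answer": ctrl["policy"], "evidence": ctrl["evidence"]})
    return rows, unmapped, stale

if __name__ == "__main__":
    for name, qs in (("Customer A", CUSTOMER_A), ("Customer B", flatten_tabs(CUSTOMER_B_TABS))):
        rows, unmapped, stale = answer_questionnaire(qs, CONTROLS, AS_OF)
        print(name, "answered:", sum(r["answer"] is not None for r in rows),
              "unmapped:", unmapped, "stale:", stale)
```

The unmapped and stale lists are the two things a CISO actually has to act on; everything else is answered from evidence that is already maintained.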
Challenge 3 - Using a common assessment format
While services like Shared Assessments have become popular over the past few years, completing them is still a manual process. Fundamentally, a Shared Assessments questionnaire is still a spreadsheet, and while it standardizes many of the controls and aligns them with a framework like NIST CSF, not everyone in an organization uses it, and there is still often a desire to customize it and add proprietary questions.
Challenge Solved with Ostendio MyVCM
MyVCM is a fully integrated risk management platform that includes all employees in building a culture of security in an organization. It does away with the need for manually completing forms and questionnaires and makes spreadsheets redundant.
Protecting customer data by completing a vendor risk assessment
When customers use the industry-leading MyVCM platform they are automatically part of the MyVCM Trust Network. The MyVCM Trust Network™ connects organizations with their vendors to help them safely share security information. MyVCM Trust Network members can invite their vendors to complete custom risk assessments and share information easily and in real-time.
This allows vendors to demonstrate compliance to their customers in a real-time, always-on fashion, easing sales processes and reducing compliance burdens.
Companies can mandate that vendors share their compliance information directly with them via the Ostendio MyVCM platform. This dramatically reduces the risk of vendor-related data breaches.
MyVCM Vendor Connect creates a living ecosystem of vendor assessments. Companies can invite vendors to create and maintain online records of their security and compliance readiness via assessments. Responses link to supporting documentation that is easily accessed and kept up to date. Companies can designate assessments to vendors based on specific regulations, or tailor them to their specific requirements. Learn more about managing your Vendor Risk by scheduling a time to speak to an expert at Ostendio.
Not sure where to start?
The NIST Guide can help. We can also provide you with a free copy of Ostendio’s password policy, as an example. Just contact us at firstname.lastname@example.org.
Webinar: Pass Your Audit First Time
Watch this on-demand webinar to learn more about best practices for a successful security audit.