Most of today’s organizations, small to large, have outsourced some of their business functions to third-party vendors. Working with outside vendors has become standard practice, whether for efficiency, convenience, cost reduction, or to let the organization focus on doing what it does best. The thing is, third parties require access to data. And that opens the door to risk. Psst, want to mitigate that risk? Automate your vendor risk management (VRM).
Mastercard’s State of Third Party Risk Management report indicates that 31% of third parties are considered a significant risk in the event of a breach. Yet, only 79% of organizations have formal programs to manage this vendor-based risk. However, with breaches continuously reported in the news, it’s no surprise that more than 60% of organizations said managing vendor security risk is a growing priority.
But with the company’s reputation on the line, how can organizations reap the benefits of outsourcing but still ensure the vendor does not pose a vulnerability? Can organizations truly trust their vendors? How can they ensure third-party vendor risk management? That’s where Vendor Risk Management and Security Compliance come in. Keep reading to learn how to manage security risk with your vendors, from anecdotes, the masters in Compliance automation.
VRM - vendor risk management - focuses on assessing and mitigating risks associated with vendors in your supply chain. Unfortunately, in today’s volatile cybersecurity environment, accepting a vendor’s self-attestation of security is not enough, making the vetting of vendors necessary. VRM allows organizations to manage which third parties they work with, the extent that they work with them, and which of the organization’s vendors have implemented sufficient security controls.
The goals of a vendor risk management program vary based on a company’s:
The general need for VRM security is growing. After all, data crosses multiple international and technical boundaries. With every publicized breach, changing security and privacy regulations, an ongoing remote workforce, and a continuously expanding tech stack, an organization’s exposure is increasing rapidly.
Trust is paramount in business, and organizations must take steps to become worthy of trust. An essential step in building trust is Security Compliance, in which an organization meets various standards, whether federal, state, industry, or practice-focused, to protect its data. When focused on IT or enterprise-level controls, Security Compliance provides assurance that an organization can protect its data and that its controls address regulatory requirements, such as HIPAA for healthcare, SOC2 for the US market, or GDPR for the European market.
Trust building for vendor risk management and Compliance often overlap. For example, an organization usually needs to demonstrate Security Compliance for a specific purpose, i.e., to do business in a new market, meet strict privacy laws, or build greater trust with a targeted customer. Oftentimes, being compliant with specific frameworks requires the organization to perform vendor risk management as part of its protocols. Once this trust is established, organizations must take the next step and proactively demonstrate that worthiness to others. Meeting specific frameworks or implementing a VRM program indicates to others that your organization has done its homework, so it is important to communicate this. It’s a forward-facing step that shows that we’ve assessed our own house and supply chain as trustworthy, and now the outside world can trust us too.
But achieving this level of transparency and trust is not so simple. Kerwyn Velasco, Senior Product Marketing Manager at anecdotes, highlights some key challenges inherent in the traditional Security Compliance process. “We’ve traditionally relied on people to manage the process. There are endless manual tasks and Excel spreadsheets that need to be managed. But sometimes the people we have don’t have the right skill set, or the talent is hard to retain and the control owner is missing.” A 2022 anecdotes survey supports this sentiment: 88% of Compliance leaders find themselves facing loads of obstacles in implementing and growing their Security Compliance program. The challenges that most commonly keep them up at night include issues such as lack of manpower (47%) and lack of automation (42%).
Jake Bernardes, VP Security & Compliance at Whistic, believes that there are cultural, technical, and Compliance-related challenges regarding effective vendor risk management. Depending on the organization, managing vendor risk may be the responsibility of Legal, GRC, Procurement, or Security. He says, “It’s about getting the right people with the right skills to own this function so you can speak a common language. It’s about getting the right tech in place to automate so we can be efficient and effective. And it’s about finding the best way for the GRC function to move forward and accomplish their goals.”
In 2023, the impetus to act is becoming stronger – both for the vendor being evaluated and the organization doing the evaluation. While the onus is on the evaluator to ensure the vendor is up to par, the benefit for the vendor is clear. Compliance is a sales tool today, as it has become synonymous with trust, and it speeds up the cycle. Bernardes gives a clear comparison: “If I send you a questionnaire with 300 questions and it takes you eight weeks to respond after having to hire an outsourced consultant versus you saying, ‘here’s the URL to see all my data, let me know if you have any further questions,’ clearly the sales cycle will be much quicker.”
Security Compliance and VRM have multiple synergies regarding the need for technology and automation. Forward-thinking organizations recognize which of their processes are not working and create new ones that are automated. That means having the right processes in place instead of throwing more people at the problem. It may also mean getting rid of the 200-page questionnaires and being transparent on an open platform. Transparency means minimizing self-attestations, taking an automated, evidence-based approach to meeting Compliance goals, and proving that your organization is a reliable and trustworthy partner. In addition, when Security Compliance and VRM work together, communication about automating vendor management and controls is improved, any required remediation can be handled jointly, business priorities can be clarified, and trust is ensured.
This strategy of ensuring that Security Compliance and VRM work together has led to a powerful partnership between anecdotes and Whistic. anecdotes is a Security Compliance automation OS that uses data as the underlying force behind all decisions. It allows companies to align with frameworks across multiple domains, perform user access reviews, determine their risk management strategy, understand the relationship of controls to policy decisions, and is the mainstay for Compliance leaders to showcase their work within the organization and share it with auditors. As data is central to the platform, anecdotes supports more than 100 first-party integrations, including Whistic.
Whistic is a three-part platform that allows organizations to assess the vendors in their supply chain and make security-based decisions about working with these vendors. It enables companies to share their security posture, with a selected degree of transparency, with potential customers. It acts as a marketplace where vendors can publicly share their profiles and posture for anyone looking to hire new vendors.
Together, anecdotes and Whistic powerfully automate vendor risk management and Security Compliance to facilitate trust. anecdotes automates the organization’s Compliance posture, and then Whistic allows that organization to share it with the world. For more information, watch our webinar about building trust through Compliance and Vendor Risk Management automation, where Jake Bernardes, VP Security & Compliance at Whistic, and Kerwyn Velasco, Senior Product Marketing Manager at anecdotes, discuss the intersection between VRM and Security Compliance and how both can be leveraged to build trust with partners.