In an ongoing effort to secure their organizations, CISOs are continually challenged with an ever-expanding list of vendors and the vendor risk that comes with it. In fact, 75% of mid-sized companies and enterprises expect their vendor list to grow by 20% or more in the coming years, while only 38% are very confident that they know the number of vendors with privileged access to their systems.

When iterating on a VRM process or system, start with the end in mind. Defining where you and your team need to go as your vendor list expands creates a framework for assessing which VRM tools are necessary to augment your team's capabilities.

Deloitte recommends starting with these three facets of your VRM process and strategy:

  1. The business requirements in terms of the problem that needs to be solved
  2. The areas of risk within the lifecycle
  3. The types of third parties that need to be managed

Mapping your business needs and processes to a platform solution allows you to reframe the tools you’re looking to integrate as a means to augment your already defined strategy, rather than defining your strategy around a tool you’ve already bought. 

Critical features for a supply chain/vendor risk management solution 

Risk assessment process and workflows

The ability to organize vendors, their services, and contracts into different tiers of risk. Ensure that the platform supports customization for detailed assessment of the risks associated with each vendor, their services, and the level of access they require. The platform must also be able to assess these impacts against your organization's compliance requirements and prioritize each vendor based on the level of risk they bring. Lastly, your VRM platform should be able to map vendors and their risks to controls, owners, remediation actions, business entities, performance metrics, and other related objects.

With a VRM solution, or an IRM solution with VRM capabilities like CyberStrong, risk tiering is shown through scoring and color coding that represent the levels of risk.

Platforms such as CyberStrong provide environments to store a list of contracts and to score risk and compliance for each contract.

In the case of primary contractors needing to assess their own subcontractor supply chain, a strong VRM solution will be able to support the assessment of the entire supply chain. As seen in the CyberStrong screenshot, users can distribute assessment questionnaires and manage those assessments through the platform. 

A strong VRM platform such as CyberStrong will provide the flexibility to support any mandate as well as custom hybrid frameworks. 

It is critical that any VRM solution you select supports your entire team. Make sure that your solution allows your organization to communicate and share information about vendor risks and remediation.

Capable VRM and IRM platforms such as CyberStrong empower team collaboration with control assignment notifications, due dates and scheduling, assessment owners, and team access.

Contract management

A VRM solution must support the creation and maintenance of contracts and services associated with a vendor, and the ability to assess the controls and risks associated with each. Ensure that your VRM solution provides a central location to access these; CyberStrong offers evidence attachment to give your team easy access.

Control assessment and monitoring

Any VRM solution needs to provide the ability to assess the effectiveness of controls and carry out ongoing monitoring of vendor risks. At a minimum, a solution must support the workflow for the application's other functions, such as exception management and reporting.

Your VRM solution should provide a comprehensive dashboard to show the effectiveness of the controls you put in place as well as the compliance status of each. As you go about implementing your VRM process, ensure that your VRM platform can task out actions with notes and automated reporting to streamline your team.

(One-click SSP (System Security Plan), POAM (Plan of Action and Milestones), and RA (Risk Assessment) reports, Executive Risk Report, Trend Report, GDPR Report, Overview Report)

Exception management

The ability to manage vendor risk exceptions in relation to control requirements, the compensating controls to mitigate risks, and periodic reviews of whether exceptions are still required.

In the CyberStrong platform, you can use the N/A feature to exclude controls for specific vendors.

The ability to see the IT VRM status as of an earlier time, such as a past quarter or year. Make sure you establish early in a vendor relationship when the vendor will snapshot their status in your VRM solution, and that the solution has the capabilities to do so.

Access and user controls

The ability to provide roles for personalized access to an IT VRM application, and to assign relationships between job roles and individuals, and between risks and controls. A strong VRM solution such as CyberStrong will allow you to build teams with Admin, Manager, and Collaborator access levels and permissions.

Remediation management

The recording of action plans to identify control failures and other VRM deficiencies, and to track those plans to fulfillment. The CyberStrong platform uses a spider graph to visualize the current state of a vendor's profile against the desired scores. This 'always on' remediation plan increases transparency between both parties and is an easily accessible visualization they can report against.

Vendor performance management

The ability to collect performance data and assess it against expected service levels and deliverables. For example, CyberStrong allows you to benchmark your current control set against a ‘Magic Cookie’ target. This lets you know whether vendors are improving and ensures a plan of action is always in place to remediate.

Third-party content delivery

This includes news feeds, ownership structures, fines, safety violations and financial performance, risk-related alerts, and risk ratings. Foundationally, ensure that your solution allows you to attach documentation so it serves as a central storage location for your team.

Vendor profile management

The ability to import vendor and related contract (engagement) data from other systems, or to input it manually; the ability to collect and organize intelligence about vendors; the ability to manage vendor documentation and other content; and vendor self-service capabilities that enable vendors to maintain and update information themselves. Your VRM solution should allow vendors to access and manage their own profiles to an extent.

Future-proofing your VRM solution

With artificial intelligence augmenting security teams more and more, consider exploring VRM solutions that integrate some form of artificial intelligence. The CyberStrong platform uses patented AI and machine learning to provide a live threat feed and remediation suggestions tailored to your organization and prioritized by impact.

With more and more peripheral competencies being outsourced by enterprises, a strong VRM solution is critical. This goes beyond regulations such as DFARS. As security becomes a selling point for organizations, the security of your network of vendors becomes all the more critical. By connecting your VRM program to the goals of other business units, you more easily get buy-in from senior leadership and ensure that the enterprise stays secure.

Read more about the value of an integrated risk management approach and the critical capabilities of an IRM solution in the CyberSaint IRM Solution Buying Guide.
