The Vendor Risk Management Software Buyer's Guide
In an ongoing effort to secure their organizations, CISOs are continually challenged with an ever-expanding list of vendors and vendor risk. In fact, 75% of mid-sized companies and enterprises expect their vendor list to grow by 20% or more in the coming years, while only 38% are very confident that they know the number of vendors with privileged access to their systems.
When iterating on a vendor risk management (VRM) or supply chain risk management (SCRM) process or system, start with the end in mind. Defining where you and your team need to go as your vendor list expands creates a framework for assessing the VRM tools needed to augment your team's abilities.
Deloitte recommends starting with these three facets of your VRM process and strategy:
The business requirements in terms of the problem that needs to be solved
The areas of risk within the lifecycle
The types of third parties that need to be managed
Mapping your business needs and processes to a platform solution allows you to reframe the tools you’re looking to integrate as a means to augment your already defined strategy, rather than defining your strategy around a tool you’ve already bought.
As a foundation, ensure that any VRM solution you consider has these critical features to empower your team:
Risk assessment process and workflows
Risk assessment processes and workflows give organizations the ability to organize vendors, their services, and contracts into different tiers of risk.
Ensure that the platform supports customization for detailed assessment of risks associated with each vendor, their services, and the level of access they require.
The platform must also be able to assess these impacts against your organization's compliance requirements and prioritize each vendor based on the level of risk they bring. Lastly, your VRM platform should be able to map vendors and their risks to controls, owners, remediation actions, business entities, performance metrics, and other related items.
With a VRM solution, or an IRM solution with VRM/SCRM capabilities such as CyberStrong, risk tiering is shown through scoring and color coding that represent levels of risk.
Platforms such as CyberStrong provide environments to store a list of contracts and score risk and compliance for each contract.
A strong VRM platform such as CyberStrong will provide the flexibility to support any mandate as well as custom control sets and hybrid frameworks.
It is critical that any VRM solution you select supports your entire team. Make sure that your solution allows your organization to communicate and share information about vendor risks and remediation.
Capable VRM platforms/IRM platforms such as CyberStrong empower team collaboration with control assignment notification, due dates/scheduling, assessment owners, and team access.
A VRM solution must support the creation and maintenance of contracts and services associated with a vendor, and the ability to assess the controls and risks associated with each. Ensure that your VRM solution can provide a central location to access these - CyberStrong offers evidence attachment to allow your team easy access.
Control assessment and monitoring
Any VRM solution needs to provide the ability to assess the effectiveness of controls and carry out ongoing monitoring of vendor risks. At a minimum, a solution must support the workflow for the application's other functions, such as exception management and reporting.
Your VRM solution should provide a comprehensive dashboard to show the effectiveness of the controls you put in place as well as the compliance status of each. As you go about implementing your VRM process, ensure that your VRM platform can task out actions with notes and automated reporting to streamline your team's work.
Automated and instantly available reporting: one-click SSP, POAM, and RA reports, as well as an Executive Risk Report, Trend Report, GDPR Report, and Overview Report.
The ability to manage vendor risk exceptions in relation to control requirements, the compensating controls to mitigate risks, and periodic reviews of whether exceptions are still required.
The ability to see the IT VRM status at an earlier point in time, such as a past quarter or year. Make sure you establish early on in a vendor relationship when they will snapshot their status in your VRM solution and that they have the capabilities to do so.
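As an added illustration of the tiering and exception-review capabilities described above (this is example code, not part of the guide or of any product), the following models a small vendor register: each vendor's inherent risk is scored from its access level and the sensitivity of the data it handles, mapped to a color-coded tier, and any documented control exception carries a compensating control and a periodic review date. The scoring weights, tier thresholds, and vendor names are assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Assumed scoring model (not from the guide): inherent risk = access level x data sensitivity.
ACCESS = {"none": 1, "standard": 2, "privileged": 3}
SENSITIVITY = {"public": 1, "internal": 2, "confidential": 3}
# (minimum score, tier name, color); checked from highest to lowest.
TIERS = [(6, "Tier 1", "red"), (3, "Tier 2", "amber"), (0, "Tier 3", "green")]


@dataclass
class RiskException:
    control: str               # control requirement the vendor does not meet
    compensating_control: str  # what mitigates the gap in the meantime
    review_every_days: int     # periodic review interval
    last_reviewed: date


@dataclass
class Vendor:
    name: str
    service: str
    access: str        # key of ACCESS
    sensitivity: str   # key of SENSITIVITY
    exceptions: list = field(default_factory=list)


def inherent_score(vendor: Vendor) -> int:
    """Inherent risk score in the range 1..9 under the assumed model."""
    return ACCESS[vendor.access] * SENSITIVITY[vendor.sensitivity]


def tier(vendor: Vendor) -> tuple:
    """Map the score to a (tier name, color) pair for dashboard display."""
    score = inherent_score(vendor)
    for minimum, name, color in TIERS:
        if score >= minimum:
            return name, color
    return TIERS[-1][1], TIERS[-1][2]


def prioritize(vendors: list) -> list:
    """Highest inherent risk first, so assessment effort goes to Tier 1 vendors."""
    return sorted(vendors, key=inherent_score, reverse=True)


def exceptions_due(vendor: Vendor, today: date) -> list:
    """Controls whose exception has passed its periodic review date."""
    return [e.control for e in vendor.exceptions
            if e.last_reviewed + timedelta(days=e.review_every_days) <= today]
```

Constructed vendors such as a payroll provider with privileged access to confidential data land in Tier 1 (red), while a supplier with no system access lands in Tier 3 (green); `exceptions_due` lists the exceptions whose compensating control is overdue for re-justification.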
Access and user controls
The ability to provide roles for personalized access to an IT VRM application, and to assign relationships between job roles and individuals, and between risks and controls. A strong VRM solution such as CyberStrong will allow you to build teams with Admin, Manager, and Collaborator access levels and permissions.
The recording of action plans to identify control failures and other VRM deficiencies, and to track those plans to fulfillment, ideally as an "always on" remediation plan the team can report against at all times.
Third-party content delivery
This includes news feeds, ownership structures, lines, safety violations and financial performance, risk-related alerts, and risk ratings. Foundationally, ensure that your solution allows you to attach documentation as a central storage location for your team.
Vendor performance management
The ability to collect performance data and assess it against expected service levels and deliverables. For example, the CyberStrong platform allows you to benchmark your current control set against a 'Magic Cookie' target (see graph above). CyberStrong benchmarking also gives you insight into how vendors are improving, allowing you to further optimize your VRM process and program.
Vendor profile management
The ability to import vendor and related contract (engagement) data from other systems, or to input it manually; the ability to collect and organize intelligence about vendors; the ability to manage vendor documentation and other content; and vendor self-service capabilities that enable vendors to maintain and update information themselves. Your VRM solution should allow vendors to access and manage their own profiles to an extent.
Artificial Intelligence (AI) in VRM and IRM
With artificial intelligence augmenting security teams more and more, consider exploring VRM solutions that integrate some form of artificial intelligence. The CyberStrong platform uses patented AI and machine learning to provide a live threat feed and remediation suggestions tailored to your organization and ordered by impact.
With more and more peripheral competencies being outsourced by enterprises, a strong VRM solution is critical. This goes beyond regulations such as DFARS. As security becomes a selling point for organizations, the security of your network of vendors becomes all the more critical. By connecting your VRM program to the goals of other business units, you more easily get buy-in from senior leadership and ensure that the enterprise stays secure.