Be Proactive with Vendor Management — Not Reactive
If you’re a company that uses a third party for an information security-related function within your business (and with nearly 77 percent of companies using at least one, it’s likely that you are), then you’re aware of the obligation you have to protect your customers’ data as well as your own. It’s not just a good business decision — it’s quickly becoming the law. More and more U.S. states are hopping on the GDPR train, developing and quickly implementing their own consumer privacy acts and legislation.
And while privacy and security are absolutes, you still have a business to run. It can be difficult to keep up with all of the new requirements and policies being put into place, especially when you’re trying to both keep your customers happy as well as find new technology solutions that make your internal workflow easier and more efficient.
It’s because of this that many companies defer to vendor management questionnaires that have already been developed, even though they may not cover questions that are critical to their operations (or ask questions that have no connection whatsoever). Not only is this practice putting your organization in harm’s way, but it’s also putting your customers in harm’s way, too. Reviewing vendors against criteria that aren’t specific to your business doesn’t help you or give you a good understanding of the vendor.
Let’s take a look at six vendor management best practices that companies looking to hire third parties for technology or information security support can use to save time and make the process more efficient overall.
Say you’re looking for cloud-based storage. Great! This saves your company on servers and other storage solutions by outsourcing. But there are literally hundreds to choose from. Is it really worth your time to build a list and have a vendor manager send his or her questionnaire to all of them? No.
Scoping helps to define the type of vendor that you need based on the services that you’re looking for. Business leaders should be engaged in this process with the guidance of IT and information security teams. In this example, how your data is stored and accessed matters. Understanding how a vendor does that (ahead of issuing a more detailed questionnaire) will help you know if this vendor is a good fit.
Our next vendor management best practice is simply the art of talking. The vendor management process cannot and should not be a paper trail or email chain. Meaningful conversations need to take place within your organization and with the vendors you’ve identified through the scoping process. By properly scoping prospective vendors, you’ll have a better idea of who you could be working with. From there, they should be discussed internally, with any red flags, concerns, or specific questions being determined prior to a questionnaire being issued.
Communicating internally and upfront with your vendor(s) early on in the process is important, but as you get further along, additional risks or concerns may arise that you previously weren’t aware of. Just because something unexpected arises doesn’t mean the vendor should be eliminated from the running or terminated. Collaborate with your vendor. Understand why they do things the way they do. There may be a reason. They may be required to handle information a certain way as part of their business model.
We don’t mean the technology kind of integration. We mean the people kind. If you’re in vendor management or IT, and another internal team or department needs a vendor, it will be extremely valuable to get involved as early as possible. Understand why they need a vendor. Is there another company already approved whose engagement could be expanded? If a new vendor is necessary, work with that department on what the ideal vendor looks like. Use this to refine your search (scoping) as well as your process.
Once a vendor is selected and engaged, one of the most efficient vendor management best practices you can implement is automation. This streamlines the process going forward for you, the department in need, and the selected vendor. What systems do you have in place to help with this? Consider the tooling you have available, and work with IT to understand capabilities. If you have a vendor management platform in place, set up the necessary steps, checks, processes, and so on within it to make your life easier.
Ultimately, the worst thing you can do is to identify a vendor, engage them, and then forget about them. Falling into this trap is far too easy. People get busy and forget to check on the work a vendor is doing — until it’s too late and something important has fallen through the cracks. What is your system for auditing like? Is the vendor able to audit themselves (and should they)? Will on-site reviews be needed? When you receive the initial questionnaire back early on in the process, is it worth following up on it later to ensure the answers are still valid and accurate based on what’s been done?
Expert Support for Expert Solutions
At MRK, we believe in partnership. Our chief information security officers work closely with your organization across multiple departments and levels to ensure vendor management best practices are being followed for the best information security results. More importantly, we help companies become more secure internally first prior to sharing or accepting data from third parties — all as part of a greater, long-term information security strategy.