Have You Been in This Spot?
It’s that moment when you or another leader are sitting at a desk or at a conference room table alongside others staring at a vendor management questionnaire and the realization hits you: this isn’t worth it.
Maybe it’s because there are 300 questions on the list (and you’re only providing networking support — not a comprehensive, fully monitored security program). Maybe it’s because the potential revenue of the new relationship isn’t enough to justify the overhead in having you and other senior leaders strategizing responses.
Whatever the reason, the situation isn’t good. You’re about to jump ship on a new source of revenue for your company. The business that issued the questionnaire is about to get passed over by one of the best tech services companies in the industry (i.e., yours). And it’s all because a new hire with six months of experience got assigned the task of drafting and distributing the vendor management questionnaire.
And That’s Just the Relationship Aspect — Let’s Zoom Out
Dealing with a frustratingly vague questionnaire is just the beginning of the many vendor management challenges facing issuing companies and third parties nowadays. Companies in the U.S. and around the world are navigating new, complex systems of regulation in addition to existing privacy policies and laws.
The arrival of the General Data Protection Regulation (GDPR) in Europe spurred other countries and even U.S. states to follow suit. California, New York, and Ohio have all introduced variations of GDPR — some less forgiving than GDPR itself — to establish similar consumer data privacy systems domestically. These new regulations and policies will require companies looking for third-party support to ask tough questions, which naturally start with vendor management questionnaires.
These regulations didn’t appear out of thin air. The growth of certain technologies and the increase in attacks that exploit their weaknesses and risks means vendor managers have to address them. There are two key reasons for this.
Breaches Are Happening More and More
In fact, they’re almost a daily news headline. Companies and even cities themselves are reporting cyber attacks involving ransomware, phishing, and more. In some cases, everything stops after these attacks. In other cases, entities see no other alternative than to pay to have their data released. To prevent themselves from becoming the next big breach, as well as to ensure those they work with from doing the same, companies are using vendor management as the first step to check for cybersecurity practices and policies. This is important to do, but it’s creating more workload on both sides.
Increased Use of and Reliance on Cloud Systems
“Buy my own servers to host data? Employ extra IT staff to monitor and update those servers? Deal with my own server issues? Why do any of that when I can pay someone else to do it all for me?” Said tens of thousands of businesses in 2018 across multiple industries that are spending millions on average for Cloud-based platforms and services. With greater reliance on someone else managing your data for you comes increased risk.
The Workload is Only Going to Get Heavier
The use of “as-a-service” models and other Cloud-based services and platforms are going to continue increasing as companies rely on more third-parties. Many are even trying to achieve a 100% Cloud-based technology environment. With the world going in this direction, and with the alarming number of cyber-attacks occurring, your vendor management challenges are only going to continue increasing.
That’s why it’s important that efforts be made both on the part of companies issuing vendor management questionnaires for security and on the third parties that respond to them. What can be done to make the vendor management process more efficient yet also clearer and more defined? What steps can be taken internally to ensure the right answers are given and verified?
If you’re an organization seeking to utilize a third-party for a Cloud-based technology service, you have to do your due diligence. This is a given. But it’s important to know what you’re looking for, why it matters, and how to ensure the selected/approved vendor is doing what they said they’ll be doing.
If you’re a company that provides services to the above, it’s important that you navigate the vendor management process efficiently as well — ensuring that the right people are involved, the right questions are being answered, that all risks are being disclosed and discussed, and so on. New relationships depend on vendor management, so making it as clear, accurate, and efficient as possible will help you win those opportunities.
At MRK, we work with companies not only for security, storage, and networking services, but we also help them strategically approach security from the start. Our chief information security officers for hire work hand-in-hand with your leadership team, vendor manager, and other team members to build a comprehensive security program that keeps all the bases covered.
Fill out the form below to learn how our expert CISOs can help you build a security-focused vendor management process as part of an overall security strategy.