How Do I Select Which Vendors to Risk Assess?

by Gary Phipps

The worst thing you can do in the event of a cyber incident is to send every one of your third parties your full assessment. Yet, according to Forrester Research, organizations are twice as likely to perform a third-party security audit AFTER they experience a cyber incident. Obviously, that is a less-than-ideal time.

But incidents aside, how do you know which vendors to assess for cyber risk, especially when you have thousands, or tens of thousands, of vendors?

I hear this question several times a week from clients and prospects who are looking for direction when tackling a vendor risk assessment project. I wish I could provide some very prescriptive advice that could be universally applied to all situations; unfortunately, how (and when) to perform a vendor risk assessment varies from case to case.

Starting Points for Vendor Risk Assessment Direction

When vendor risk management projects get kicked off, they fall into a few different buckets, which gives us a starting point and direction. Your motivations may include:

  1. I need to implement a more efficient and sophisticated pre-contract due diligence process.
  2. I need to risk rank (triage, tier, inherent-risk assess, etc.) my existing vendor ecosystem and determine who I need to assess.

Bucket one seems simple enough. As new vendors are onboarded through procurement, use a vendor risk assessment template to ask the right questions of the business to determine whether the vendor could have any impact on your security posture, and assess its control environment accordingly.

Bucket two: not so simple. Enterprises with large vendor ecosystems already struggle with value chain master data without the additional lift of determining which vendors have access to sensitive data. For the most part, legacy procure-to-pay (P2P) applications do not provide a way to indicate what service is actually being provided by the vendor with any specificity aside from high-level categorizations and commodity codes. These systems represent the point of origin for many of these vendor tiering projects.

If we were to restate the title of this piece based on the last paragraph, it might read “How can I use my legacy P2P data to help me start tiering my vendors?” Start by locating and collecting the assets you do have. While cybersecurity tracking has never been the intended purpose of any of your sourcing, payment or consolidated accounting applications, they CAN provide a starting point.


Identifying Vendors to Assess

Did you know, on average, third parties spend 15,000+ hours each year completing assessment questionnaires and organizations take action on only 8% of the incoming information? That equates to a lot of time and data to process for a small percentage of actionable information.

It's also not surprising that 79% of risk professionals don't feel like they have adequate resources to effectively protect their organizations, or that 50% of organizations rate themselves as ineffective in their vendor due diligence.

So how can we get better at managing risk with the resources we have?

At first, identifying vendors that create cybersecurity exposure is an exercise in exclusion. Assessing vendors' cyber security risk can be an expensive undertaking if you cast your net too wide, so you’ll want to eliminate from your cyber vendor inventory all vendors that do not pose any threat to your data, such as office supplies, transportation, miscellaneous equipment, etc. Commodity codes and financial accounts that are associated with your payables ledger can help you descope large chunks of your vendor inventory, e.g. direct versus indirect spend, and employee reimbursement versus administrative expenses. Many ‘late-model’ sourcing applications have spend-analysis functionality built in, which can make for easier research.

My suggestion?

Offer to buy lunch for your payables business analysts and tell them to bring their laptops. They can help you get a jump start on thinning your vendor herd. Reducing this population to those that necessitate cyber monitoring will make a seemingly insurmountable task an achievable goal. Additionally, having this level of specificity in your project proposal will build credibility in your plan, which can be useful as you head into your next budget meeting.
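The exclusion pass described above, worked as an added example that is not from the original article: a small Python triage script over a constructed vendor-master extract of the kind a payables analyst could pull from a P2P system. The commodity categories, ledger account names, exclusion rules and spend thresholds are all assumptions; substitute your own commodity codes and chart of accounts.

```python
import csv

# Constructed sample vendor-master extract (not real data): vendor,
# commodity category, payables ledger account, annual spend in USD.
VENDOR_MASTER = """vendor,commodity,gl_account,spend_usd
Acme Office Supply,OFFICE_SUPPLIES,6100-INDIRECT,42000
Metro Freight,TRANSPORTATION,6200-INDIRECT,310000
CloudPay HR,SAAS_PAYROLL,6300-IT_SERVICES,890000
Jane Doe,EMPLOYEE_REIMBURSEMENT,2100-EXPENSE_REIMB,1200
DataVault Backup,MANAGED_STORAGE,6300-IT_SERVICES,150000
Shred-It Docs,RECORDS_DESTRUCTION,6400-FACILITIES,9000
"""

# Assumed exclusion rules; map them to your own commodity codes and chart
# of accounts: commodities that cannot touch company data, and ledger
# accounts that hold employee reimbursements rather than suppliers.
NO_DATA_COMMODITIES = {"OFFICE_SUPPLIES", "TRANSPORTATION", "MISC_EQUIPMENT"}
REIMBURSEMENT_ACCOUNTS = {"2100-EXPENSE_REIMB"}


def load_vendors(text):
    """Parse the CSV extract; spend becomes an int for thresholding."""
    rows = list(csv.DictReader(text.splitlines()))
    for row in rows:
        row["spend_usd"] = int(row["spend_usd"])
    return rows


def descope(vendors):
    """Exclusion pass: return (in-scope vendors, {excluded name: reason})."""
    in_scope, excluded = [], {}
    for v in vendors:
        if v["gl_account"] in REIMBURSEMENT_ACCOUNTS:
            excluded[v["vendor"]] = "employee reimbursement, not a supplier"
        elif v["commodity"] in NO_DATA_COMMODITIES:
            excluded[v["vendor"]] = "commodity cannot access data"
        else:
            in_scope.append(v)
    return in_scope, excluded


def inherent_tier(vendor):
    """Assumed tiering: IT-service accounts are tier 1 above a spend
    threshold and tier 2 below it; other in-scope vendors are tier 3."""
    if vendor["gl_account"].endswith("IT_SERVICES"):
        return 1 if vendor["spend_usd"] >= 500_000 else 2
    return 3


def triage(text=VENDOR_MASTER):
    """Return {vendor: tier} for the vendors that still need assessing."""
    in_scope, _ = descope(load_vendors(text))
    return {v["vendor"]: inherent_tier(v) for v in in_scope}
```

Keeping the exclusion reasons alongside the surviving list is what gives the project proposal the specificity mentioned above: every vendor dropped from scope carries the ledger or commodity evidence for why.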


The Future of Vendor Risk Assessments

Narrowing down the vendors you want to risk assess can be a time-intensive task, but in the long run it can save your company big dollars. Luckily, the vendor risk assessment process has evolved for the better. New tech advancements enable real-time decision-making that scales along with your business needs. Key advantages include:

Automated Data Collection

By automating the process of data collection, IT teams don't need to spend their time chasing assessments. Instead, they have access to the data they need, when they need it, to make decisions about new or current partners and suppliers.

Threat Modeling

Utilizing a one-to-many approach that democratizes the use of assessment data, companies can shift from reactive to proactive threat assessments by using real-time data to create up-to-date threat models that account for shifting security conditions. Instead of pivoting to a new protective posture after attacks are underway, threat-modeling tools help organizations stay one step ahead of attackers.

Attack Path Mapping

The more businesses know about preferred attack paths, the better equipped they are to take effective action. Given the sheer number of potential compromise pathways, understanding the likely route taken by potential threats makes it possible to shore up protection where it's needed most, and respond quickly if attackers change routes. 

TPRM Platforms

TPRM Platforms catalyze your risk ranking process. Obviously, I am biased towards the CyberGRX Exchange model, which allows you to load your vendor assessment inventory onto the Exchange, immediately showing you the likelihood each of your vendors will suffer a cyber event. You’ll be able to pinpoint risks and gaps in your security faster and more effectively.

I'm also partial to ProcessUnity's Third-Party Risk Management platform with automated workflows to accelerate vendor onboarding. Together, CyberGRX and ProcessUnity take security assessments to the next generation, bringing to market the only integrated solution for third-party and cyber-risk assessments that exponentially increases the number of assessments that can be completed and accessed for analysis, to improve your team's efficiency and give you a more comprehensive view of your risks.

To learn more about how CyberGRX and ProcessUnity can help you identify which third parties to assess and how to better manage your third-party cyber risks over time, request a demo today.

This article was originally published in August, 2018 and was updated in October, 2023 for accuracy and relevancy.