I have 25k vendors. How do I know which vendors to assess for cyber risk?
I hear this question several times a week from clients and prospects that are looking for direction when tackling the vendor risk assessment project. I wish I could provide some very prescriptive advice which could be universally applied to all situations; unfortunately, how to perform vendor risk assessments varies based on the case. Having said that, when vendor risk management projects get kicked off, they fall into a few different buckets which gives us a starting point and direction:
- I need to implement a more efficient and sophisticated pre-contract due diligence process.
- I need to risk rank (triage, tier, inherent-risk assess, etc.) my existing vendor ecosystem and determine who I need to assess.
Bucket one seems simple enough. As new vendors are onboarded through procurement, use a vendor risk assessment template to ask the right questions of the business to determine if the vendor could have any impact on your security posture and assess its control environment accordingly.
Bucket two; not so simple. Enterprises with large vendor ecosystems already struggle with value chain master data without the additional lift of determining which vendors have access to sensitive data. For the most part, legacy P2P applications do not provide a way to indicate what service is actually being provided by the vendor with any specificity aside from high-level categorizations and commodity codes. These systems represent the point of origin for many of these vendor tiering projects.
If we were to restate the title of this piece based on the last paragraph, it might read “How can I use my legacy P2P data to help me start tiering my vendors”? Start by locating and collecting the assets you do have. While cybersecurity tracking has never been the intended purpose of any of your sourcing, payment applications or consolidated accounting applications, they CAN provide a starting point.
At first, identifying vendors that create cybersecurity exposure is an exercise of exclusion. Assessing cyber vendors security risk can be an expensive undertaking if you cast your net too wide, so you’ll want to eliminate all vendors from your cyber vendor inventory that do not pose any threat to your data, e.g. office supplies, transportation, some equipment, etc. Commodity codes and financial accounts that are associated with your payables ledger can help you descope large chunks of your vendor inventory, i.e. direct versus indirect spend and employee reimbursement versus administrative expenses. Many ‘late-model’ sourcing applications will have spend-analysis functionality built in, which can make for easier research.
Offer to buy lunch for your payables business analysts and tell them to bring their laptops. They can help you get a jump start on thinning your vendor herd. Reducing this population to those that necessitate cyber monitoring will make a seemingly insurmountable task an achievable goal. Additionally, having this level of specificity in your project proposal will build credibility in your plan which can be useful as you head into your next budget meeting.
Narrowing down the vendors you want to risk assess can be a time-intensive task, but in the long run can save your company big dollars. Luckily, there are market solutions available that catalyze your risk ranking process. Obviously I am biased towards CyberGRX’s modern TPCRM practice (including the Exchange) which allows you to load your vendor assessment inventory onto the Exchange, immediately showing you the likelihood each of your vendors will suffer a cyber event. You’ll be able to pinpoint risks and gaps in your security faster and more effectively.