Vendor Risk Management

How To Know If You Should “Fire” a Vendor

This is an interesting dilemma, and a question I hear regularly. It goes like this:

“We have a lot of vendors that don’t want to fill questionnaires out at all. What do vendors think of SecurityStudio?”

My answer to this is always the same...

3 or 4 years ago, when vendor risk management programs were largely nonexistent, vendors would push back on security questionnaires. They would dodge, avoid, argue irrelevance, hide, ignore, answer cryptically, lie (in some cases, yes they do), get answers wrong, etc. Basically everyone was trying to avoid having to fill out any information about security programs.

Now that we’re a few years down the road, vendors are used to this, especially in any regulated industry or anyone that works with healthcare orgs, finance, etc. We’re a vendor, and we expect our customers to ask us about our security.

So at this point, if I have a vendor that doesn’t want to give up information about their security, that’s a GIANT red flag for me.

There are only a few reasons for not being forthcoming to a customer or prospect:

  • What the vendor does is highly sensitive, and they have to protect that information from everyone, including customers.
  • The vendor is a big enough company that they don’t need to respond to prospective customers.
  • A security program isn't in place or the vendor doesn’t know how to answer the questions.

Each scenario is bad for me as a risk manager:

  • Even if you say you’re highly secure, it’s my responsibility to make sure. So in scenario one, they would still have to have something they can provide me as evidence that they know what they’re doing. From my side, I can’t just take their word for it. So give me something.
  • Although they’re a huge company (e.g. AWS, Microsoft, Google), they still pose a risk to us.
  • If they avoid or resist, give excuses, or want to argue about why they don’t need to provide us any information, I assume they don’t have a security program.

When deciding if you should “fire” a vendor, there are many things to consider:

  • Someone in your organization likely wants to do business with this vendor.
  • It could be a significant deal for your organization. That adds pressure to push them through.
  • How significant is the risk, and what could happen to you if they get breached?

There are many more factors obviously, but the point is that it is usually extremely hard to fire a vendor that the business wants to work with. If you have the authority to pull that trigger, then I would advise using it sparingly. We enlist the business to help us get the assessment results back if needed, and we prefer to push them into remediation rather than firing them. SecurityStudio makes remediation really easy, so we prefer to just build remediation plans they can work on. That way everyone is winning!

I would only fire a vendor if the answer to all of the following is “yes”:

  • They simply won’t give us information.
  • They argue and avoid enough that they give me the sense that they don’t have a security program.
  • The business has alternative vendors that they can use, and they are ok with the firing.

Short of that, we opt for remediation, or if the vendor won’t cooperate at all, then we opt to have the business grant the vendor a waiver. That way, as a risk manager, I can show that I did my due diligence but that the business decided to pursue the relationship anyway. This is more than just CYA; it’s an important part of the partnership between security and the business. We don’t want to shut them down, we just want to manage our risk. They have the right to accept the risk of a vendor that won’t cooperate. (document, document, document)

The feedback we get regarding vendor willingness to use SecurityStudio has been really good. Yes, we have definitely seen the same types of patterns (avoidance, arguing, ignoring), but that’s what SecurityStudio is built to overcome. Automated reminders, questions written in common language, an appealing interface, etc. all contribute to a positive experience for vendors too. So yes, they have to do something, but the feedback we’re getting is that vendors like the way SecurityStudio works for them. Make it easier for yourself and your company, and schedule your demo for SecurityStudio today!
