In today’s business world, companies are utilizing third-party vendors more than ever before. Naturally, these vendors have a higher level of access to internal systems (containing sensitive data and information) with hopes of increasing the efficiency of services rendered.

The 2018 Ponemon statistics show that at least 56% percent of organizations have experienced a data breach due to a vendor’s security shortcomings.

We’ve reviewed numerous research and media publications to better understand the impact third-party vendors play in companies information security. In this article, you`ll find:

  • The definition of a data breach
  • An overview of key statistics related to data breaches
  • An in-depth look at the top 7 vendor related data breaches to date

Buckle up, this is going to be an eye-opening ride!

The ever-growing reality of data breaches caused by third parties

First, it’s vital to define a data breach.

The term data breach refers to a confirmed incident, in which sensitive, confidential, or otherwise protected data has been accessed and/or disclosed to unauthorized third parties. Data breach exposures may involve personal information, intellectual property, trade secrets, and any other sensitive information.

Collaborating with third-party vendors as trusted partners, creates an increased risk of exposure to a potentially serious data breach. Surveying across diverse industries, the Ponemon Institute concluded that cybersecurity incidents related to third parties are increasing (see the figure below).

Cybersecurity Incidents are Increasing and difficult to manage

65 % of respondents say that it’s hard to manage cybersecurity risks associated with third-party vendors. Also, a significant number of respondents admit they are sharing sensitive data with third parties, while not truly knowing their security policies (see the figure below).

Perceptions about vendors security policies and procedures

The third-party data breach statistics numbers don’t lie

The issue of vendor related data breaches is in constant flux. Numerous surveys have set out to explore the impact. Let’s review some of the key findings and highlights.

  • On average, Companies allow 89 vendors to access their networks weekly. (Bomgar survey)

The survey adds that 71% of respondents are expecting their companies to become more reliant on third parties in the next two years. In turn, this leads to growing security threats to both businesses and employees.

  • The number of data breaches related to third-party vendors has increased by 22% since 2015 (PwC survey)

PwC’s inaugural Digital Trust Insights survey exposes the growing problem and emphasizes the need for building lasting trust around data.

  • 74% believe that third-party vendor selection overlooks potential key risks, with 64% saying that their organization focuses more on cost than security when outsourcing  (Bomgar survey)

The report reveals that many businesses find costs more important than security; however, the authors of the survey argue that “the cost of not taking a potential threat seriously will be far greater than the cost of preventing third-party security risks.”

The numbers don’t lie: companies are impacted daily by breaches involving third-party vendors, threatening the financial stability and reputation of companies across all industries.

While the numbers are alarming and the threat is real, there are proactive steps you can take to be defensible. Why? Read to learn more.

The top 7 vendor-related breaches in history

After carefully examining a myriad of press releases, media and research publications, we compiled a list of some of the most noteworthy data breaches related to a vendor or a third-party. Our ranking considers factors like:

  • The scope of the breach.
  • The impact of the breach on the company and/or the compromised customers.
  • The nature of exposed data (financial and medical data, for instance, is more sensitive).
  • The recency of the incident.
Equifax Breach Meme

1. Equifax

When? 2017

What was leaked? The data ofapproximately 147 million consumers. The hackers accessed sensitive information like names, social security numbers, birth dates, addresses, and in some cases, driver`s license numbers, as well as the credit card numbers of about 209,000 US consumers.

Cost: A total cost of about $1.38 billion, according to the settlement documents (page 1) as quoted by The New York Times.

Vendor breached: The open-source software Apache Struts.

What happened?

Credit monitoring company Equifax reportedly discovered the breach on July 29 but waited for more than a month to warn its shareholders. The hackers exploited a vulnerability in the open-source software Apache Struts, which is a tool used for building web applications. Equifax used Apache Struts to support its online dispute portal – the place, where the company’s customers log issues with their credit reports.

As part of the settlement, you can file a claim to be compensated for the costs of recovering from the security breach — including any costs associated with the theft of your identity and freezing and unfreezing your account– and compensation of unauthorized charges to your banking accounts. The agreement caps payouts at $20,000 per person. Information about how to file a claim is available at Equifax`s website.

2. Target

When? 2013

What was leaked? The payment accounts of about 41 million customers and the personal details of around 70 million. Resulting in an estimated 110 million affected parties.

Cost: About $236 million in total expenses and more than 140 lawsuits filed against the company.

Vendor breached: A third-party HVAC vendor.

What happened?

According to the state`s investigation, the cyber attackers managed to access Target`s computer gateway by stealing credentials from a third-party HVAC vendor. These credentials helped the hackers exploit weaknesses in the company’s system, enter the customer service database, and install malware. The attackers accessed sensitive data such as full names, emails, credit card numbers, verification codes and more, as USA Today and other media outlets reported at the time.

The retailer had to pay an initial multi-state settlement of $18.5 million to cover state-specific costs associated with their investigations of the breach. Additionally, Target agreed to pay up to $10,000 to consumers who could prove their data was compromised.

3.  Home Depot

When? 2014.

What was leaked? The incident compromised the credit card data of roughly 56 million customers, as well as separate files containing approximately 53 million email addresses. An estimated 109 million consumers were affected.

Cost: About $179 million.

Vendor breached: The attackers used a Home Depot`s third-party vendor’s login credentials to install memory scraping malware on over 7,500 self-checkout POS terminals.

What happened?

According to Home Depot`s official announcement, the hackers used the username and password of an undisclosed third-party vendor to enter the Home Depot`s environment. Then, the cybercriminals acquired elevated rights that helped them deploy unique, custom-built malware on the retail company`s systems in the US and Canada.

The Target and Home Depot incidents expose two areas of information security that retailers generally struggle with. They often times have a lack of integration between inventory and internal systems, in addition to poor vendor risk management practices. Each data breach was successfully deployed by stealing third-party vendor credentials and RAM scraping malware, according to SANS research on the subject.

4. Marriott International

When? 2018.

What was leaked? Sensitive information including credit card details, passport numbers, names, gender, and dates of birth of roughly 500 million guest accounts.

Cost: About $72 million.

Vendor breached: The Starwood guest reservation database in the USA.

What happened?

Marriott International hotel chains, the parent company of prominent hotel chains like Sheraton, W Hotels, Westin Hotels, and Le Méridien, became aware of the massive hack on September 8, 2018.

The company received an alert from an internal security tool regarding an attempt to access the Starwood guest reservation database in the USA. Further investigations revealed that there had been unauthorized access to the Starwood network since 2014. The unauthorized party had reportedly copied and encrypted information before taking steps to remove it. Prior to being acquired by Marriot in 2016, Starwood was a third-party vendor used for booking reservations.

“We deeply regret this incident happened,” commented Arne Sorenson, Marriott’s President and Chief Executive Officer in Marriott`s press statement, which shed light on the breach.

The company was subject to several lawsuits for failing to protect its guests` accounts.

5.  Under Armour

When? 2018

What was leaked? Around 150 million MyFitnessPal accounts compromised. The leaked data included usernames, hashed passwords, and email addresses.

Cost: Not fully clarified yet. A consumer class action lawsuit was filed against Under Armour, which might face a number of legal claims or investigations by government regulators and agencies. The company may also be required to incur additional expenses to further enhance its data security infrastructure.

Vendor breached: The MyFitnessPal app, which was acquired in 2015 for $475 million.

What happened?

The vulnerability was introduced through the diet and fitness application MyFitnessPal. The app was acquired by Under Armour three years prior to the breach. On March 25, 2018, MyFitnessPal became aware that during February of the same year an unauthorized party acquired data associated with MyFitnessPal user accounts.

Under Armour`s data breach was one of the biggest of 2018, leading to a 4% drop in the company’s shares.

6. Saks, Lord & Taylor

When? 2018

What was leaked? Credit and debit card data of more than 5 million people. Most of the stolen cards were obtained from locations in New York and New Jersey.

Cost: Not fully clarified yet.

Vendor breached: The cash register systems at the Saks and Lord & Taylor stores in North America.

What happened?

A popular group of cybercriminals known as JokerStash managed to obtain the information by implanting a software into an unsecured point of in-store sale system.

The breach was initially reported by cybersecurity firm Gemini Advisory:

“Based on the analysis of the available data, the entire network of Lord & Taylor and 83 Saks Fifth Avenue locations have been compromised.”

The potential impacts of such breaches can be devastating for the reputation of both the parent company (Hudson’s Bay Co) and its subsidiary (Saks, Lord & Taylor). To mitigate such risks, companies need to ensure their divisions have received the necessary security awareness training.

7. Managed Health Services (MHS)

When? 2018

What was leaked? The personal data ofabout 31,000 plan members. The exposed information included names, insurance ID numbers, addresses, dates of birth, dates of service, and descriptions of medical conditions.

Cost: Not fully clarified yet. Managed Health Services has offered individuals affected in both incidents 12 months of free credit monitoring services. The organization has also invested in enhancing its email security and re-training staff on mailing processes and cybersecurity risks.

Vendor breached: The LCP Transportation vendor company (first incident). The second incident is attributed to a mailing mistake.

What happened?

Managed Health Services (MHS), the organization running the Hoosier Healthwise and Hoosier Care Connect Medicaid programs, admitted that personal data of about 31,000 plan members was accessed in two separate breaches.

The first incident was associated with a phishing attack at the LCP Transportation vendor company. The LCP employees received scam emails, allowing hackers to access their email accounts. In contrast, the second attack was attributed to a mailing mistake – notification letters of a future pharmacy change were sent to the wrong recipients, according to a publication published at Becker’s Healthcare.

Meanwhile, in Singapore, the Secure Solutions Group Pte. Ltd. (SSG) vendor was responsible for exposing the personal data of 80,000 blood donors, according to Info Security Magazine. These types of breaches remind us that medical records are a major target for attackers.

Are you still with me?

Let’s face it, the breaches that we have covered here are very large scale, involving enterprise-level companies, and may seem far removed from your business, but the potential risk is real and needs to be addressed. When it comes to hackers, there is a common misconception that only large companies are a target. Companies of all sizes are exposed to potential risk daily and it goes far beyond their internal systems

As we stated earlier vendors can be a vital piece of success for companies of all shapes and sizes, but they are also inadvertently responsible for the majority of the breaches that occur today. Taking all the necessary precautions to make your company defensible might seem like a daunting task, but we are here to help.

Food for thought

What are the measures that your organization currently takes to stay protected from potential vendor risks? Share with us in the comments below.

Securitystudio has taken a common-sense approach to information security and we are here to help your business identify potential risks. Feel free to reach out if you would like to have a conversation and learn more about improving your information security program.


Estimate your score or book free demo today

This is an interesting dilemma, and a question I hear regularly.  It goes like this:

“We have a lot a vendors that don’t want to fill questionnaires out at all.  What do vendors think of SecurityStudio?”

My answer to this is always the same…

3 or 4 years ago, when vendor risk management programs were largely nonexistent, vendors would push back on security questionnaires.  They would dodge, avoid, argue irrelevance, hide, ignore, answer cryptically, lie (in some cases, yes they do), get answers wrong, etc.  Basically everyone was trying to avoid having to fill out any information about security programs.

Now that we’re a few years down the road, vendors are used to this, especially in any regulated industry or anyone that works with healthcare orgs, finance, etc.  We’re a vendor, and we expect our customers to ask us about our security. 

So at this point, if I have a vendor that doesn’t want to give up information about their security, that’s a GIANT red flag for me. 

There are only a few reasons for not being forthcoming to a customer or prospect:

  • What the vendor does is highly sensitive, and they have to protect that information from everyone, including customers.
  • The vendor is a big enough company that they don’t need to respond to prospective customers.
  • A security program isn’t in place or the vendor doesn’t know how to answer the questions.

Each scenario is bad for me as a risk manager:

  • Even if you say you’re highly secure, it’s my responsibility to make sure.  So in scenario one, they would still have to have something they can provide me as evidence they know what they’re doing.  From my side, I can’t just take their word for it.  So give me something.
  • Although they’re a huge company (i.e. AWS, Microsoft, Google) they still pose a risk to us.
  • If they avoid/resist, give excuses, or want to argue about why they don’t need to provide us any information, I assume they don’t have a security program.

When deciding if you should “fire” a vendor, there are many things to consider:

  • Someone in your organization likely wants to do business with this vendor.
  • It could be a significant deal for your organization.  That adds pressure to push them through.
  • How significant is the risk and what could happen to you if they get breached?

There are many more factors obviously, but the point is that it is usually extremely hard to fire a vendor that the business wants to work with.  If you have the authority to pull that trigger, then I would advise using it sparingly.  We enlist the business to help us get the assessment results back if needed, and we prefer to push them into remediation rather than firing them.  SecurityStudio makes remediation really easy, so we prefer to just build remediation plans they can work on.  That way everyone is winning!

I would only fire a vendor if all these questions get answered “yes”:

  • They simply won’t give us information.
  • They argue and avoid enough that they give me the sense that they don’t have a security program.
  • The business has alternative vendors that they can use, and they are ok with the firing.

Short of that, we opt for remediation, or if the vendor won’t cooperate at all, then we opt to have the business waiver the vendor.  That way as a risk manager I can show that I did my due diligence but that the business decided to pursue the relationship anyway.  This is more than just CYA, it’s an important part of the partnership between security and the business.  We don’t want to shut them down, we just want to manage our risk.  They have the right to accept the risk of a vendor that won’t cooperate.  (document, document, document)

The feedback we get regarding vendor willingness to use SecurityStudio has been really good.  Yes, we have definitely seen the same types of patterns (avoidance, arguing, ignoring) but that’s what SecurityStudio is built to overcome.  Automated reminders, questions written in common language, an appealing interface, etc. all contribute to a positive experience for vendors too.  So yes, they have to do something, but the feedback we’re getting is that vendors like the way SecurityStudio works for them. Make it easier for yourself and company, and schedule your demo for SecurityStudio today!


Estimate your score or book free demo today

Within a busy organization, vendor risk management (VRM) can feel like an ideal concept, but can also seem far out of reach.  Armed with a vendor risk management checklist and VRM software, like SecurityStudio, and establishing a vendor risk management program is well within grasp and can take less time, energy, and resources than expected.  The first step to creating a VRM program is to develop a plan.

1. Develop a Plan

The first step in creating a VRM program is to create a plan.  Simple enough, especially with a VRM software program like SecurityStudio.  The great thing about using a program like SecurityStudio is that the vendor risk management workflow is already built in along with most communication.  Everything is centrally located in the program, and vendors move from one phase to the next with everything in plain view.  Most quality VRM programs include a classification phase, and then vendors are typically assessed followed by a treatment plan.  Then there’s steps to repeat the process.  With a plan like this the risk manager (administrator) will need to surround themselves with a quality team to execute the plan.

2. Assemble your Team

As with any vendor risk management program, the risk manager will want a group of professionals to help with inventorying vendors and classifying them.  Talking to your team members and making sure that everyone is onboard will help with participation, and most importantly that they are given context as to how important information security and this particular vendor risk management checklist are to the organization. Team members can lose focus as to how important their role is partly due to the tedious nature of tracking down information.  Putting a date on task also helps with motivating people with completing them.

3. Determine a Timeline

Putting a timeline on tasks for both the team members and vendors helps with moving the process along.  If there’s not a timeline, then it’s easy for the vendor risk management program to be put to the side.  Software programs, such as SecurityStudio, have built-in timelines, but the due dates and timelines can be customized if needed. 

4. Inventory of Vendors

Taking inventory of the organization’s vendors is a key step in becoming defensible.  Whether the organization is using a software program or a spreadsheet, there needs to be a list of vendors that can pose a possible risk in order to be defensible.  This would seem like common sense, but in a lot of situations where organizations don’t utilize a vendor risk management software program, there are incomplete, inaccurate, or outdated spreadsheets floating around in employees’ inboxes.  This alone could make a case for software program like SecurityStudio, where all vendors are located in one centralized location. 

5. Designating a Relationship Owner

The security analyst, risk manager, administrator of the program, or whoever is assigned these responsibilities (usually the same person) is not necessarily the right person who would have access to contact information or would have direct vendor information to accurately answer classification questions.  Generally, the person who works directly with the vendor will be able to answer the questions most accurately.  Of course, this can vary between organizations.

6. Categorizing/Classifying Vendors

Classifying and Categorizing vendors is arguably the most important stage of any VRM program.  VRM programs will measure the risk of each vendor, and with software programs like SecurityStudio, this is done efficiently and objectively.  The decisions made at this stage will set the tone and precedence for all future stages.  In short, if you’re going to get one stage right, this is the one.  An assessment is sent based on this classification.

7. Assess your Vendors

After the classification stage, an assessment is sent based on the results.  This is especially true for vendor software programs like SecurityStudio.  Assessments vary in length and scope based on classification, but it’s best practice to have binary answers to assessment questions of either true, false, or N/A.  If a vendor does have a conditional answer they will be able to explain the answer in another stage (usually during remediation).  Having binary answers to assessments will create a stronger, more objective, assessment. 

8. Establish your Threshold

As vendors start completing assessments, it becomes time to establish best practices if the organization hasn’t already done so.  For whatever method your organization chooses to assess vendors, there should be a minimum threshold as to how much risk the organization wants to take on.  In SecurityStudio, where the scoring is based on a scale similar to a credit score, the program has a recommended threshold, but organizations are able to set their own threshold based on objective results.  Whichever method is chosen, it’s best practice to apply the same standards for all vendors or vendors within a set industry. 

9. Choosing a Treatment Plan

Once the assessment results come back, then it’s up to the organization to determine what to do with the results.  At times it’s a matter of just approving the results, but if the results are not as favorable as expected, then an organization should have a plan in place.  This is another sample of a situation where best practices should be established. If a vendor is far too risky to work with, or if the organization wants to give the vendor a chance to improve their results, there should be clear plan.  In programs, such as SecurityStudio, it’s relatively easy to look back on assessment results, and then choose a plan based on them. 

10. Objectively Repeat the Process

Vendor risk management is a never-ending process, and the VRM program needs to be repeatable in order to be effective at all.  Business relationships change and morph over time, so it would only make sense that the VRM program should adjust to these changes.  Not only would business relationships change over time, but VRM practices will update with time.  Updating the VRM program as new threats present themselves is just as important.  With programs like SecurityStudio, the changes in security practices and updates will be automatic and seamless.

This is what happened in the infamous case of Target Data Breach in 2013 and the vendor risk management checklist is something that might have prevented it.

If you want an easy-to-use automated workflow that evaluates all third-party vendors and brings your weakest links to the surface, schedule a demo with us today!


Estimate your score or book free demo today

What is NIST CSF?

NIST CSF is voluntary guidance based on existing standards, guidelines, and practices to help organizations better manage and reduce information security risk. Another benefit is an increased level of communication around information security with both internal and external organizational stakeholders. The National Institute of Standards and Technology (NIST) developed the Cybersecurity Framework (CSF) because of Presidential Executive Order 13636, which was signed in 2013. 

NIST CSF 1.0 vs. NIST 1.1

The first version of the NIST CSF has served us well since its adoption in 2014.  5 years have passed, and the threat landscape has not been stagnant.  Because of this a new version, v1.1, was adopted in 2018.  Much of the framework still resembles the original v1.0 framework with changes to language that more clearly states the control(s) intent. 

There are some additional categories added to v1.1 that are a result of the current emerging threats facing many organizations.  Supply Chain Risk Management ID.SC (Vendor Risk Management) is an area that certainly deserves to be formally addressed by the new framework.

There are 5 sub-categories that fall under ID.SC.  Let’s dig a little into each category and look at what this means from a practical standpoint.

Supply Chain Risk Management (ID.SC)

“The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support risk decisions associated with managing supply chain risk. The organization has established and implemented the processes to identify, assess and manage supply chain risks.”

Translation – Your organization formally addresses the risks associated with using 3rd party vendors to support your business initiatives.  The process is formal and has structure to ensure you evaluate all vendors, not just the ones you feel are important.

ID.SC Subsection NIST Language Explained
ID.SC-1 Cyber supply chain risk management processes are
identified, established, assessed, managed, and agreed toby organizational stakeholders
Executive management requires that Vendor Risk
Management processes be established. They support thiswith resources (money and staff) needed to properly
manage. They communicate this requirement through
governance (policies).
ID.SC-2 Suppliers and third-party partners of information
systems, components, and services are identified,
prioritized, and assessed using a cyber supply chain risk
assessment process
Every vendor has been identified and classified (based
on potential risk to you) regardless of the goods\services
supplied.  They should be evaluated with the same
criteria initially with more scrutiny applied based on risk levels introduced.
ID.SC-3 Contracts with suppliers and third-party partners are
used to implement appropriate measures designed to
meet the objectives of an organization’s cybersecurity
program and Cyber Supply Chain Risk Management Plan.
You can use contracts to ensure 3rd party suppliers meet your information security requirements which might be more stringent than their own internal requirements.
ID.SC-4 Suppliers and third-party partners are routinely assessed using audits, test results, or other forms of evaluations
to confirm they are meeting their contractual obligations.
In ID.SC-2 above, you initially evaluate 3rd party vendors and assign a risk level.  That process should be repeated on a regular (annual) basis. You can focus on the higher risk vendors but you need to consider ALL vendors, even the low-risk ones.
ID.SC-5 Response and recovery planning and testing are
conducted with suppliers and third-party providers
High-risk vendors, ones that could cause grave harm to
your organization, should be tested for response and
recovery assurances. You don’t want their lack of
planning and preparedness to negatively affect your

OK, Now what?

Once you determine that you will follow these sound information security principals, you will need a way to do so.  Traditionally, questionnaire forms and spreadsheets were used to track vendor risk. Because of the explosion of 3rd party vendor use, this process is no longer a viable solution.

SecurityStudio allows you to address the new NIST cybersecurity framework – Supply Chain Risk Management (ID.SC) guidelines.  The once cumbersome process is greatly simplified, efficient and thorough, which puts you in a defensible position.

If you need help, contact us! If you would like a SecurityStudio demo, schedule a demo today!


Estimate your score or book free demo today

Part of any vendor risk management program involves putting together a list of vendors.  Sometimes this information can be scattered across an organization, and it takes some real wrangling to collect it all.  This is why software programs like SecurityStudio are convenient- because they help create a centralized list of vendors that are easy to update as necessary.  Here are key places to look for your full list of vendors:

1. Accounts Payable Specialist

The Accounts Payable Specialist is the first place that most people look for vendors.  This is probably the most practical place to look, primarily because most companies have to stay on top of their bills.  The Accounts Payable Specialist will have all the company invoices, and in most instances have the most comprehensive list of vendors. 

2. Internal Bookkeeping Software

Sometimes if the company is small enough, all the company debits and credits are collected in a software program and updated by either an accountant or someone who assumes this role.  Usually, this type of program is managed by an Accounts Payable Specialist, but this isn’t always the case in all circumstances.

3. Department Heads

Occasionally, not all vendors will provide an invoice.  What about that free software that employees install on their computers?  This is still considered a vendor and poses a risk.  The department head would know the day to day tasks of their employees and would have a better idea as to what’s installed on their computers and other contact with vendors.

4. Tax Forms

Maintaining a current list of vendors is imperative to any vendor risk management program, but keeping a historical list of vendors is ideal.  Even though the company may not have business transactions with a previous vendor, there’s a good chance that information is kept on file with the vendor and still poses a risk.  Chances are good that this information will be stored on tax forms, so this is an ideal place to look for historical vendor information.

5. Bank Statements

Bank statements are a snapshot of invoices paid and is an excellent source to look up vendors.  The information may not be complete, but it’s still a way to locate vendors that may be flying under the radar. 

6. Credit Card Statements

While not all vendors are going to be included on a credit card statement or even be paid via credit card, it’s still a good place to look for one of those one-off vendors that aren’t necessarily used very often, but still poses a risk. 

If you want an easy-to-use automated workflow that evaluates all third-party vendors and brings your weakest links to the surface, schedule a demo with us today!


Estimate your score or book free demo today

First, let’s start with the question, “why do I need to manage all vendors?”

We get asked this question all the time.  If you have a vendor risk management program, then it’s likely you aren’t managing all your vendors (just the high-risk ones, or even a subset of those).  The logic of focusing on the vendors that really matter seems rational, but here are some potential issues that arise with it:

  • How are you deciding which ones to manage?
  • Are you accounting for all the ways your vendors can impact you? 
  • Are you just managing the handful of vendors that you directly share confidential data with?
  • Is there a specific trigger you use to pick vendors to manage?  (sharing PHI for example)

From both a vendor risk and a defensibility standpoint, all those methods fall short.  If you are using a manual process to manage VRM, this may be all you can accomplish given resource constraints and other priorities.

But, what happens if a breach happens within a different vendor that has access to information but hasn’t hit your radar?  Or, what happens if the relationship with a vendor changes but you don’t know it changed? 

There are many reasons to manage all vendors consistently.  Here are a few:

  1. You are accounting for more risk.
  2. You can catch relationship changes and act accordingly.
  3. You can show that you have a consistent process.

All the above reasons make you more defensible should something bad happen.  And let’s be honest, you have hundreds of vendors- some of them have been breached, and some of them may be actively breached right now.

SecurityStudio makes it really easy to manage all vendors, as any good software should.  Something that is basically impossible to do with a manual/spreadsheet process can be made very simple with a decent software solution.

Let’s make sure we clarify that I’m NOT saying all vendors go through the same end-to-end process.  I’m saying account for them all, and once they are classified let their classification bucket (low, medium, or high risk) determine their path.

So where do you get the full list?  Finance is the best place.  You should be able to request a list of every vendor you have paid in the last 6 or 12 months from finance. This can be a large list.  In our experience, 75% of those vendors will be low risk, which is ok. With SecurityStudio, each low risk vendor can be processed in 2 minutes per year.

So enlist finance to help.  They can export a csv or xls file.  Any good software, including SecurityStudio, should be able to import your vendor list.  In this way, you can go from your current process to a mature VRM program basically overnight.

To get your easy-to-use automated workflow that evaluates all third-party vendors and brings your weakest links to the surface, schedule a demo with us today!


Estimate your score or book free demo today

Got a vendor risk management strategy defined? Need help? You’re not alone.


People are not inherently good at defining strategies. This is a problem. The problem is worse when considering information security strategy, and more worse when considering vendor (and third-party) security risk management strategy. These assertions come from observations made over more than 25 years, working with a wide variety of organizations.

If you engage in vendor risk management activities, you should have a strategy defined. If you don’t have a strategy, then you’re going to be less effective in achieving anything meaningful to the organization.

This article is dedicated to helping you define an effective vendor security risk management strategy. An effective strategy will help you achieve your organization’s goals with measurable results.

Rule of Thumb: The larger the effort, the more important the strategy. In terms of vendor risk management:

  • More vendors = more important.
  • More people involved in vendor management = more important.

Now, let’s define a basic strategy together.

Start with why.

Strategies start with why. If yours doesn’t, it’s probably not a good strategy.

Another word for why is purpose. I prefer why because it seems that people can relate to it better. I think this is because they can keep asking themselves why for every piece, part, and process in whatever it is we’re trying accomplish.

Simple question. Why are you doing, or thinking about doing, vendor security risk management? If you don’t know the answer to this, then you have no “why”.  If you struggle with your “why”, look at some of these common ones, and consider them when developing yours:

  • We want to manage vendor security risk well.
  • We have to do it because our regulator told us we had to.
  • We want to be defensible, meaning to be able to defend ourselves in court when/if a vendor-related breach occurs.
  • Everybody else is doing it, so we should do it too.
  • We suffered from a vendor-related security breach in the past, and we don’t want it to happen again.

I’ll tell you our why, where I work. We believe that managing risk is core to the definition of information security. We can’t manage information security without managing risk. Vendors pose a risk to the security of our information, so managing risk must include vendors; therefore, vendor security risk management is core to our security program.

There it is; we do vendor security risk management because we believe that it is core to our security program.

You can have more than one why, and I actually encourage it. The more you have, the more focus it can bring. Now, document your why. Document it so you don’t forget it, so you can share it with others, and so you can make sure other parts of your strategy align with it.

Set goals.

Our goals are set by what we define as success.

Goals must be…

  • Measurable.
  • Associated with some function of time (timeline, timeframe, deadline, etc.).
  • Aligned with our why.

Think of the ways you can set measurable goals on a timeline that enables your why to be adequately supported. Your why may be different than ours, but I’ll use us as an example again. We’ll use SecurityStudio in our example. Not only do we sell SecurityStudio , but we certainly use it too!

Our Why:

We believe that vendor security risk management is core to our security program


To support our vendor security risk management efforts, we have defined the following goals:

  • 100% of all vendors will be inventoried in a central repository by 3/1/2019.
  • 100% of all vendors will be classified according to inherent risk (sometimes called “impact”) by 6/1/2019.
  • All high and medium impact vendors will be assessed for residual risk by 1/1/2020.
  • Every vendor will be re-classified on an annual basis by the 1st of each year.
  • All high impact vendors will have a S2SCORE of 660 or higher by 6/1/2020, any exceptions must be formally approved by the business unit Vice President.
  • All medium impact vendors will have a S2SCORE of 660 or higher by 6/1/2020, any exceptions must be formally approved by the business unit Vice President.
  • At no time will a vendor S2SCORE of 600 or less be accepted by the organization.

Define how.

Now this is where the rubber meets the road. A strategy is worthless if it can’t be enacted or executed against. How will we accomplish our goals? In order to achieve the goals that we’ve set, we’re probably going to need something, or maybe a lot of somethings.

Obviously, one of things that we leverage is SecurityStudio. If you don’t use SecurityStudio, you can either choose to use it, or you’ll need to find something else. If you’re unsure of SecurityStudio and/or how to implement it, schedule a demo with us today. Whatever you use, it must allow you to accomplish all of your goals. SecurityStudio is one thing, but you’re going to need more. You’ll also need (at a minimum):

  • A policy. See our previous article about developing and using a vendor security risk management policy (/blog/vendor-risk-management-policy/). There’s even a free policy template there.
  • Personnel (or time). Somebody will need to do the work. SecurityStudio takes all of the dirty-work out of way, but there still needs to be some involvement. We have a vendor risk management ROI calculator if you’re interested in how much time and money is saved when you use SecurityStudio versus manual processes.
  • Training. The people who will be involved with vendor risk management are going to require some training. SecurityStudio is simple to use, but it’s still good to do some brief training anyway.
  • Procedures. Step-by-step guidance will ensure that the same thing is done every time. This gives us the ability to tweak things and make things more efficient.
  • Budget. Everything costs money nowadays, hard and soft dollars.

That does it for the how. Now combine the high-level how information into your strategy, and give everything a sanity check. Does everything fit, or do you need to adjust? I’ve gone through this same exercise with large companies, and it’s not uncommon to revisit all, or part of the strategy many times before you nail it.

Good luck! If you need help, contact us!


Estimate your score or book free demo today

The experts spend a lot of time describing how an organization should be doing Vendor Risk Management (VRM) but they tend to overlook a critical factor – mainly, who should be doing VRM within organizations. The push for information security VRM is relatively new, and as a result, responsible parties are ill-defined with the role of Vendor Risk Manager not formalized in many organizations. The mix of personnel overseeing VRM programs is truly varied, ranging from security analysts, IT directors, compliance departments, CISOs, etc.

It’s a mistake to think that a single person or a team of people should be solely responsible for VRM. This approach is neither reasonable nor particularly helpful. Instead, a logical distribution of risk management responsibilities should reflect who has ownership of certain key information about the vendor. Through the VRM process – inventory, classify, assessment, remediation – different risk management roles should step forward to propel the process forward.

We’ll start with a role that is not actively involved in evaluation vendors. Rather, they provide the framework that allows for other players to complete their responsibilities.


A VRM program can be stymied without the buy-in and support of the upper management. The initiative needs to be backed by a policy that gives the Supplier Risk Manager authority to:

  1. set out an internal protocol for onboarding new vendors and evaluating current vendors;
  2. terminate vendors who do not comply or do not meet the acceptable risk criteria. Business requirements will always push back against VRM practices, but executive support can enforce consequences for non-compliance.

Executive leadership also has motivation for doing so, as executives will have to answer to customers and/or the board if an adverse event happens as a result of poor VRM.

What does a vendor risk manager do?

Risk Manager is the person or team of people who oversees the organization’s VRM program. They are given oversight over vendor risk because they have the expertise that allows them to make judgment calls on what constitutes an acceptable amount of vendor risk. They should also have the authority to take steps to mitigate risk. Over time, they need to curate the vendor population, looking to maximize the opportunity vendors represent, while minimizing the risk they introduce. Risk Managers need to have a high-level view that they can easily communicate to senior-level management. Their time and expertise must be allocated smartly.

risk management 1

Who should take the role of relationship owner?

The undeniable truth is that VRM requires a lot of information gathering. The best bet for accurate and up-to-date information is to make use of Relationship Owners. During the inventory stage, each vendor should be assigned to an internal person who has knowledge of the vendor’s scope of service. By default, the Relationship Owner is the person who engaged the vendor’s services or the person who approves the invoice. Relationship Owners are important because they can supply basics about the vendor that would otherwise have to be gathered by the Risk Manager. This can include clerical information (industry, services, address) as well as knowledge of the access level the vendor has to certain types of information.

Relying on a Relationship Owner to annually update this information keeps the vendor relationship in focus over the passage of time. This periodic information capture tamps down on out-of-control spreadsheets that would otherwise require massive manual updates. Additionally, it forces employees across the organization to take literal “ownership” for the vendors they work with. Information security should never be the sole purview of the Risk Management team as it is the whole organization that will be hurt and held responsible in the case of an adverse event.


While not an internal VRM player, vendors are worth mentioning here because so often Risk Managers act apologetically in asking vendors to participate in their own evaluation. Larger organizations do tend to be better at this than smaller ones. The role of the vendor is to complete the assessment sent to them as promptly as is reasonable. If the vendor is determined to have high risk potential, then they need to undergo assessment to determine if they are protecting the information entrusted to them. Asking for them to answer an assessment should be treated like any run-of-the-mill business task such as filling out an NDA, signing a contract, etc.

So far, we’ve only reviewed roles that have an active part in evaluating vendors. A VRM tool is worth mentioning as it can greatly alleviate the workload of the Risk Manager.


There is no way to avoid adopting some sort of organizing structure when conducting VRM. For this reason, it’s worth investing in a tool that will remove manual aspects and ensure scalability over time. Look for a tool that can play the gopher role, facilitating communications, sending to-dos and automatic reminders, and tracking progress. Even better, some tools process submitted responses and produce a risk score based on built-in logic. The work put in to learn the tool’s logic or develop the scoring yourself, is an investment that will return a hundredfold. Having a standardized risk score eliminates the need for Risk Managers to review assessment responses and other collected documentation. In addition, the risk score can be used to make comparison and measure growth over time.

Below is a list of actions that a good VRM tool should be able to handle:

  • Keep dynamic inventory
  • Send tasks and automatic reminders
  • Facilitate all communications
  • Prohibit vendors from submitting partial answers
  • Use systemically applied scoring and logic
  • Keep audit and logs
  • Store all documents and results
  • Offer dashboard and reporting capabilities

Information security VRM is ramping up in intensity and one way to get a handle on it is to take the time to divvy up the vendor management responsibilities to the right person. Not only is information more accurate when gathered from the source, but it results in the organization overall having more awareness of the importance of vendor risk. This awareness should extend from the relationship owners who engage vendors daily to the executive-level leadership. With everyone aligned towards the same goal, Risk Managers are both empowered and better equipped to meet their VRM objectives.

If you want an easy-to-use automated workflow that evaluates all third-party vendors and brings your weakest links to the surface, schedule a demo with us today!


Estimate your score or book free demo today

 It’s easy for an organization to get caught up in establishing policies, workflows, and procedures for vendor risk management. Without context as to why these policies are important and stressing this to your team, many will lose sight of the primary goal of vendor risk management – to put the organization in a defensible position.  An organization owes it to their customers.  The goal of vendor risk management is to position the organization in a defensible position by taking inventory of all vendors, measuring how much of a risk each vendor poses, assessing each vendor objectively, and then systematically repeating this process.  That’s a hefty goal, so let’s break it down.  

Inventory – Taking inventory of all vendors

The first step to mitigating risk is to take inventory of all vendors.  This list includes everything from the organization’s HVAC technician, cleaning service, insurance broker, and even the free online software provider.  These are all considered vendors, and while not all of them have the same access to sensitive information, many vendors will have some access to the organization’s information either physically or otherwise.  The goal of taking inventory of your vendors is to make sure that all the vendors within an organization is accounted for.  Quite simply, you don’t know, what you don’t know.

Classify – Measuring how much of a risk each vendor poses

Not all vendors will have access to the same amount of information, but it’s important to sort your vendors into buckets.  Using the same classification method puts all your vendors into perspective, and puts the organization in a defensible position.  The HVAC technician won’t necessarily have the same impact as an insurance broker that has access to sensitive information.  However, both vendors pose a risk – SecurityStudio has three impact levels – high, medium, and low.  By classifying vendors objectively, the right course of action can be taken to assess them appropriately. 

Assess – Assess each vendor so that the appropriate action can be taken

The goal of the assessment process is to make sure that the right questions are being asked, and that the same questions are being asked of all vendors within the same bucket.  This again will put the organization in a more defensible position. The goal of the assessment process is to be as objective as possible and to complete due diligence.  It’s important to ask these questions now, so that in the case of an adverse event, the organization is still defensible.  Tools, like SecurityStudio, makes it easy.  SecurityStudio offers a comprehensive list of questions, and the program tags who answers the questions and timestamps when the questions are answered.  The ultimate goal of the assessment is to have an objective overview of the vendor’s security posture so that the organization is able to make an informed decision to either go into business or continue doing business with the vendor.  Once the results of the assessment are given, then it’s a matter of replicating the process on a regular timely basis, or as the business relationship changes. 

Now that the goal is broken down, it puts things in perspective.  Yes, organizations are pressured to develop a vendor risk management program by regulatory laws, but it’s more than that.  It’s just the right thing to do.  Organizations owe it to customers to make sure that the information they provide is secure by mitigating risk the best they can and putting themselves in a defensible position.  This is the primary goal of vendor risk management.

To put your goals to action and get an easy-to-use automated workflow that evaluates all third-party vendors and brings your weakest links to the surface, schedule a demo with us today!

Vendor Risk Management Goals

Estimate your score or book free demo today