Third-party vendors are crucial to a company’s success, but they inherently create risk and require monitoring to ensure their vulnerabilities don’t develop into a bigger problem such as a data breach. Responsible companies monitor their third-party risk, and many do it with a combination of manually updated spreadsheets.

Are spreadsheets enough to manage vendor risk?

Smaller operations may be able to get by with a basic, homegrown system. Risk managers are often familiar with their industry’s regulatory landscape and can monitor their vendors in a way that works for them. They don’t have to conform to a specific set of rules or force their risk management into rigid GRC software. The spreadsheet’s very simplicity means they can make the process completely their own.
Many factors can be easily tracked in a spreadsheet. Risk managers know not to classify a SaaS provider with access to sensitive data in the same grouping as the vendor hired to clean its offices, and will often review a vendor’s internal policies and procedures before ever signing a contract. It’s also easy to track certifications in a spreadsheet, identifying which vendors have external audit certifications such as SOC 1 or SOC 2.

However, when medium- and large-sized companies rely on spreadsheets, they can find themselves unable to assess their entire landscape of vendor risks across the company. When multiple departments rely on spreadsheets to manage their third-party relationships, it becomes difficult to consolidate fragmented risk data, resulting in information silos. The resulting system becomes overwhelmingly complex, filled with excessive redundancies in some areas and scarily little oversight in others. Ultimately, large companies (or any company with multiple departments working with third-party vendors) set themselves up for failure with a spreadsheet-based system.

Small and large companies alike also leave
themselves open to human error when developing a spreadsheet-based system from the ground up. Various studies show 88 percent of all spreadsheets have significant errors, leading to lost company revenue, increased probability of a data breach and, in many cases, the termination of the employee who was responsible for maintaining the spreadsheet. After all, one small typo in the spreadsheet of a large company can cost billions, and can create losses for smaller companies from which they may never fully recover.

It’s time to get rid of the spreadsheet

No matter the size of a company’s vendor
landscape, it needs more than an accident-prone spreadsheet-based system that prevents the sharing of information between departments. Especially when departments are potentially dealing with the same sensitive data in different applications or use cases, they need a holistic view of how that information is being shared with all vendors, not just the vendors for which they are responsible.

A centralized vendor risk management system is a must-have for enterprise-level organizations. The bird’s-eye view provided by a centralized system removes information silos and unnecessary redundancies, allowing each individual within the system to address issues or comments directly related to their area of responsibility. As a result, a business can improve its compliance, gaining a better overview of its entire vendor risk landscape than a spreadsheet-based system could provide.

The Benefits of a Centralized Risk Management System

With a centralized system in place, a company
will find itself far more capable of communicating with its vendors in a meaningful way. Anyone in the business with access to the vendor risk management system can take a snapshot of its entire risk landscape and better understand how to communicate with specific vendors in the context of risk management. Clarity into vendor processes leads to better decision-making. By implementing holistic risk management practices, companies will better track their vendor relationships and develop safer, more effective operations.

Good risk management systems allow users to
not only track vendor activities, policies, and interactions, but also enable the company to use automated risk scoring as a way to predict how a vendor relationship might result in a vulnerability. By placing quantifiable, accurate scoring on vendor policies and operations, a centralized risk management system allows a business to stay steps ahead of vulnerabilities and close gaps before they ever develop into larger problems.

Regardless of industry, regulatory landscapes
are rapidly changing. Unlike a spreadsheet-based system, a centralized application can easily adjust when regulations change and vendor relationships need new variables considered. A well-built, flexible system provides much-needed consistency in industries facing regulatory uncertainty, helping a company stay in compliance at all times.

For certain smaller companies, a spreadsheet
might be enough to track vendor risk. All companies, however, can better track their vendor risk with a system built to provide clear insights, allow safe information sharing and adjust to changing regulations. Even if a spreadsheet is good enough, it’s never the best option. By abandoning the spreadsheet and implementing a centralized vendor risk management system, organizations will save time and safeguard resources.

About Jon

Jon is the Co-Founder and Chief Product Officer of LogicGate.