Systematically measure and manage vendor risk

In March this year, the company at the center of a storm of publicity made a startling announcement.

OpenAI CEO Sam Altman revealed that some users of the incredibly popular artificial intelligence (AI) tool ChatGPT had their conversation history partially leaked to others. Due to a security flaw in a third-party library OpenAI itself was using, a small percentage of those using the app could see the titles of each others’ prompts.

While OpenAI quickly disclosed and fixed the problem, it reveals an important point. The digital relationships between enterprises are complex and tightly interconnected. A mishap at one company can quickly cascade downstream to its customers.

That’s why organizations should measure and manage their vendor cybersecurity risk in a systematic and consistent manner. While companies with which you have a business relationship represent only part of your software supply chain, they often have direct access to your most sensitive data. Ensuring they are good stewards of it is vital to managing your risk.

In this post we’ll go through a high-level overview of how you might think about the risk these organizations pose.

Step 1: Surveying the landscape

Asset management is a foundational part of any security program. And depending on how you think about the discipline, you might include your vendors as part of your analysis. In any case, creating and updating an inventory of all the third parties with whom you do business is an important first step.

If you are just beginning your vendor risk management process, working with your finance team to build a list of everyone to whom your company pays invoices is a potential first step. However you get the information, though, you will need a list of every business entity with which you work.

Attempting to manage this process via email and spreadsheets is incredibly time consuming, brittle, and prone to failure. So you will almost certainly need some kind of centralized platform for recording the results of your survey and, more importantly, storing your follow-on analysis.

And before proceeding, it will help to develop a framework that assesses the impact and likelihood of potential attacks, preferably in quantitative terms. At a minimum, this should allow for comparisons and tradeoffs between different situations and options. The Factor Analysis of Information Risk (FAIR) is the gold standard, but qualitative ratings may need to suffice.

Step 2: Analyzing a vendor’s impact

Now that you have a way of understanding who might potentially have access to your data, you can determine how much damage they might cause if breached or taken offline.

On the trivial end, you can probably worry less if you are buying office furniture from a vendor and use an intermediary to exchange payment information. Conversely, think hard about the potentially catastrophic implications of losing access to the cloud service provider that your Software-as-a-Service product is built on.

With this in mind, you can allocate time and resources to analyze the likelihood of adverse events based on their potential impact. To streamline the process, you might consider developing different categories of impact level and calibrating the depth of your due diligence appropriately.

As you progress through your evaluation, you will likely need to revise your understanding of the potential impact of and your relationships with third parties. You may discover new relationships or revise the estimated impact of known ones along the way.

And even if you are happy with your estimate at one point in time, having a plan to continually revise and re-assess your analysis is critical. This is where having a purpose-built tool will save you huge amounts of time and headache.

Step 3: Evaluating likelihood of an incident

After inventorying your third-party relationships and assessing their potential impact, your next task is to identify the probability of events that might lead to losses. Because of the work you did in step 2, you might not even worry about examining vendors in the lowest impact categories. For those who are central to your business operations, however, you will likely want to go into depth.

To better understand the likelihood of a vendor impacting your data confidentiality, integrity, or availability, there are a variety of tools you can deploy. They require varying levels of sophistication, effort, and money to use properly, so deploy them in proportion to the risk posed by a given vendor. These methods include:

  • Security questionnaires. Perhaps the most common method of vendor risk measurement, they are unfortunately the least effective due to the difficulty of interpreting results and ensuring their accuracy. If you are going to employ them, ensure you have a systematic method for tracking and following up on vendor responses.
  • Contractual terms. Some companies like Dropbox have ditched questionnaires entirely and simply write security requirements into their purchasing contracts. Obviously such a big company will have the leverage to do what others might not, but Dropbox sees this approach as saving time and allowing it to focus more on what actually matters from a security perspective.
  • External certifications and attestations. Security audits such as SOC 2 and ISO 27001 are often seen as the “gold standard” and many customers use the presence or absence of the relevant document to choose between vendors. Especially with SOC 2, however, what an audit means about a given company can vary greatly. Ensure you at least review the attestation provided and think hard about which trust services criteria and what scope are important from your security perspective.
  • Security ratings. A more quantitative approach involves using a specialty vendor such as BitSight or SecurityScorecard to provide you with a rating about the relative security of the company with which you are considering doing business. While some of these vendors assert their scores do correlate with real-world cyber incidents, it is probably best to incorporate supporting methods of analysis.
  • Technical due diligence. The most in-depth option to measure vendor risk is to do so directly or through a contracted party, such as a penetration testing firm. Whether using automated scanning tools to evaluate a vendor’s code or using human pen testers to look for security gaps in its network, this type of review is generally the most effective but also the most costly method.
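The following is an added example, not part of the original post or the Scrut platform, that shows what Steps 2 and 3 look like once they are written down as code rather than kept in spreadsheets: each vendor carries a three-point loss estimate and a loss event frequency (the two top-level FAIR factors), which yield an impact tier, an annualized loss figure for ranking, and a due-diligence plan scaled to the tier. The tier thresholds, the tier-to-method mapping, and the three vendor records are all constructed assumptions.

```python
from dataclasses import dataclass
from enum import Enum


class Tier(Enum):
    LOW = "low"
    MEDIUM = "medium"
    HIGH = "high"
    CRITICAL = "critical"


# Assumed mapping from impact tier to the likelihood-assessment methods
# discussed above; deeper (and costlier) methods are reserved for vendors
# whose failure would hurt the most.
DILIGENCE = {
    Tier.LOW: [],
    Tier.MEDIUM: ["security questionnaire"],
    Tier.HIGH: ["contract terms", "SOC 2 / ISO 27001 attestation", "security rating"],
    Tier.CRITICAL: ["contract terms", "SOC 2 / ISO 27001 attestation",
                    "security rating", "technical due diligence"],
}

# Assumed thresholds (USD, per loss event) that separate the impact tiers.
TIER_FLOORS = [(1_000_000, Tier.CRITICAL), (100_000, Tier.HIGH), (10_000, Tier.MEDIUM)]


@dataclass(frozen=True)
class Vendor:
    name: str
    loss_min: float     # smallest plausible loss from one breach/outage
    loss_likely: float  # most likely loss
    loss_max: float     # worst-case loss
    lef: float          # loss event frequency: expected loss events per year


def loss_magnitude(v: Vendor) -> float:
    """PERT-weighted mean of the three-point loss estimate (FAIR loss magnitude)."""
    return (v.loss_min + 4 * v.loss_likely + v.loss_max) / 6


def impact_tier(v: Vendor) -> Tier:
    """Step 2: bucket the vendor by how much a single incident would cost."""
    magnitude = loss_magnitude(v)
    for floor, tier in TIER_FLOORS:
        if magnitude >= floor:
            return tier
    return Tier.LOW


def annualized_loss(v: Vendor) -> float:
    """FAIR risk = loss event frequency x loss magnitude, per year."""
    return v.lef * loss_magnitude(v)


def prioritize(vendors: list[Vendor]) -> list[Vendor]:
    """Rank vendors so scarce review effort goes to the largest expected loss first."""
    return sorted(vendors, key=annualized_loss, reverse=True)


def diligence_plan(v: Vendor) -> list[str]:
    """Step 3: choose likelihood-assessment methods in proportion to impact."""
    return list(DILIGENCE[impact_tier(v)])


# Constructed sample inventory (Step 1 output), echoing the post's examples.
FURNITURE = Vendor("office-furniture", 1_000, 5_000, 20_000, lef=0.05)
PAYROLL = Vendor("payroll-saas", 200_000, 500_000, 2_000_000, lef=0.2)
CLOUD = Vendor("cloud-provider", 1_000_000, 5_000_000, 20_000_000, lef=0.1)
```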
Managing digital supply chains can be challenging for even the most mature enterprises. Considering that even small companies may engage with dozens or hundreds of vendors, the task can seem overwhelming.

That’s why having a rigorous and systematic approach to measuring vendor risk is so important. By focusing your limited resources on the biggest threats to your business operations, you can keep focused on identifying – and addressing – the most pressing problems.

If you would like to see how the Scrut platform can help you take this type of systematic approach to vendor risk management, then please reach out today!