Why cybersecurity departments need a vendor management policy

Organizations have more third-parties and vendors than ever before, so much so that it’s become overwhelming for many companies. A 2021 Ponemon Sullivan report found that an average organization’s third-party inventory tallied up to over 2,300 third-parties with 50% of respondents reporting that they don’t have an inventory.

This trend is the same for cybersecurity vendors and third-parties. With digitalization, digital transformation, cloud-based vendors, and increasing reliance on third-parties and partners for major infrastructure services, this is increasing the average attack surface dramatically.

Companies, in trying to account for their increased cybersecurity risk, are seeking to procure additional tools and vendors to protect themselves. Unfortunately, this has led to another challenge. An increase in  third-parties can lead to overwhelming complexity during the procurement process as well as the management process.

Without the right vendor management policy in place, this can turn into an organizational risk that can impact your ability to mobilize your cybersecurity department and properly protect your organization.

Why lacking a vendor management policy can lead to decision paralysis

The cybersecurity vendor market is growing rapidly with various new solutions and tech coming out every year. There’s an abundance of acronyms, solutions powered by AI, machine learning-based solutions which results in a cybersecurity market that’s hard to sift through.

It’s challenging enough to parse through all the marketing and buzzwords to truly get a sense of whether a specific solution or vendor is meeting your organization’s needs, but the large number of vendors required can also have compounded negative effects due to longer procurement periods, budget negotiations, implementation and the risk that the vendor you’ve selected may not be the best fit.

This can be because the vendor isn’t suited for your industry (specifically if you need to meet certain compliance standards), your size, or your environment. A vendor may not be compatible with your network and operating system or it may be best suited for a company with on-prem servers rather than a global distributed network.

If you don’t have the right vendor management policy in place, these potential pitfalls can lead to decision paralysis and cost you precious time as you try and figure out what kind of vendors you need and what vendors are worth initiating conversations with.

More vendors can lead to more organizational/implementation risk

Very few cybersecurity solutions are plug and play. Part of the procurement process requires:

Exec approval – Has the board and executive team signed off on the need for this type of vendor and the vendor selected for consideration? You’ll have to make sure you can back up your choice and have reasons why other competitors or known vendors haven’t been considered.

Budget approval – This is always a significant conversation and depending on your budget, you may have to obtain approval for any additional funds from the finance department. Make sure you have a business and budget-conscious case for spending the money and try to take a risk management perspective, knowing a reduction in risk can lead to lower fiscal risk.

Department consensus – Your security and IT teams will be the ones working with these vendors on a day-to-day basis so make sure you’re keeping them in the loop and taking stock of their experience if they have used the vendor or tool in a previous job.

After you’ve had the necessary conversations and signed a contract with a vendor, you’ll have to start the the onboarding and implementation process where you need to work with the vendor alongside a number of teams and departments which include:

  • IT
  • Developers
  • Security department
  • Legal
  • Finance

Without the right vendor management policy that’s focused on streamlining this process without compromising on security, the process can take months in the best-case scenario or several years depending on how embedded the solution will be.

You may also be raising the risk of running into any complications where a solution is incompatible with your infrastructure. If that’s the case, you may need to find a new vendor that is compatible or you’ll have to find a workaround to move forward that may either impact effectiveness.

This is the process for choosing a single vendor. Because your organization will likely need multiple vendors, this process will only balloon in complexity without any additional policies or solutions in place.

Vendor management can become extremely cumbersome

Taking on more vendors can also lead to departmental challenges. The more vendors you have, the more time and resources you need to properly manage the vendors. This means your team, likely already stretched thin, needs to account for new tools, new points of contact, and, potentially, an entirely new platform.

This can be taxing on an already strapped department and in order to meet these new demands, you may have to increase headcount, further straining your department’s budget. Whether or not you can devote the additional resources or get more headcount approved, the risk of improper management due to lack of time and resources can lead to cybersecurity issues down the line.

Alerts and crucial communications may be missed, and without devoting what’s needed to a new tool or platform, your team may not be able to make full use of your vendor. This can significantly impede your ability to work with your vendor, a scenario that can turn nightmarish in case of a compromise or attack attempt.

Why a vendor management policy can help reduce the risk of vendor complexity

A vendor management policy can help you get ahead of these problems by having an established, department-wide process for considering, procuring, onboarding, and facilitating bringing on new vendors. This can and should include having consistent parties in conversations concerning new vendors, while also having set expectations about resource management as new vendors are being considered.

This will help you stay proactive, especially as you build out your security department’s roadmap. If you know, months ahead of time, that you’ll start the procurement process for a number of vendors, it won’t come as a surprise that you may need an appropriate increase in staff, allowing you to properly resource a vendor as you’re procuring one rather than after a contract is signed.

You can also expand your vendor management policy beyond your cybersecurity department which will help you take inventory of your vendor and third-party ecosystem. Visibility is a key asset for any cybersecurity department and policy and process is often your best bet when it comes to staying proactive.

How vendor consolidation can reduce organizational load and complexity

As you build out your vendor management policy, you may want to build in points of consideration for vendor consolidation. Even with the best laid-out plans, you may still find yourself not having the resources or budget to have your department manage several cybersecurity vendors who have been added to your environment.

As you plan out your resource management, you may want to think about when you may need to start consolidating your vendors. This means having to use fewer vendors for multiple purposes and prioritizing cybersecurity vendors or partners who provide multiple tools or solutions so there are fewer points of contact.

You may also want to consider partners who offer managed services like a managed detection and response (MDR) provider, a managed solution provider (MSP), or a managed security service provider (MSSP). These partners offer vendor management as a service, bringing their own in-house tools and solutions, or bringing in pre-vetted partners to serve your organizations, managing them, saving your department time.

Which type of partner you should consider depends on your need and current organizational make-up — but many managed service providers are happy to assess your company and tailor their services accordingly.

Learn more about how advanced attacks are transforming MSP endpoint security.

Additional Resources

MDR for MSPs Webinar

Why third-party testing is critical article