Making Vendor Risk Management Part of Your Security Strategy


When we think of Vendor Risk Management (VRM), there’s usually a policy or a procedure, possibly even a process to follow – and for good reason. The consistent approach that effective VRM gives you should lead to lower financial and strategic risks, increased admin efficiencies, reduced costs and quicker onboarding of suppliers.

A painful lesson this year has taught businesses is that they are only as resilient as the vendors they rely on. A promise is only as good as the ability to back it up. That promise might be to deliver a product on time, or it might be to protect data.

A vendor you work with could be Amazon, where you use their cloud platforms to store and process data. Or it could be the designer who works on your rebranding project every few years but who has VPN access to your file server so she can store digital assets.

VRM does not just mean your one-off process for choosing a supplier, it is a continual review process. Your requirements change, suppliers change their own internal processes, regulatory frameworks change. Security risks change.

Here are some reasons why VRM should be a fundamental part of your cybersecurity strategy.


Every supplier has a different relationship with you, and presents a different set of risks. Not every supplier you use needs to meet ISO 27001 standards. By creating a template that includes a risk/impact assessment, you can ensure that anyone in the organization choosing a vendor conforms to a set of standards appropriate to the relationship.


Many relationships with third parties are a two-way street: access to services and infrastructure flows in both directions through APIs, logins, even physical access. Do you have a list of all of the third parties you share data and access with? Authorization and access should be reviewed regularly to reduce both the likelihood and the impact of a data breach.


Your company’s data could be stolen, held to ransom or used against you as part of a business email compromise scam. Just as you use third parties, those you trust probably do as well. Every requirement that you place on a vendor needs to be at least matched by their own third parties (or is it fourth or fifth parties?).


Yes, compliance, because you can’t talk about risk without mentioning it. Vendors can change where and how they process your data. That can leave you caught out if, for example, you process data on EU citizens and your CRM vendor decides to process or back up that data in another region. It’s just one more thing you need to keep on top of.

Everything’s gone weird.

A vendor choice you made more than a few months ago might not be suitable today. The simple reason is that data that would normally have been processed by people sitting in their secure, certified office environments might now be accessed by people sitting in their bedrooms relying on their own home network security. Indeed, their own suppliers could have an impact on your systems, should appropriate oversight and resiliency not be baked into your remote working environment.

In short…

Like every other aspect of cybersecurity, VRM isn’t a tick-box exercise, it’s a continuous process. Done well, it brings peace of mind. Done poorly or not at all, and your company’s financial and legal responsibilities, as well as its reputation, may find themselves in a much riskier environment than you realize.

Ask the experts at TBG Security how to implement VRM effectively in your business.
