VENDOR RISK ASSESSMENT SERVICES vs. SOFTWARE

Critical Considerations When Choosing Which Is Right For Your Organization


VERSPRITE | Vendor Risk Assessments

© 2021 VerSprite, LLC. All rights reserved. VerSprite is an industry leader in risk-based security services and automation, and has pioneered the PASTA threat modeling methodology. VerSprite offers a strategic partnership to companies looking to evolve their security posture beyond compliance standards.


Organizations outsource various business functions, including payroll services, cloud storage, billing departments, and more, creating insecure access points if those providers are not properly onboarded and vetted. Third-party breaches are among the most common data breaches, accounting for 63% of all enterprise breaches. Performing vendor risk assessments that consider external factors adds value to an organization's business risk management process, reducing your external attack surface and improving enterprise security posture.


Single Vendor Matrix of Risk: Example From A Custom VRA Service

When choosing a vendor risk management solution for your organization, security leaders should weigh the pros and cons of third-party risk management software against vendor risk assessment services to understand which is better for their organization. In this eBook we review seven critical elements, compare how each option stacks up on them, and explain why custom vendor risk assessment services should be your first choice when managing third-party vendors. The seven points are coverage, speed, risk relevance, integration, cost, framework, and compliance.


Vendor Risk Assessment vs. Software Checklist

Already using vendor risk assessments inside your business risk management plan? Use this checklist to ensure you are getting the most out of your software or partner.

Coverage: What percentage of your vendor roster is covered?

Speed: How long does the vendor assessment cycle take?

Risk Relevance: How relevant are the identified risks to your organization?

Integration: Can the assessments be integrated into your remediation workflow for faster remediation?

Cost: What are your net costs after the initial outlay, time investment, and resources?

Framework: How much of the assessment relies on frameworks?

Compliance: Does it cover regulatory requirements?

Coverage

When assessing vendors' risk, it is critical that the data about each vendor be current, accurate, and thoroughly researched, extending to your vendors' vendors. Although vendor risk software may have a head start on collecting information through pre-populated vendor data, the number of relevant vendors included and how current that data is remain unclear. For a product to have an advantage in coverage, it would need to include information about the vendors relevant to your organization.

We evaluated several vendor risk software products and could not find published information, or get clear answers from the sales teams, on the average number of pre-populated vendors. Getting clear answers on how many of the included vendors are relevant to your organization would be even more difficult.

The quality of these existing vendor risk assessments (VRAs) and their depth of analysis were also unclear. The quality of pre-populated vendor data is largely determined by its recency and relevance. If the pre-populated data is old, it will not give your organization an accurate picture of the risks associated with that vendor. More concerning, if you evaluate multiple vendors and there is a substantial difference in the age of their data, the comparison will be skewed.

Ultimately, coverage hinges on the number of VRAs funneled into a process, not into a piece of software, for evaluating each vendor's security posture.

Speed

Setting aside the issue of pre-populated data, a product inherently loses in this category because it depends on a VRA process to populate it and to leverage the software to deliver results.

Software often ships with prefabricated assessment templates, but these may actually slow things down: the templates are commonly carbon copies of one another and not easily adapted to different kinds of vendors (e.g., web hosting companies, data processors, software development groups, material suppliers, etc.). This amounts to your organization communicating through boilerplate: irrelevant and generic questions that yield limited responses and little actionable information.

By comparison, custom managed VRA services deliver strategic assessments with proper prioritization, tailored questionnaires, and contextual analysis. A custom managed VRA service can identify which vendors provide the most critical services and prioritize accordingly, speeding up the assessments that matter most to your organization. Tailored questionnaires remove irrelevant questions and improve vendor responsiveness by reducing the effort and time required to respond. Arguably the most important advantage a managed vendor risk assessment has over an automated software assessment is that your consultant can evaluate and summarize vendor responses in your organization's context and provide actionable insight.

As a result, software may have a speed advantage for starting a vendor risk assessment, but a custom managed VRA service wins the race for delivering relevant, actionable information. For this reason, VRAs depend on a well-managed process that begins with proper scoping and contextual analysis and ends with a residual risk analysis focused on the risk issues through which the vendor would most affect the company.

Risk Relevance

The goal of a VRA is to identify risks that undermine the business. Instead, many VRAs focus simply on finding gaps against overweight frameworks such as the Shared Assessments model (a framework that, after nearly 15 years, is still the de facto framework for VRA measurement due to the lack of ingenuity in the field). VRAs need to scale and to focus on the risks that are relevant to the organization. Some risks identified during a VRA are more relevant than others, and all depend on the nature of the service(s) the vendor provides.

A custom managed VRA service is the clear leader when it comes to relevance. Risk relevance is critical because it considers the vendor's services and products in the context of your organization's business strategy, deployment method, integration model, and more. Off-the-shelf software cannot compete with a tailor-fit service in understanding your organization, your personnel, and your position within your industry, or in using that understanding to identify relevant risks to your operations.

There is no comparison between a risk evaluation tailored to your business and an out-of-the-box risk analysis from a product vendor that may never have done vendor risk management within an organization. Risk relevance lets risk be contextual to your organization rather than to a piece of software. Risk cannot be universally relevant when it comes out of the box and the vendor risk levels are the same for every company evaluating that vendor.

Integration

Software generally fares better on integration simply because most products have open APIs that make information sharing possible out of the box. However, custom integrations are also possible with a managed service partner, like VerSprite, that can build custom interfaces, connections, and automation. Lack of integration with your vendor assessment tool means that only people with permission to the platform can see results or monitor alerts, which delays the overall remediation process through the slow, manual work of obtaining access to reports.

In the end, the goal is remediation, and the integration finish line should be a central risk register or risk issue tracking system. A service firm can easily build custom integrations when needed so that contextually relevant risks from VRAs flow into products like ZenGRC, JIRA, ServiceNow, etc.
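As an added illustration of the integration "finish line" described above (example code written for this page, not VerSprite's code or any product's API), the following Python takes a set of constructed VRA findings and turns them into Jira-style issue-create payloads, skipping findings already tracked so that re-running an assessment cycle does not duplicate tickets. The findings format, the project key VRM, the risk-to-priority mapping and the injected `post` callable are assumptions; the payload field names follow Jira's REST issue-create API.

```python
"""Added example: funnel contextual VRA findings into an issue tracker (Jira-style)
without creating duplicate tickets on re-assessment.

Assumptions (not from the eBook): the findings format, the project key "VRM",
the risk-to-priority mapping, and an injectable `post` callable standing in for
the HTTP client. Field names follow Jira's REST issue-create payload
(fields.project.key, fields.summary, fields.description, fields.issuetype.name,
fields.priority.name, fields.labels).
"""
import hashlib
import json
from typing import Callable, Dict, List

# Map VRA residual-risk ratings to tracker priorities (assumed mapping).
PRIORITY_BY_RISK = {"critical": "Highest", "high": "High", "medium": "Medium", "low": "Low"}

# Constructed sample findings, as a custom VRA might produce after contextual analysis.
SAMPLE_FINDINGS = [
    {"vendor": "Acme Payroll", "control": "MFA for admin portal", "risk": "high",
     "context": "Processes employee PII and bank details for 4,000 staff."},
    {"vendor": "Acme Payroll", "control": "Sub-processor inventory", "risk": "medium",
     "context": "Uses an undisclosed cloud storage sub-processor."},
    {"vendor": "CloudBox Storage", "control": "Encryption at rest", "risk": "low",
     "context": "Stores only marketing collateral."},
]

def finding_key(finding: Dict) -> str:
    """Stable idempotency key: same vendor + control -> same ticket across assessment cycles."""
    raw = f"{finding['vendor'].strip().lower()}|{finding['control'].strip().lower()}"
    return "vra-" + hashlib.sha256(raw.encode()).hexdigest()[:12]

def to_issue_payload(finding: Dict, project_key: str = "VRM") -> Dict:
    """Build a Jira-style issue-create payload that carries the contextual analysis."""
    risk = finding["risk"].lower()
    if risk not in PRIORITY_BY_RISK:
        raise ValueError(f"unknown risk rating: {finding['risk']!r}")
    return {
        "fields": {
            "project": {"key": project_key},
            "summary": f"[{finding['vendor']}] {finding['control']} ({risk} risk)",
            "description": (
                f"Vendor: {finding['vendor']}\nControl gap: {finding['control']}\n"
                f"Business context: {finding['context']}\nRisk rating: {risk}\n"
                f"Finding key: {finding_key(finding)}"
            ),
            "issuetype": {"name": "Task"},
            "priority": {"name": PRIORITY_BY_RISK[risk]},
            "labels": ["vendor-risk", finding_key(finding)],
        }
    }

def sync_findings(findings: List[Dict], existing_labels: set,
                  post: Callable[[Dict], str]) -> Dict[str, List[str]]:
    """Create one ticket per new finding; skip findings already tracked by key label.

    `existing_labels` is the set of finding-key labels already present in the tracker
    (in practice, the result of a label search); `post` sends a payload and returns
    the created issue key. Returns which finding keys were created and which skipped.
    """
    created, skipped = [], []
    for f in findings:
        key = finding_key(f)
        if key in existing_labels:
            skipped.append(key)
            continue
        post(to_issue_payload(f))
        existing_labels.add(key)
        created.append(key)
    return {"created": created, "skipped": skipped}

def demo() -> Dict[str, List[str]]:
    """Offline run: a fake transport records payloads instead of calling a tracker."""
    sent: List[Dict] = []
    def fake_post(payload: Dict) -> str:
        sent.append(payload)
        return f"VRM-{len(sent)}"
    # First cycle: nothing is tracked yet, so every finding becomes a ticket.
    first = sync_findings(SAMPLE_FINDINGS, set(), fake_post)
    # Second cycle: re-running with the same findings must not duplicate tickets.
    tracked = {lbl for p in sent for lbl in p["fields"]["labels"] if lbl.startswith("vra-")}
    second = sync_findings(SAMPLE_FINDINGS, tracked, fake_post)
    return {"first": first["created"], "second_created": second["created"],
            "second_skipped": second["skipped"], "payloads": [json.dumps(p) for p in sent]}

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The finding key is derived from normalized vendor and control names rather than from the finding's text, so a re-worded description in the next assessment cycle still lands on the same ticket; the business context from the contextual analysis travels in the description so the remediation owner sees why the gap matters to this organization.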

Cost

Vendor risk software and services generally run to six figures for full enterprise coverage. Most CISOs fail to consider the operational costs beyond the initial outlay, forgetting the time and resources needed to use the software effectively. The out-of-the-box risk determinations made by software still need to be vetted. Risk issues still need to be triaged internally and communicated to corporate constituents, including legal, procurement, compliance, business units, and technology stakeholders, to produce proper risk analysis and remediation guidance, and that requires process-based investment in risk analysis, contextualization, and education. Although the unit price of a VRA software product may look like an easy way to cross Third-Party Risk Analysis off your security control list, it is critical to understand what auxiliary processes are needed to support internal workflows, and to factor in the costs, time, and expectations around the risk analysis, before assuming that a band-aid will resolve a gunshot wound in third-party risk analysis.

Understanding the ROI (return on investment) for the average software product is straightforward; it is harder to measure for managed services. While it is possible to compare cost, time, and general output, you must also consider several other things a Vendor Risk Management (VRM) partner provides, such as a vested interest in improving security, scalability, proactive streamlining of systems and processes, and improved efficiency.

It is also important to mention that implementing managed VRA services converts the bottom-line impact from Capital Expense (CapEx) to Operating Expense (OpEx).

Framework Alignment

Everyone loves a framework until you are trying to explain why a control within that framework makes sense to a constituent who should be benefiting from the VRA's risk analysis. Remember, the purpose of VRAs is to identify security, privacy, or compliance risks that can affect the business. Frameworks help with identifying security, privacy, or compliance risks, but do nothing to show how those risks can affect the business.

Of course, many of today's VRAs draw on multiple frameworks to present assessment findings through a framework lens. Many vendor risk software products on the market use UCF or SCF for comprehensive coverage of a wide list of frameworks (e.g., NIST, ISO, Shared Assessments, Google VSA, etc.). VerSprite recommends leveraging SCF to create hybrid assessment models that extend well beyond the use of simply a VRA. However useful these software products and frameworks are, companies need to determine whether their risk assessment efforts use the embedded controls to set a control bar (a baseline to be met) or merely to run a gap analysis of controls within those frameworks. A custom managed VRA service with VerSprite can still build a UCF- or SCF-backed solution, but, most importantly, it is more contextually relevant to both the security program and the organization's lines of business.

Compliance

As with frameworks, both risk management software and managed VRA services cover a varying list of regulatory frameworks and requirements.

While vendor risk software gathers point-in-time information from vendors relevant to regulatory requirements, most regulations look for some level of oversight of sub-processors or vendors in business operations. The difference will ultimately be which risks are identified by the respective solutions and, most importantly, how those risks are avoided, mitigated, transferred, or accepted, which is a strategic decision your organization needs to make based on the analysis of those risks. Third-party risk management software cannot compete with a custom vendor risk assessment service for analysis and for advising on risk management strategy.

Software vs. Managed: What Type of Vendor Risk Management is Right For You

This eBook analyzed seven critical elements, coverage, speed, cost, risk relevance, integration, framework, and compliance, comparing vendor risk assessment services with third-party risk management software.

Any interaction between an external party and an organization brings some form of risk that could disrupt your business operations. The risks associated with third-party vendors include cyber threats, compliance issues, reputational loss, financial loss, disruption of business operations, and strategic risks.

When it comes to vendor risk management, one or several factors may influence an organization's decision between out-of-the-box software and partnering with a consultant for a custom solution. Organizations in a startup phase that have staff with some risk experience may succeed with vendor risk management software, keeping costs low while providing basic protection from third parties. Other startup-phase companies have leaner staffing and should consider avoiding the effort of hiring staff, training them to the appropriate level, and purchasing software; for them it is more beneficial, faster, and more cost-efficient to hire a vendor risk assessment partner. Larger consulting firms that deal with many vendors should partner with a consulting firm to create an effective risk management program that includes custom, integrated, contextual vendor risk assessments. When reviewing a third party, vendor risk assessment services can analyze the top risks first, advancing the partnership with the third-party vendor while keeping the organization safe. In any case, managed assessments will not only keep you on track in the onboarding process but will also provide more risk-relevant information, because the assessment is tailored to your organization rather than to a pre-formulated framework. When deciding how to conduct a vendor risk assessment, pick an approach that best fits your organization's overall needs, maturity level, budget, business contingency plan, and capabilities.

Protect Your Organization From Third-Party Risks

VerSprite's vendor risk assessments encompass many layers: operational, technology, security, compliance, and legal risk. We go beyond audit questions and checklists. Our methodology centers on a contextual risk analysis of vendor services to our clients, coupled with security risk management frameworks that are relevant to your controls.

Additional Geopolitical, Risk, and Compliance Resources

Understanding Your Vendor Risks Beyond Compliance