August 20, 2020

Last Updated on January 4, 2024

The so-called “iron triangle” of project management says that of better, faster and cheaper you can pick any two, but never all three. Making it cheaper makes it worse, making it faster raises the cost, making it better probably raises both cost and time… You get the idea.
And when it comes to vendor risk management (VRM), you’re lucky to get even one of the three. Despite many well-intentioned efforts, VRM tools and practices have long been a huge time and resource sink for SMBs. No wonder so many SMBs have a weak or nonexistent VRM program, even as headlines and studies trumpet the massive information security risk that vendors present.

What’s to be done about time-consuming, expensive, low-quality vendor reviews?

A recent episode of The Virtual CISO Podcast from Pivot Point Security describes a newly available expert system that turns the VRM iron triangle on its head. Better, faster AND cheaper vendor risk assessments have arrived, and your business can do it, too.
In this unique podcast episode, host John Verry, Pivot Point Security’s CISO and Managing Partner, talks with Kevin Hermosura, Pivot Point Security’s VRM practice lead. Their conversation raises awareness of fundamental VRM problems, and explains (without being “salesy”) how Pivot Point’s Accelerated Vendor Due Diligence (AVDD) solution addresses these long-intractable VRM problems.
As John says, AVDD embodies “20-plus years of our security expertise and our third-party risk management expertise,” and further advances are in the works. Pivot Point has been using the system to streamline risk assessments in its ISO 27001 engagements, and more recently has extended the expert system to automatically create “right-sized” vendor risk management questionnaires. “Risk is risk, whether the scope is purely internal or involves a third party,” John asserts.
As John and Kevin describe, the key challenges that AVDD is designed to solve are the difficulty of scaling a VRM program, combined with the marginal results of one-size-fits-all questionnaires and similar approaches. Canned questionnaires and automated services generally provide an incomplete view of total vendor risk, creating a false sense of security (literally). Multiply that by the dozens of vendors that most SMBs have, and data breaches are the all-too-frequent result.
Not only do conventional approaches often miss the mark on due diligence, but they also largely ignore the shared-responsibility view that is critical to mitigating vendor risk. A questionnaire-driven program inherently tends to put the onus on the vendor without considering the client’s own responsibilities in the arrangement.
Cloud services, cleaning services… all outsourced services imply a shared responsibility model. For example, it’s the responsibility of a custodial service to do background checks as part of hiring. It’s the client’s responsibility to a) confirm that they do so, and b) have a “clean desk” policy to complement that.

How does AVDD help with VRM?

Leveraging a predefined library of vulnerabilities and threats, it calculates the potential risks to your unique business based on the data types the vendor handles, the impact if that data were compromised, and the likelihood of an incident occurring. This business- and vendor-specific risk analysis is then automatically applied to generate highly targeted, vendor-appropriate risk assessment questionnaires.

These questionnaires help drive VRM that is:

  • Better, because targeted questionnaires ask all the right questions and are filled out more comprehensively because the vendor isn’t frustrated by lots of inapplicable questions

  • Faster, because they come back to you quicker and are quicker for you to process

  • Cheaper, because they require less time, are highly cost-effective to generate, dovetail with automation that streamlines overall vendor management, and reduce risk and hence the potential of expensive breaches, data loss from ransomware, etc.
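As an added illustration (this is example code written for this page, not AVDD’s code or Pivot Point’s algorithm), the following Python sketches the mechanism described above: a threat library, a per-vendor impact × likelihood score driven by the data types the vendor handles, and a questionnaire that keeps only the threats scoring above a threshold, with the client’s matching shared-responsibility duty emitted alongside each set of vendor questions. The threat library, ratings, questions and both vendors are constructed assumptions.

```python
from __future__ import annotations

# Constructed impact ratings (1-5) per data type a vendor might touch.
IMPACT_BY_DATA_TYPE = {"public": 1, "internal": 2, "PII": 4, "financial": 4, "PHI": 5}

# Constructed threat library (an assumption for this example, not AVDD's library).
# Each threat: the data types it can reach, a base likelihood (1-5), vendor
# attributes that raise that likelihood, the vendor-side questions that probe the
# relevant controls, and the client's own shared-responsibility duty.
THREAT_LIBRARY = [
    {"id": "T-PHISH", "name": "Credential theft via phishing",
     "data_types": {"PII", "financial", "PHI"}, "base_likelihood": 3,
     "modifiers": {"remote_access_to_client_systems": 1},
     "vendor_questions": [
         "Is MFA enforced for every account that can reach client data?",
         "Do staff receive phishing-awareness training at least annually?"],
     "client_responsibility": "Provision vendor accounts through SSO with MFA and review them quarterly."},
    {"id": "T-INSIDER", "name": "Malicious or negligent insider at the vendor",
     "data_types": {"internal", "PII", "financial", "PHI"}, "base_likelihood": 2,
     "modifiers": {"on_site_staff": 1},
     "vendor_questions": [
         "Are background checks performed on all staff before hiring?",
         "Is access to client data and premises restricted on a need-to-know basis?"],
     "client_responsibility": "Enforce a clean-desk policy and escort on-site vendor staff."},
    {"id": "T-RANSOM", "name": "Ransomware on vendor systems holding client data",
     "data_types": {"PII", "financial", "PHI"}, "base_likelihood": 3,
     "modifiers": {"stores_client_data": 1},
     "vendor_questions": [
         "Are backups of client data kept offline or immutable and restore-tested?",
         "Is endpoint detection and response deployed on systems holding client data?"],
     "client_responsibility": "Keep an independent copy of data the vendor holds and set RTO/RPO in the contract."},
]


def score_threat(threat: dict, data_types: set[str], attributes: set[str]) -> int:
    """Risk = impact x likelihood on 1-5 scales; 0 when the threat cannot reach any
    data type this vendor handles. Impact is the worst reachable data type; likelihood
    is the base rating plus any matching attribute modifiers, capped at 5."""
    reachable = threat["data_types"] & data_types
    if not reachable:
        return 0
    impact = max(IMPACT_BY_DATA_TYPE[d] for d in reachable)
    likelihood = threat["base_likelihood"] + sum(
        bump for attr, bump in threat["modifiers"].items() if attr in attributes)
    return impact * min(likelihood, 5)


def generate_questionnaire(vendor: dict, threshold: int = 6) -> dict:
    """Keep only threats scoring >= threshold for this vendor (highest first) and
    emit their vendor questions plus the client's matching responsibilities."""
    data_types, attributes = set(vendor["data_types"]), set(vendor["attributes"])
    scored = [(score_threat(t, data_types, attributes), t) for t in THREAT_LIBRARY]
    selected = sorted([(s, t) for s, t in scored if s >= threshold],
                      key=lambda st: (-st[0], st[1]["id"]))
    return {
        "vendor": vendor["name"],
        "threats": [{"id": t["id"], "score": s} for s, t in selected],
        "vendor_questions": [q for _, t in selected for q in t["vendor_questions"]],
        "client_responsibilities": [t["client_responsibility"] for _, t in selected],
    }


# Constructed vendors: a custodial firm with building access but no data custody,
# and a payroll SaaS that stores financial PII and reaches into client systems.
CUSTODIAL = {"name": "Shine Cleaning", "data_types": ["internal"], "attributes": ["on_site_staff"]}
PAYROLL = {"name": "PayFlow SaaS", "data_types": ["PII", "financial"],
           "attributes": ["remote_access_to_client_systems", "stores_client_data"]}

if __name__ == "__main__":
    for vendor in (CUSTODIAL, PAYROLL):
        result = generate_questionnaire(vendor)
        print(vendor["name"], [(t["id"], t["score"]) for t in result["threats"]])
        for question in result["vendor_questions"]:
            print("  Q:", question)
        for duty in result["client_responsibilities"]:
            print("  Client:", duty)
```

Run as a script, the cleaning firm gets only the two insider questions (background checks, need-to-know access) together with the client’s own clean-desk duty, while the payroll SaaS gets phishing, ransomware and insider questions. The library’s six questions collapse to the two that matter for the custodial vendor, and the same scoring tells the client what it owes in the arrangement rather than pushing everything onto the vendor.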

If you’re ready for a paradigm shift in how you manage third-party risk and assess your vendors, this Virtual CISO Podcast episode is for you.
To hear this show in its entirety, and also explore the many other episodes in The Virtual CISO Podcast series, click here.
If you don’t use Apple Podcasts, you can find all our episodes here.

TPRM for SMBs guide

Through our 17 years of experience, we've collected these 5 fast-track best practices for implementing a vendor risk management program as a small- to medium-size business (SMB).
Download our free TPRM PDF guide now!