Last Updated on March 7, 2022
What will be the key trends shaping the information security space in 2022? John Verry, Pivot Point CISO and Managing Partner, offers his outlook on 2022 in a fast-paced briefing format on a recent episode of The Virtual CISO Podcast.
John’s #6 prediction follows from a longstanding industry challenge that the evolving cyber-crime and regulatory landscapes have magnified: vendor risk management. Vendors constitute a significant risk that companies must address, yet the associated due diligence is costly and time-consuming. In John’s view, a high percentage of firms will look to rationalize their vendor lists in 2022 in an effort to reduce their risk management burdens.
Typical vendor due diligence costs
“Companies are going to look to reduce the number of vendors they use. This could significantly impact you as a user of vendors, or if your business is typically a vendor to your clients; if you’re a CSP, a business process outsourcer or a law firm, for example.”
John continues: “Recently I had an interesting conversation with a Fortune 500 firm. I was talking with their vendor due diligence people about potentially doing some work for them in that area. They mentioned to me that they had approximately 700 law firms in their vendor database. Generally speaking, if you can do vendor due diligence on a partner for… the cheapest I’ve heard with orgs building their own programs and outsourcing to a lower-cost offshore facility… you might hear between $1,200 to $1,400 per vendor. If you’re doing it onshore, you’re typically going to hear an average cost of about $2,000 per vendor.”
“So think about it from that perspective: if they’ve got 700 law firms, that’s $1.4 million worth of vendor due diligence. And this enterprise had a stated goal of reducing that number by 75%, which makes complete sense,” adds John.
The only logical response
A theme of this podcast is “the only logical response.” In this case, reducing the number of vendors is simply a logical response to the cost and complexity of managing more and more third parties, especially as businesses rely more heavily on cloud services.
Another contributing factor is overall supply chain risk, sometimes called “fourth-party” risk. This is the risk to you from your vendors’ vendors. How do you know if a vendor is doing the right things security- and privacy-wise with its supply chain partners? That’s a tough question to answer with confidence. But one thing is for sure: the fewer vendors you have, the less supply chain risk you need to worry about.
Finally, John notes the shortage of qualified people to handle all this vendor research. When you reduce the amount of due diligence you need to do, you reduce the impact of that staffing shortage along with associated payroll costs.
Concerned about third-party risk? Here’s a recent blog post that explores why this function is so problematic for so many businesses: The Not-So-Great State of Third-Party Risk Management.