As the number of vendor-related security breaches continues to rise, companies are scrambling to write and send out third-party risk assessments. Vendors, who are required to complete lengthy questionnaires in order to continue doing business with these companies, face an incredible burden. Depending on the industry, some third-party risk assessments are topping out at 600 questions, requiring thousands of hours of work for the vendor. And it’s only getting worse.
According to PwC’s Global State of Information Security® Survey 2018, the number of data breaches attributed to third-party vendors has increased by 22% since 2015. The same survey found that only 52% of companies have security standards in place for third parties. As the regulatory environment changes and regulators begin to recommend, and in some industries require, third-party risk assessments, the number of companies adding security standards will increase.
For vendors, this will result in an increased number of security risk questionnaires each year. It will also require you to hire additional security analysts who will spend most of their workday completing questionnaires in order to do business with your customers.
The Rising Cost of Third-Party Risk Assessments
As the number of companies conducting third-party risk assessments rises, it’s important to understand the costs involved for your business. As a vendor, the number of questionnaires will only increase, and so too will the cost of completing these questionnaires.
Let’s assume you have one information security analyst that is responsible for completing third-party risk assessments on behalf of your company. You pay this security analyst $150,000 annually and you receive 100 vendor risk questionnaires per year. Since every questionnaire is different, let’s assume it takes your analyst an average of 8 hours to complete each questionnaire:
100 x 8 = 800 hours per year completing questionnaires
$150,000 / 2,080 work hours in a year = $72.10 per hour
800 x $72.10 = $57,680 spent completing questionnaires
These numbers are conservative compared to many companies that are managing dozens of third-party risk assessments each week. However, spending more than one-third of your security analyst’s salary answering questionnaires each week is wasting money and your analyst’s time.
You must also take into account the cost of that security analyst leaving for another company. The answers to every questionnaire are stored inside the head of your analyst, not in a central repository. When they walk, so does your information. It’s difficult to put a price on the loss of that much data.
Vendor-Focused Third-Party Risk Assessments
Your security analyst was hired to protect the security posture of your business. Spending more than one-third of their time completing questionnaires for other companies puts your business at risk. Plus, the monotony of completing questionnaire after questionnaire can drive some analysts to seek employment elsewhere.
To ease the burden on your analysts, eliminate the monotony, improve efficiency and safely store your security information, ProcessBolt has taken the vendor’s perspective in mind when creating their vendor risk management platform.
ProcessBolt eliminates the monotony and can save your analysts an incredible amount of time by allowing vendors to upload their standard risk assessment answers into the ProcessBolt Knowledge Base. When a questionnaire is received, vendors submit the spreadsheet to the Knowledge Base and ProcessBolt’s data-matching technology matches the questions to the answers. Any unanswered questions can be assigned to team members, and those answers are added to the Knowledge Base for future use. Artifacts and compliance documents can also be added to the Knowledge Base and attached to the completed questionnaire before it’s sent to the customer.
By utilizing ProcessBolt’s Knowledge Base, vendors can answer each security question once, not over and over again on every single questionnaire. Ultimately, this could reduce the amount of time spent completing questionnaires by up to 90%. According to our previous cost analysis, using ProcessBolt could save your company $51,912 per analyst each year and can free up their time to focus on the security of your own business.
To learn how you can save time, money and resources using ProcessBolt, complete this form to sign up for a demo.