Why Standardized Vendor Security Scoring Doesn’t Work
In business, we rank everything from our website’s placement on Google to our spot on the Fortune 500 list (if we’re that lucky). Rankings represent a relationship between a set of items. For any two items, one will be ranked higher, lower or equal to the other item. As such, rankings tell us where we stand in relation to others in our category. When applied to a scale, it gives us insights into our position or classification and can also convey status or a hierarchy.
In order to rank a group of objects, all objects in the group must have one or more common denominators. It would be futile to try to rank a group of giraffes against a group of astronauts. There is no valid common denominator between these two groups so the resulting ranking would be nonsense. The same can be said for standardized vendor security scoring.
The Flaw in Vendor Security Scoring
Once it was revealed that third-party vendors could pose a serious threat to businesses, the need to score them became evident. Vendor security scoring quickly evolved into a vigilante process of security companies launching vendor risk management (VRM) platforms based on a contrived scoring methodology. Vendors are asked a series of questions and a risk-based measurement is applied to each question in order to achieve an overall ranking or vendor score.
The flaw in most VRM platforms is simple: They are ranking giraffes with astronauts.
Think about the vendors you currently use at your business. You probably use a beverage delivery service that stocks your kitchen with coffee, coffee filters, sugar packets, creamer, etc. The delivery service personnel spend maybe half an hour each week inside your business and typically just access the kitchen area. They have no access to your server room or data, so their security impact on your business is minimal. If your beverage delivery service experienced a security breach, it probably would have no effect on the security of your business.
Your cloud service provider, however, is a completely different animal. They may not spend any time inside your business on a regular basis, but they have access to all of your critical data. You expect them to have appropriate business continuity and disaster recovery plans in place. Their security practices must be top-notch in order to avoid a security breach, which could potentially take down your business and theirs.
Does it make sense to score both of these businesses using the same scoring system? No.
An Industry in Need of Less Standardization
Most VRM platforms available today apply either a numeric (similar to a FICO score) or alphabetic (such as A through F) ranking to vendors. Based on the number or letter applied to the vendor, the resulting score usually places the vendor in one of the following categories: low risk, medium risk, high risk or critical risk. The problem with this logic is that a vendor ranked “low risk” for one business could prove to be a serious security threat to another.
Another issue is oversimplification. By oversimplifying the vendor scoring process, VRM platforms have taken the objectivity out of the equation. As a business, you have no insight into the thresholds set inside the platform that designate one vendor as “low risk” and one vendor as “medium risk.” Without knowing the behind-the-scenes details of how a vendor’s score is calculated, you’re basing your company’s security on a singular metric. Third-party risk is exponentially more complex than this.
Your Participation Is Mandatory
To truly protect the security of your business, your management team should begin by categorizing all vendors. By grouping similar vendors together, such as your beverage delivery service with your office cleaning company, you can begin comparing apples to apples and score these businesses on the same scale.
Once categorized, management should create a scoring system for each category. Identify which risk factors you care about for each grouping of vendors. Next, weigh each risk factor to determine the scoring methodology by category. This scoring methodology becomes the foundation for developing appropriate vendor security questionnaires based on the impact each vendor has on your business.
It is at this point in the process that you should engage a VRM platform, not before. However, you must find one that allows for vendor risk scoring customization, not one that applies set risk values to all vendors. Your customized security questionnaires are integrated with the platform and, once completed, you define the thresholds for low, medium, high or critical risk groups. This is the only way to know the true security impact on your business.
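The category-based methodology described above, as an added illustration (not ProcessBolt's code or any real VRM platform's logic): two constructed vendor categories, each with its own weighted risk factors and tier cut-offs, scored beside the flat one-size-fits-all score it replaces. Every category name, factor, weight, threshold and questionnaire answer here is an assumption.

```python
# Constructed illustration: answers are exposure values in [0, 1]
# (0.0 = control present or no exposure, 1.0 = full exposure). All
# categories, factors, weights and thresholds are assumptions.
CATEGORIES = {
    # Beverage delivery, office cleaning: brief physical presence, no data.
    "facilities": {
        "weights": {"physical_access": 1.0, "background_checks": 0.5, "data_access": 0.0},
        "thresholds": [(0.40, "low"), (0.70, "medium"), (0.90, "high")],
    },
    # Cloud providers: hold critical data, need continuity/DR, rarely on site.
    "cloud": {
        "weights": {"data_access": 1.0, "encryption": 1.0, "bcp_dr": 1.0, "physical_access": 0.1},
        "thresholds": [(0.15, "low"), (0.35, "medium"), (0.60, "high")],
    },
}
# One-size-fits-all cut-offs of the kind the article argues against.
GENERIC_THRESHOLDS = [(0.25, "low"), (0.50, "medium"), (0.75, "high")]

def weighted_score(answers, weights):
    """Weighted mean over the factors this category weights. An unanswered
    factor counts as full exposure, so skipping a question never helps."""
    total = sum(weights.values())
    if total <= 0:
        raise ValueError("category must weight at least one factor")
    return sum(w * answers.get(f, 1.0) for f, w in weights.items()) / total

def tier(score, thresholds):
    """Map a score to a tier; anything above the last cut-off is critical."""
    for limit, name in thresholds:
        if score < limit:
            return name
    return "critical"

def assess(category, answers):
    """Score a vendor with its own category's weights and thresholds."""
    spec = CATEGORIES[category]
    score = weighted_score(answers, spec["weights"])
    return score, tier(score, spec["thresholds"])

def assess_generic(answers):
    """Flat scorer: unweighted mean of the answers, shared thresholds."""
    score = sum(answers.values()) / len(answers)
    return score, tier(score, GENERIC_THRESHOLDS)

# Constructed questionnaire answers for two vendors.
CLEANING = {"physical_access": 0.6, "background_checks": 0.4, "data_access": 0.0}
CLOUD = {"data_access": 0.9, "encryption": 0.2, "bcp_dr": 0.3, "physical_access": 0.0}
```

With these inputs the flat scorer places both vendors in the same "medium" tier, while category scoring keeps the cleaning company at "medium" and moves the cloud provider to "high"; a cloud vendor that leaves the encryption question blank lands in "critical".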
Vendors can easily put the security of your business at stake. Vendor risk management cannot be a “one-size-fits-all” endeavor, nor can it be a process that removes you from the equation. Your involvement is a critical component. Without it, you’re leaving the future of your company in the hands of generalists who know nothing about the unique nature of your business.
To learn how ProcessBolt helps you build a customized vendor risk assessment program with category-based security questionnaires and engages you to define your internal scoring methodology, schedule a demo today.