Third-Party Risk Management: How to Get Your Vendors on Board

So you’ve finally stood up a proper third-party risk management (TPRM) program. You’ve got your vendors inventoried, their risks assessed and technologies selected to keep them on the straight and narrow. That was the easy part, believe it or not. Now, you’ve got to convince all your vendors (or any third party or contractor!) to get in line and do things the new way. No more using SSH or RDP to pop right into the heart of your network. No more nailed-up VPNs without segmenting. And, probably most annoying to them, filling out your annual vendor assessments.

Where do you even start to get that part done? Because here’s the issue: If you don’t get them to participate, all the hard work on your third-party risk management program can come to naught. Here are a few strategies for not only getting vendors to fully participate but also lowers your third-party risks. 

The ‘Stick’ Method for Risk Management

If you’ve done all the nagging and cajoling and you’ve still got a few vendors who just aren’t getting with your third-party risk management program, it’s time to turn up the heat. You can try throwing a wrench in renewals negotiations to gain their cooperation. You might rate them as a high-risk vendor and require them to jump through additional hoops to get access. And finally, when it comes down to brass tacks, you can simply “sunset” the old processes and technology so they are forced to use the new methods for access. Sometimes this staring contest fails, but most vendors will eventually fall in line—especially once their revenue and efficiency ratings are on the line. 

It’s the Law!

If threats don’t move them, you can fall back on legal requirements if you are in an industry that has regulation over third-party risk. This includes most industries now, with privacy regulations that affect every vertical, such as GDPR and CCPA. If needed, make sure you also leverage your compliance officer and staff for more firepower in your third-party risk management program. If their reticence could cost you fines and citations, then the CFO and other power brokers will add their voices to yours. The vendors themselves are often under these regulations as well, so you can also bring in their internal risk people who will understand how important it is and push to get it done. Though most breaches or issues are tied to the enterprise, vendors are also under fire, too. Let’s not forget AMCA who filed for bankruptcy just months after their data breach.

Using a Solution Your Vendors Use

This shouldn’t be the first criteria for picking a vendor access platform, but it does make it a lot easier. Do a survey of your vendors to see what technology they know and use with other customers and why they use that solution when you’re looking for a new platform. This can also be a valuable feature and customer service research while you’re searching. In addition, this is a great way to better understand what your vendors use, and if there is a product that your vendors have in common, it should definitely make it onto your list when researching. 

On top of all the other benefits, a big one is that it eliminates one of the larger problems (and one of the most stressful parts when changing platforms): dealing with giant, well-known vendors with which you have little leverage over. If you are using the same platform as them, no migration required, and there’s one less vendor to deal with on the tech side. Everybody wins! 

Third-Party Risk Management: Don’t Do it Alone!

Getting a large number of vendors on board to a new access platform can be a significant amount of work, even for ones that are easy to implement. The act of tracking down the internal owners, setting up meetings, training and more can amount to dozens of hours for a single vendor. If they offer it, use professional services from your vendor for this. They will have the most experience with their platform and there won’t be finger-pointing when something goes wrong.

The cost for such a service can vary widely; some solutions include this in their implementation services, others charge significant sums and sometimes it can be even more than the original license costs. This can also be a negotiating point when talking to solution providers. They will often throw implementation services or discount it heavily to get the recurring revenue of your contract, especially if it is multi-year. Even if you have to pay, it is well worth the price to have the extra help and be able to put the responsibility on them to make sure your third-party risk management program is fully successful. 

Without doing this last step properly, your whole third-party risk management program can be put at risk. Vendors who can’t or won’t move can derail the whole project. This also might be a red flag when thinking about your vendor relationship! Thinking ahead when designing your third-party risk management program about the vendor implementation part can avoid this issue and get your vendors using more secure methods as quickly as possible. 

Avatar photo

Tony Howlett

Tony Howlett is a published author and speaker on various security, compliance, and technology topics. He serves as President of (ISC)2 Austin Chapter and is an Advisory Board Member of GIAC/SANS. He is a certified AWS Solutions Architect and holds the CISSP, GNSA certifications, and a B.B.A in Management Information Systems. Tony is currently the CISO of SecureLink, a vendor privileged access management company based in Austin.

tony-howlett has 14 posts and counting.See all posts by tony-howlett