Although a product may have the initial head start with a certain number of vendors in their product database, we secret shopped some tools and couldn’t get a definitive answer on the percentage amount typically covered by product vendor risk platforms to their client vendor rosters. Also, the quality of that coverage may actually not address the risk analysis and control coverage needed.
Inherently, a platform loses here because it relies on manpower to manage the vendor risk process. A lot of vendor risk companies have actually reached out to us at VerSprite to manage their products for their client installations. A product without a process simply doesn’t thrive. For this reason, there is an inherent dependency on a well-managed vendor risk process that begins with scoping and ends with remediation queues and risk management.
Rolling your own risk evaluation is in a different league from the out-of-the-box risk analysis of a product vendor that may or may not have ever done vendor risk management within an organization. Risk relevance can actually catalyze the speed at which assessments are queued up and completed, simply because most product companies use the full roster of controls from a framework, and those frameworks carry no fewer than hundreds of controls, many of which are not relevant to the context of the service(s) being provided by the vendor. This is why vendor risk frustrates not only the vendors but also the business units that are trying to employ their services.
Products generally fare better here simply because they have open APIs (most of the newer ones; not the older products), so information sharing is possible out of the box. However, custom integrations are possible with a managed service partner that can build custom interfaces, as is the case with VerSprite’s SecOps group, which performs such a function as part of a managed vendor solution.
Vendor risk platforms and services generally run six figures for full coverage. This column is meant to reflect TCO (Total Cost of Ownership). A product alone can’t drive itself: it can’t project-manage the assessment queues, pursue non-conforming vendors, foster remediation, or manage integration with risk registers by itself. A full managed service should include all of the above and more (e.g., SecOps custom integration) so that no hidden fees are present.
Many of the vendor risk tools that are on the market are using UCF or SCF for a comprehensive coverage of a wide list of frameworks (NIST, ISO, Shared Assessments, Google VSA, etc.). The already present multi-framework inclusion puts products out in front. However, companies should be careful to recognize whether their ultimate risk management strategy is simply a gap analysis of these controls.
This happens a lot within organizations: they throw away the risk management playbook for vendors, and their vendor risk management strategy turns into a control gap analysis of the frameworks provided by the tools. A custom managed service with VerSprite can still build a UCF- or SCF-backed solution as part of a tailored vendor risk managed service program.
Both service and product-based solutions will address regulatory requirements from GDPR to FINRA. Most regulations are looking for some level of regard and oversight to sub-processors or vendors in a business’s operations. The difference will ultimately come on what risks are identified by the respective solutions and most importantly, how those risks are actually managed via remediation, transference, avoidance, or acceptance.
VerSprite’s expertise in vendor risk encompasses many layers: operational, technology, security, compliance, and legal risk.
We go beyond audit questions and checklists. Our methodology centers on a contextual risk analysis of vendor services to our clients, coupled with security risk management frameworks that are relevant to your control objectives.