Written by: Jason McLarney

In an ever-growing globalized business landscape, organizations rely on hundreds or even thousands of vendors for various services. But what happens if one of these vendors has a vulnerability that could compromise your business’s operations, intellectual property, or sensitive customer data?

In these situations, you ultimately want the vendor to do something about your concerns, as failure to do so could put your business at risk or go against compliance requirements. However, there are right and wrong ways to reach out to your vendors about your security issues. 

In order to successfully collaborate with your vendors, it’s essential to focus on the data points that matter most and provide actionable, concrete suggestions for next steps. Let’s dive into what this type of collaboration looks like practically and how to avoid common roadblocks along the way.

But What If My Vendors Aren’t Interested in Collaborating?

It might sound challenging to facilitate strong vendor collaboration because you’ve been “ghosted” by vendors before. It’s a common story: a team wants to address third-party risk with their vendors but gets ignored when they reach out. To understand why this happens, we have to look behind the scenes at what’s really going on with the vendor. 

Lack of response often happens because your team sent outdated/vague data, or worse yet, asked the vendor to fill out a generic questionnaire. Either way, the vendor is likely overwhelmed by other customers’ concerns, leading to inaction when they receive unactionable data or time-consuming questions without any reward.

But if the vendor’s job is to service their customers, why is feeling overwhelmed an issue? There are two main reasons why. For one thing, vendors tend to get bombarded by countless customers’ concerns daily and have no way to satisfy all requests. For another, they aren’t getting good, actionable data that makes it clear that a change needs to be made. So what do they do? They give up and risks are not reduced.

What Conversations With Vendors Should Look Like

Timely, clear, and data-backed communication with these overwhelmed vendors can make all the difference. Your goal should be to avoid vagueness when you correspond with the vendor in question, instead giving them the context and data they need to take the best next steps. The conversation should look like the following:

Proactive

As you start new relationships with vendors, set a foundation of clear communication in case future issues arise. Introduce yourself to key contacts so you have an open line of communication and a Rolodex of resources to call upon if needed. Openly share your willingness to collaborate and be a partner to your vendor.

Timely

Choose an opportune time to bring up your interest in collaborating with a vendor to mitigate risk. It’s a great idea to bring up this risk conversation when you have their undivided attention, such as during onboarding or renewals (mainly, when a contract needs to be signed). When the time is right, explain to the vendor that you’ll proactively share risk intelligence to help them mitigate potential threats as early as possible (like a spike in ransomware susceptibility). It’s essential not to bombard your vendor with requests at this stage. Set the precedent that you’ll only contact them with the best-quality data and most pressing issues.

Clear, data-backed, and actionable

When you do bring an issue up to a vendor, it’s important to offer clear information about the risk, including the following details: 

  • What the risk is and the effects it can have if left unmitigated
  • The specific susceptible assets found in the vendor’s environment
  • Step-by-step actions to remediate the risk
  • Data that backs up the above information
  • A proposed remediation timeline
  • The benefits of mitigating the issue
  • A point of contact to reach out to in case they have questions

You should provide enough data points to paint a clear picture of the risk without overwhelming the vendor team. Plus, sending high-quality and highly targeted data is mutually beneficial for both you and your vendor. Proving that you can send valuable, actionable insights will ultimately bolster the relationship. 

Partnership-focused

To ensure that you only bring up the most essential information, your team should do some groundwork before contacting the vendor. This process starts by involving the right internal stakeholders. If the risk you’ve uncovered will affect any other teams at your organization, such as business unit owners and executive leadership, it’s a good idea to speak with them first. In many cases, one of these other teammates will have a strong relationship with the vendor and you will end up playing an advisor role in helping them facilitate this conversation. You should only bring a concern to a vendor once you’ve exhausted all internal options and checked vendor resources such as status pages.

Top Two Roadblocks to Effective Vendor Collaboration

Maybe all of these characteristics of strong vendor communication sound great in theory but challenging to do in reality. There are two reasons why many businesses feel this way.

1. Scalability

Managing third-party risk at scale can be a massive undertaking. To start a single risk-related conversation with a vendor, you might find yourself following a rabbit trail of communications. You might uncover a vulnerability in one system but then need to bounce between other applications to get business unit owners, executive leadership, and/or the vendors themselves into the conversation. It’s a cumbersome process that many security teams don’t have time or resources to do, making it challenging to scale up third-party risk management efforts and secure a large vendor ecosystem. As a result, it can be challenging to facilitate strong partnerships, leading to breakdowns in communication with vendors.

2. Reporting

As mentioned previously, vendors need their customers to provide precise, actionable data. However, many of today’s third-party risk management options simply don’t offer this type of rich data, and it’s not rooted in a common language based on open standards like MITRE and NIST. This erodes trust from the start. In fact, most only provide a retroactive look at a vendor’s cybersecurity posture, which doesn’t help identify potential future threats or offer actionable remediation steps to mitigate those risks. 

It’s also challenging to gain a clear vantage point of your vendor relationships and third-party risk without end-to-end reporting. In some cases, it’s even possible for vendors to go unnoticed in a large cyber ecosystem, increasing the possibility that they could be caught unawares by a third-party risk (or a risk from within the vendor’s own ecosystem). Ultimately, if you don’t have the right data in the first place, there’s no way to share it with your vendors.

A Better Way to Collaborate with Black Kite

Black Kite has seen these challenges play out many times: a team wants to provide better data to their vendors and facilitate a more responsive and collaborative relationship, but lacks the resources and time to do so. 

That’s why we offer a centralized platform for cyber third-party risk management. Our customers have access to granular, real-time data based on industry-accepted frameworks and centralized vendor dashboards that enable them to see and understand the risk level of each vendor relationship. Our solution enables you to:

  • Access rich, asset-level data that identifies vulnerabilities and zero-days before most other companies even know about them. 
  • See how risk data maps directly to the MITRE ATT&CK framework and which remediation steps to take.
  • Leverage out-of-the-box reporting & automation tools to scale with the same team size and resources.

Further, customers can leverage the new Black Kite Bridge™ to scale vendor collaboration and response to emerging threats. With this capability set you will be able to:

  • Identify vulnerable vendors and share timely intelligence through a vendor-curated experience, in only a few clicks.
  • Track & report remediation progress in a centralized dashboard.
  • Benefit from the entire Black Kite Bridge™ community (other customer-vendor relationships) in a joint effort to respond to emerging threats and raise the cybersecurity of the supply chain.

Read more about how Black Kite Bridge™ can strengthen your vendor relationships in our blog, “Introducing Black Kite Bridge: Vendor Engagement to Reduce Supply Chain Risk at Scale.”

Ready to see what Black Kite’s cyber risk detection and response platform can do for you?