Why Vendor Management Questionnaires Need to Be More Efficient

More Data, More Regulations, More Challenges

Each day across the world, organizations are relying on one another for professional services and support in multiple areas. Sometimes, it’s because current staffing can’t support the demands being placed on them. Other times, it’s because internal solutions don’t exist and would be too costly to build. Or it’s just a matter of convenience.

Whatever the reason, companies enter into arrangements with one another for a variety of needs. While not all companies require a contract or an extensive discovery session, many B2B services will — especially when it comes to companies that will be storing information about your organization or your customers’ information. 

In situations like these, it’s common for companies to have a vendor manager or vendor management team to evaluate those service providers and their security practices. One of the ways they initiate this evaluation is with a vendor management questionnaire.

While a standardized vendor management questionnaire would be great, we all know this isn’t possible. Different industries have specific regulations and governing bodies that require certain security and data responsibility practices such as these questionnaires. Healthcare has the Health Insurance Portability and Accountability Act (HIPAA). Retail and others have the Payment Card Industry Data Security Standard (PCI DSS). And the financial services industry has the Gramm-Leach-Bliley Act (GLBA), among others.

Outside of specific industries, domestic companies doing business internationally have General Data Protection Regulation (GDPR) requirements they must follow. And let’s not forget that many states are implementing their own versions of GDPR — including the California Consumer Privacy Act (CCPA), the Ohio Data Protection Act, and the New York Privacy Act.

While vendor management questionnaires vary across these industries, one thing ties them together: keeping companies, and even the client in the relationship, accountable for certain data practices to avoid becoming “the next big breach.” 

The Goal is Important, But the Process is a Problem

As the use of cloud-based services and other third-party solutions increases, so does the use of vendor management questionnaires. It has to happen, and it should happen, but we’re making this process harder on ourselves than it has to be. There are a few reasons behind this:

1. Lack of internal development or process means companies are using third-party questionnaires. These questionnaires range from 20 questions into the hundreds and likely don’t fit your organization. In some instances, companies are making up their own questionnaires, which is an unnecessary effort. Sometimes, the questions don’t even align with the services being provided. Some organizations even outsource the entire questionnaire to a third party — further weakening its connection to their business. 
2. Once the questionnaire is received, what happens next? Not every company has a defined process, so this can include anything from a few more rounds of questions to a simple approve/reject decision with little context on the decision itself.
3. The people responding to vendor management questionnaires are typically entry-level or analyst-level positions. Senior roles are often not involved except for a final review. If something were to be missed or poorly explained, this can have a significant impact on the resulting business decision.

While the responder must be truthful in their responses on the questionnaire, navigating these vendor management challenges quickly becomes a burden (and will be a burden for the issuer soon, too).

It’s Only Going to Get Worse

The regulations mentioned above are just the beginning. As breaches, scams, and other cybercrimes continue to increase in frequency, governing bodies, industry associations, and even organizations themselves will be placing greater emphasis on regulation and control. In turn, this means more assessments will be built and sent out to third parties. The assessments themselves will continue to grow and will also include more and more privacy-related questions.

As the scope of these vendor management questionnaires continues to expand, the demands placed on third-party vendors who are answering multiple questionnaires at a time increases, too. What can be done to make this process more efficient?

Nothing Changes if Nothing Changes

This applies to both the company issuing the vendor management questionnaire as well as the company responding to it. Whether you’re looking for information security services, are an organization providing them, a retailer or manufacturer looking to protect customer data, or a company that can take care of that for someone else, consider what you’re really asking your prospective third-party service providers. There are a number of vendor management best practices that you can employ to make the process more efficient.

Vendor management security questionnaires are important. They need to be asking the right questions — questions that matter in your industry, to your company, and to your customers (and of course, to regulators). More importantly, these questions will help you better define and narrow down the kind of vendor you really want to be working with.

Also, consider how you’re handling vendor management questionnaires internally. Issuers: is this a function for junior staff? What questions are they asking? Are they qualified to review responses? Responders: who’s answering the questionnaire? Are they qualified? Do they actually know the responses? Are they checking with people who do know? Are they verifying with senior leadership?

As for risk, you may be in a situation where a preferred vendor or the leading candidate for a service actually carries more risk than expected or wanted. But should that immediately disqualify them? What are the circumstances, particulars, etc.? Collaborate with your vendors to understand why a risk is in fact a risk. Finding a solution often comes down to having a conversation.

For companies looking for third-party help, integration early on is also important. Approving a vendor for use doesn’t mean everything’s easy going forward. How do they get set up? Who are the stakeholders? How are their services deployed? Additionally, can anything be automated to further reduce the burden on your company?

Screen Wisely

We’d like to hear your thoughts on this multi-industry challenge as well as share how we navigate this process as a third-party information security services provider. Inversion6 supports a number of clients with vendor management questionnaire responses and more, saving them significant time and hassle. Fill out the form below to learn more.