Your vendors have your data. Some of them have access to your systems. A few of them could take your entire operation offline if they had a bad Tuesday. A vendor risk management program is how you stop finding this out the hard way.
The SolarWinds attack pushed a trojanized software update to roughly 18,000 customers, from which the attackers then picked the targets they actually wanted. The MOVEit breach hit hundreds of organizations through a single file transfer product. The Change Healthcare incident paralyzed claims processing for US healthcare providers for weeks. What do these have in common? In each case the path in ran through a supplier. The victims' own perimeter controls were not what failed first; a product or service they had bought from someone else was.
This is third-party risk: the idea that your security posture is only as strong as the weakest link in your supply chain. You can have perfect internal security controls - MFA everywhere, patched systems, trained staff - and still get breached because your payroll provider, your cloud backup vendor, or your IT support firm had a gap that someone walked through.
A Vendor Risk Management (VRM) program is the formal process for identifying which vendors pose that kind of risk to you, assessing their security posture, setting contractual requirements, and monitoring them over time. Think of it as extending your security program outward to cover the places where your data and systems live outside your walls.
Plain-English definition: Vendor risk management means figuring out which of your vendors could get you hacked if they got hacked, then doing something about it before that happens instead of after.
You cannot manage risk you don't know about. The first step is a complete inventory of every vendor your organization uses - not just the obvious ones like your cloud provider or your IT firm, but the long tail of SaaS tools, consultants, contractors, and service providers that have crept in over the years.
Pull vendor lists from accounts payable, interview department heads, review software installed on company devices, audit your credit card statements for SaaS subscriptions, and check your cloud and identity environment for third-party integrations (OAuth grants, API keys, service accounts). Expect to find substantially more vendors than anyone thought you had. The shadow IT is real.
Record, for every vendor: what services they provide, what data they access (if any), what systems they connect to and with what level of privilege, the internal business owner, the governing contract or agreement, and the renewal date. This becomes your vendor register - the foundation of your entire VRM program.
Not every vendor deserves the same level of scrutiny. Your IT managed services provider that has admin access to your infrastructure is not the same risk as the company that delivers your bottled water. Tiering focuses your effort where it matters.
Risk tiering is how you avoid spending two months assessing your video conferencing vendor while your cloud backup provider hasn't been reviewed in three years. A simple three-tier model works for most organizations:
These are vendors where a breach, outage, or failure would cause significant harm to your organization. Criteria for Tier 1 classification:
Examples: IT MSP, payroll processor, cloud hosting provider, HR system with employee data, financial software with bank access.
These vendors handle some sensitive data or provide important services, but the blast radius of a failure is more contained. A shorter questionnaire and an annual review are appropriate.
Examples: Email marketing platform, CRM system, project management tool with customer data, recruiting software.
These vendors provide commodity services with no access to sensitive data or critical systems. Standard contract terms and a basic security clause are sufficient.
Examples: Office supplies, facilities services, general SaaS productivity tools with no sensitive data, marketing agencies without system access.
For Tier 1 vendors, you need an actual security assessment - not just a checkbox that says "they signed our security addendum." There are three common approaches:
You send the vendor a structured questionnaire covering their security controls. This is the most common approach for small and mid-size organizations because it's scalable and puts the burden of response on the vendor. A good questionnaire covers access control, data encryption, incident response, backup and recovery, subcontractor management, and compliance certifications.
The honest limitation: vendors fill out questionnaires themselves, which means you're trusting their self-reporting. A vendor that says "yes, we have MFA everywhere" might mean "yes, our CEO uses MFA on his laptop." Verify where you can.
Ask for their SOC 2 Type II report, ISO 27001 certificate, or equivalent. These are independently audited, which makes them significantly more reliable than self-reported questionnaire answers. Read the scope, the audit period, and the auditor's noted exceptions rather than stopping at the cover page: a report that covers a different product than the one you buy, or whose period ended two years ago, tells you little. Most mature vendors will have at least one of these. If a Tier 1 vendor has nothing - no SOC 2, no ISO 27001, no independent security assessment of any kind - that's a risk flag worth escalating.
For the most critical vendors, you may want to request results of their most recent penetration test (typically a sanitized summary, not the full report). Some organizations exercise a right-to-audit clause in contracts that allows them to conduct or commission an assessment of the vendor's environment. This is rarely practical for small organizations but worth including as a contractual right even if you rarely exercise it.
Vendor pushback is a data point. A vendor that refuses to provide a SOC 2 report, won't answer security questionnaires, and actively resists your right-to-audit request is telling you something about how seriously they take security. That's information. Use it when deciding whether to renew the contract.
Assessing a vendor's current security posture is only half the job. The other half is making sure your contracts lock in ongoing security obligations. Key clauses to include in vendor contracts:
A vendor assessment done once and never revisited is a snapshot, not a program. Vendors change: they get acquired, their security teams turn over, they add new subcontractors, they get breached. Your program needs to account for that.
Minimum ongoing monitoring activities:
Larger organizations use continuous monitoring tools like SecurityScorecard or BitSight that passively scan vendors' public-facing infrastructure for security indicators. Those ratings only see what is visible from the internet, so treat a sudden drop as a prompt to ask the vendor questions, not as proof of a breach. For smaller organizations, a combination of annual questionnaires and Google Alerts on vendor names gets you most of the coverage at a fraction of the cost.
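The tiering model above and the review cycle described in this section are easy to keep in a spreadsheet, but they are also easy to let drift. As an added example (not code from the original article), here is a small Python script that holds a vendor register, assigns each vendor a tier from its data access, system access and outage impact, and produces a worklist of vendors that are overdue for assessment, approaching renewal, or in Tier 1 with no independent attestation. The specific tier thresholds, the one-year review interval, the 90-day renewal lead time and the sample vendors are all assumptions for illustration; substitute your own Tier 1 criteria.

```python
"""Vendor register with risk tiering and review scheduling.

Added example, not from the original article. The tiering thresholds,
review interval, renewal lead time and sample vendors are assumptions.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Data classes that make a vendor "sensitive" for tiering (assumed list).
SENSITIVE_DATA = {"pii", "phi", "financial", "credentials", "source_code"}

# Independent attestations that count as evidence beyond self-reporting.
INDEPENDENT_ATTESTATIONS = {"soc2_type2", "iso27001"}

# Re-assessment interval per tier, in days. Tier 3 gets contract terms only.
REVIEW_INTERVAL = {1: 365, 2: 365, 3: None}

# Flag renewals this far out so findings can feed contract negotiation (assumed).
RENEWAL_LEAD_DAYS = 90

# Fixed "today" used by the demo so results are reproducible.
DEMO_TODAY = date(2025, 7, 1)


@dataclass
class Vendor:
    name: str
    service: str
    owner: str                      # internal business owner
    contract_renewal: date
    data_classes: set = field(default_factory=set)
    system_access: str = "none"     # "admin", "integration" or "none"
    outage_impact: str = "low"      # "critical", "moderate" or "low"
    attestations: set = field(default_factory=set)
    last_assessment: Optional[date] = None


def assign_tier(v: Vendor) -> int:
    """Map data handled, access level and outage impact to a tier 1-3."""
    handles_sensitive = bool(v.data_classes & SENSITIVE_DATA)
    # Tier 1: a breach or outage would cause significant harm.
    if v.system_access == "admin" or v.outage_impact == "critical":
        return 1
    if handles_sensitive and v.system_access == "integration":
        return 1
    # Tier 2: some sensitive data or an important service, contained blast radius.
    if handles_sensitive or v.system_access == "integration" or v.outage_impact == "moderate":
        return 2
    # Tier 3: commodity service, no sensitive data, no system access.
    return 3


def review_findings(v: Vendor, today: date) -> list:
    """Return the reasons this vendor needs attention now (empty list if none)."""
    t = assign_tier(v)
    reasons = []
    interval = REVIEW_INTERVAL[t]
    if interval is not None:
        if v.last_assessment is None:
            reasons.append("never assessed")
        elif (today - v.last_assessment).days > interval:
            reasons.append(f"assessment older than {interval} days")
    if t == 1 and not (v.attestations & INDEPENDENT_ATTESTATIONS):
        reasons.append("tier 1 with no independent attestation (escalate)")
    # Renewal is when contract security clauses get confirmed, whatever the tier.
    if timedelta(0) <= v.contract_renewal - today <= timedelta(days=RENEWAL_LEAD_DAYS):
        reasons.append(f"contract renews {v.contract_renewal.isoformat()}")
    return reasons


def build_worklist(vendors, today: date) -> list:
    """(tier, name, reasons) for vendors needing action, most critical tier first."""
    rows = []
    for v in vendors:
        reasons = review_findings(v, today)
        if reasons:
            rows.append((assign_tier(v), v.name, reasons))
    return sorted(rows, key=lambda r: (r[0], r[1]))


# Constructed sample register; these are not real vendors.
SAMPLE = [
    Vendor("Acme MSP", "managed IT", "CIO", date(2025, 9, 1),
           data_classes={"credentials"}, system_access="admin", outage_impact="critical",
           attestations={"soc2_type2"}, last_assessment=date(2024, 3, 1)),
    Vendor("PayCo", "payroll", "CFO", date(2026, 1, 15),
           data_classes={"pii", "financial"}, system_access="integration",
           outage_impact="moderate", last_assessment=date(2025, 2, 1)),
    Vendor("MailBlast", "email marketing", "CMO", date(2025, 11, 30),
           data_classes={"pii"}, last_assessment=None),
    Vendor("Springwater", "bottled water", "Office Mgr", date(2025, 8, 1)),
]

if __name__ == "__main__":
    for tier_no, name, reasons in build_worklist(SAMPLE, DEMO_TODAY):
        print(f"Tier {tier_no} {name}: {'; '.join(reasons)}")
```

Run as-is it prints the four sample vendors in tier order: the MSP is overdue for its annual assessment and renews within 90 days, the payroll processor lands in Tier 1 with no independent attestation, the marketing platform has never been assessed, and even the water supplier shows up because its contract renews next month. The point of the worklist is that the register drives the calendar rather than the other way round.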
Stop building questionnaires from scratch every time you onboard a new vendor. Our Vendor Risk Assessment Questionnaire template covers all the critical domains - access control, data handling, incident response, business continuity, subcontractor management, and compliance - in a structured format vendors can actually fill out efficiently.
You don't need a dedicated third-party risk team to run an effective VRM program. You need a vendor inventory, a tiering methodology, a questionnaire for critical vendors, security clauses in your contracts, and an annual review cycle. Start with your five most critical vendors, get those assessed and documented, then expand from there.
The goal isn't perfect coverage of every vendor. The goal is making sure that when a breach happens somewhere in your supply chain - and statistically, it will - you either already knew about the weakness and mitigated it, or you at least get notified quickly enough to respond before the damage compounds.