In Defense of Data

Vendor Risk Management in the Age of Everything-as-a-Service

Created: 19 Jun 2012 • Updated: 03 Feb 2014 • 3 comments
caroline wong

Organizations now have more choices available than ever before when it comes to outsourcing information management and IT resources to third party vendors. Cloud computing and everything-as-a-service are becoming more popular, and business units in an organization are choosing to conduct more projects with third parties. In an environment where third party services are seemingly easy to use and quick to deploy, an organization’s liability and risk landscape can grow rapidly and with limited oversight. Governance of third party vendors, assessment of risk, and remediation of unacceptable risks are critical to protecting an organization’s reputation, business, and customers. IT Security, Legal, and Finance all play an important role in identifying third party vendor projects that involve accessing and managing an organization’s sensitive data. IT Security has a responsibility to assess the risk of third party vendor projects and to ensure that the highest risks are addressed. A report on best practices for Vendor Risk Management was recently published, and here are some of the key findings.

What are the business and security benefits of managing third party vendors?

  • Reduced data loss
  • Reduced audit deficiencies
  • Reduced internet security threats
  • Reduced liability
  • Reduced costs
  • Reduced business downtime

What are the attributes of the organizations who are strong at third party vendor management?

  • Understand the risks involved in third party vendor management of an organization’s sensitive information or IT resources
  • Proactively gather and assess critical information about third party vendors and their projects
  • Manage well-defined – and automated – processes for onboarding and overseeing new and existing third party vendors

What are the attributes of the organizations who are weak at third party vendor management?

  • Do not understand the risks involved in third party vendor management of an organization’s sensitive information or IT resources
  • Lack vendor management processes

You can download the full report at

3 Comments

AchardMA

Thanks for sharing the report. What I found most interesting was the large number of organizations adding security requirements and standards to their vendor contracts and then never bothering to assess their vendors against those requirements. It made me wonder if the ongoing vendor management was not being done by IT but perhaps the purchasing or legal departments. What do you think?

caroline wong

Thanks for your comment, Melanie.

This type of situation may be a result of a broken process or a lack of process - what if folks in Procurement or Legal don't even know they're supposed to engage IT?

Defining the process and getting stakeholder buy-in to make it happen is critical to the success of any cross-functional program, including vendor risk management.

My recommendation for organizations in this situation is to define and document the vendor risk management process, including who is required to perform each step and what is involved in the execution. Training and auditing can ensure that the process has been properly deployed.

SymInDefenseOfData

Authored by: Ranjith

Enjoyed reading your blog. We have developed a framework called Global Supply Risk Monitor (GSRM); check out for more details...
