Third-party vendors are essential to businesses big and small, national and global. Outsourcing is big. Offshoring is big. You can’t just move or outsource part of your business halfway across the world or even across the street and have no way of ensuring that it is being well run.

You put your hard-earned money in the bank for someone else to keep safe for you until you need it. You trust the bank but you would surely want to confirm that it’s all there.

You check your balance daily and look at transactions frequently to determine whether any of them are illegitimate. The bottom line, as President Ronald Reagan said: trust but verify. It stands to reason that you should approach your business in the same way.

There are many ways to confirm that proper due diligence is conducted when onboarding a vendor and during the subsequent monitoring. But there are many challenges on the road to establishing a secure and mature third-party program.

Following are 10 challenges you might face:

1.  Getting the right vendor documents

Onboarding a new vendor and performing ongoing monitoring of an existing vendor requires collecting certain documents and completed questionnaires from the vendor.


  • Most vendors take their sweet time to submit the requested documents, especially during ongoing monitoring. When onboarding, they could be pretty cooperative to some extent – wonder why!
  • Some documents submitted may not be exactly within the scope and service.
  • Some documents could be altogether not what was requested.

What you can do

  • Specify clearly what you need. Any ambiguity will lead to confusion and delays.
  • Set roles, responsibilities and deadlines with the vendor and their relationship manager.
  • Actively follow up on deadlines.
  • Don’t be bashful to escalate to the vendor’s business and relationship management.
  • Let the vendor and in-house vendor relationship manager crosscheck what was requested against what was submitted – in terms of scope, service, and date of document, etc. This ensures that by the time it gets to you, some quality checking would have been done.

2.  Contract provisions that protect

Contract provisions are the means to the end in order to protect your business, your company, and its reputation from any negative impact a vendor could have on your organization and its future.


  • Including the right security provisions in the contract.
  • Information security and risk management do not work hand in hand with legal, sourcing, and other groups (for example, business continuity management, privacy, and compliance).
  • Legal does not have templates to work with based on the vendor scope and its service.
  • Contract negotiations do not include subject matter experts.

What you can do

  • Create a list of standard contract provisions that should be included in contracts. Categorize the list based on the scope, service and potential use cases. Work with the legal department to create templates to drive the contract process.
  • Work with all potentially impacted groups in the contract process to make certain all bases are covered.
  • Be an integral part of the contract negotiation process – especially with critical and high-risk vendors.

3.  Risk appetite, risk ranking, risk remediation

An organization’s risk appetite is what drives how to rank vendor issues and how to look at vendor remediation and compensating controls.


  • Though risk management is not a new discipline it may be very new to many information security professionals.
  • Defining the organization’s risk appetite so as not to leave it open for interpretation.
  • Baseline requirements or key controls also may not be defined.
  • The vendor remediation process may not be properly defined.

What you can do

  • Solidify your information security risk management program and ensure corporate buy-in.
  • Once the organization’s risk appetite is determined, determine and document the risk acceptance process.
  • Determine minimum security requirements and key controls.
  • Include inherent risk and residual risk as part of the daily language.
  • Vendor remediation can be easily overlooked so put this task on steroids.
  • Identify who is responsible for continuous assessments and define the process for providing them.

4.  Staff

The importance of vendor assessments is at an all-time high now – across all kinds of businesses, including regulated environments. This necessitates adequate staffing to guarantee that the correct level of focus is given to managing a vendor management program and the changing threat landscape.


  • Good vendor assessors in an information security world are a hard-to-find commodity.

What you can do

  • Be prepared to make it a financially lucrative position and create a stable in-house environment to keep staff challenged and content. Pay attention to the employee and their welfare.

5.  Fourth-party vendors and beyond

Everyone has a third-party vendor these days. It’s the way to do business or so it seems. And that third-party vendor could be anywhere in the world.


  • We engage third-party vendors but rarely know what vendors they are using downstream, who may have access to your data day in and day out.
  • No significant due diligence is being done against these fourth parties and beyond.

What you can do

  • This needs to be addressed during the contract and onboarding phase. Ensure you know the downstream vendors and if and when they change. Regulations are quickly changing and are putting increasing emphasis on recognizing these parties and performing due diligence on them. So keep on top of it.

If you can implement just a few of the above suggestions, you are already on the way towards a mature third-party vendor program. Perhaps the auditors and regulators will give you a pass, seeing that you have an action plan. Think small. Scale big!