Expanding Security Data Sources in Third-Party Risk Management
The purpose of a third-party security assessment is to validate and document that a given vendor meets your standards and requirements. You are also measuring the inherent risk levels of the vendor so you can understand the right resources to allocate toward monitoring and mitigation.
It’s important to start with these outcomes because the process-related challenges of third-party risk management (TPRM) can sometimes overshadow the risk-management goals we’re actually trying to achieve. Many organizations struggle because the TPRM process is highly manual, they lack sufficient resources to assess at the frequency and depth that’s necessary, and they face increasing pressure and demand from across the business.
In summary: Vendor risk teams don’t have the information they need fast enough to truly assess and manage risk.
The “Single Track” Data Problem in TPRM
The most common approach to TPRM is the linear, questionnaire-based approach:
- Questionnaire is sent manually to vendor
- Vendor responds manually (eventually and often not completely)
- Manual follow-up for clarification and supporting documents
- Manual review of documentation and questionnaire responses
- Collate information to generate a risk summary
This is a single-track model because the security questionnaire is the sole data source for assessing your vendors. The problem with this process is not that it can’t be effective; it’s that it requires a massive amount of manual effort AND a great deal of cooperation from a willing (and ultra-responsive) vendor in order to succeed.
Because it is so time and resource-consuming, many organizations simply choose to assess fewer vendors (93% of respondents in our 2024 TPRM Impact Report) and conduct less-detailed assessments (96%). And the manual burden on the vendors from the questionnaire-only approach means they often simply won’t respond to your detailed, customized request.
Supplementing the TPRM questionnaire with additional data sources
There are a variety of data sources that can expand the information you’re able to collect and analyze from your vendors so the lone questionnaire isn’t a chokepoint for decision-making data in the TPRM process. It’s important to understand these data sources, how they are collected, and the level of assurance provided by each.
- Third-party security ratings: Ratings agencies like RiskRecon automatically scan a vendor’s internet-facing assets to produce a vendor security score. Treat this as a general barometer for risk rather than in-depth continuous monitoring: the score reflects only what can be observed from outside the vendor’s network (exposed services, certificate and DNS hygiene, and similar), so it says little about internal controls such as access management, change control, or incident response.
Assurance Level: Weak
- Public and private trust centers: Most vendors will publish a subset of their security information through a publicly available trust center. Others will create private trust centers that include more sensitive information and may be customized to the needs of their common customer types; access to these is often gated behind an NDA. Keep in mind that trust-center content is self-attested by the vendor, which is why it earns limited assurance on its own.
Assurance Level: Weak to moderate
- Independent Audits/Certifications: Many vendors will hire an outside firm to conduct a thorough security audit of their capabilities and controls. The findings are then captured in a detailed report, such as a SOC 2 Type 2 report, or in a certification such as ISO/IEC 27001. Vendors are also usually willing to share these audit reports during the assessment process—even if they aren’t willing to manually respond to a custom questionnaire. Before you credit an audit, check its scope (which systems and services are covered), the period it covers (ask for a bridge letter if that period has ended), and any exceptions or qualified opinions the auditor noted.
Assurance Level: Strong
- “Unstructured” data sources: If the majority of your vendor assessments are conducted by questionnaire, it’s likely that you have previously completed assessments saved in some SharePoint folder or other repository. Completed questionnaires, security documentation, or other “unstructured” security data likely lives in different places across your ecosystem. While these sources are often disorganized or unsystematized, they can be a valuable resource for your TPRM team. Check the date on a prior assessment before reusing it; answers about a vendor’s environment age quickly.
Assurance Level: Moderate to strong
- Customized or standardized questionnaires: Yes, you read that right! We’re not here to bash the questionnaire, because there are lots of good reasons to use it as a data source. Standardized questionnaires (such as the SIG or the CSA CAIQ) can be the most straightforward way to demonstrate regulatory compliance, and they are a lighter lift on your vendors because one completed copy serves many customers. Customized questionnaires are attuned to your specific security requirements and can be an excellent and expedient way to organize information for understaffed and overtaxed TPRM teams that may be responsible for hundreds of assessments every year.
Assurance Level: Strong
How to incorporate more data sources into the TPRM process
It’s one thing to identify a range of data sources to expand your knowledge during an assessment, but bringing all that information together into a usable form can be a huge challenge. When building a more data-rich TPRM process, here are the key foundational steps:
Create a system of record
Multiple data sources usually means multiple data repositories. Many companies still work from a combination of various software tools, shared drives, or even email and spreadsheets.
A single system of record is not just a repository for security data to centralize information; it’s also a hub of collaboration so that business units impacted by TPRM (Procurement, IT, InfoSec, Compliance, executive leadership, etc.) can communicate, share, and view reporting. This centralization makes it easier to access multiple data types quickly, and it also creates a foundation for any automation you may incorporate as your program evolves.
A purpose-built TPRM solution may be helpful, but there are a few things to consider when making a selection that’s right for you:
- Is it easy to use and integrate with existing workflows?
- Is it flexible enough to scale as my business grows or needs change?
- Do I have documented processes for utilization as part of procurement or vendor selection?
- What kind of reporting is possible through the platform?
- Are there opportunities to automate?
Understand your control sets
Control sets serve as a kind of filter system for risk. They allow you to understand which risk factors uniquely impact your business, what information is essential to evaluate a vendor’s security posture, and what your overall risk tolerance is.
When it comes to utilizing more data sources during vendor risk management, control sets can help you understand the level of assurance that is necessary so you can target the right data for the right vendor. For example, if the only controls that matter for a specific vendor can be found in a publicly available trust center, that can rapidly expedite your standard process without cutting corners on risk.
Have a strong risk ranking methodology
Risk ranking works hand-in-hand with your control sets to assign a simple, consistent risk score to all your vendors so you can see at a glance which vendors are high or low risk. The risk criteria for your ranking system should incorporate things like the type and volume of data the vendor has access to, the number of systems they have access to, their criticality to your business, and their disaster recovery policy.
Disciplined risk ranking also helps you determine the right data sources for your assessment. High-risk vendors require high-assurance data sources (like a SOC 2 or fully completed questionnaire) and may need to be reassessed frequently; low-risk vendors may only require more cursory or infrequent assessments.
You can learn more about building a strong risk-ranking methodology here.
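To make the tiering and evidence-matching rules above concrete, here is an added example (not Whistic’s code, and not a description of its platform): a small Python module that scores a vendor’s inherent risk from the criteria the article lists, maps the score to a tier, and then checks whether the evidence collected reaches the assurance level that tier requires, discounting evidence older than the tier’s reassessment window. The weights, thresholds, cadences, and the `Vendor` fields are assumptions chosen for illustration; the per-source assurance levels follow the article’s list, using the lower bound wherever the article gives a range.

```python
"""Vendor risk ranking and evidence-sufficiency check (added example, not Whistic's code).
Weights, thresholds and reassessment cadences are illustrative assumptions."""
from dataclasses import dataclass, field

# Ordinal assurance scale so levels can be compared.
ASSURANCE = {"weak": 1, "moderate": 2, "strong": 3}

# Data sources and the assurance each provides, per the article's list.
# Where the article gives a range, the lower bound is used so partial or
# self-attested coverage is not silently over-credited.
SOURCE_ASSURANCE = {
    "security_rating": "weak",
    "public_trust_center": "weak",
    "private_trust_center": "moderate",
    "soc2_type2": "strong",
    "iso27001_cert": "strong",
    "prior_questionnaire": "moderate",
    "custom_questionnaire": "strong",
}

# Minimum assurance and reassessment cadence per tier (assumed policy values).
TIER_POLICY = {
    "high":   {"min_assurance": "strong",   "reassess_months": 12},
    "medium": {"min_assurance": "moderate", "reassess_months": 24},
    "low":    {"min_assurance": "weak",     "reassess_months": 36},
}


@dataclass
class Vendor:
    name: str
    data_sensitivity: int   # 0 none .. 3 regulated/PII (assumed scale)
    record_volume: int      # 0 none .. 3 very large volume (assumed scale)
    systems_access: int     # 0 none .. 3 production admin (assumed scale)
    criticality: int        # 0 none .. 3 business-critical (assumed scale)
    has_dr_plan: bool
    # Evidence on file: (source name, age in months since it was produced).
    evidence: list = field(default_factory=list)


def inherent_risk_score(v: Vendor) -> int:
    """Weighted sum of the article's risk criteria (weights are assumptions). Max is 33."""
    score = (3 * v.data_sensitivity + 2 * v.record_volume
             + 3 * v.systems_access + 2 * v.criticality)
    if not v.has_dr_plan:
        score += 3  # no disaster recovery policy raises inherent risk
    return score


def tier(score: int) -> str:
    """Map a score to a simple, consistent tier (thresholds are assumptions)."""
    if score >= 20:
        return "high"
    if score >= 10:
        return "medium"
    return "low"


def evaluate(v: Vendor) -> dict:
    """Decide whether the evidence on file satisfies the vendor's tier policy."""
    score = inherent_risk_score(v)
    t = tier(score)
    policy = TIER_POLICY[t]
    window = policy["reassess_months"]

    usable, stale = [], []
    for source, age_months in v.evidence:
        level = SOURCE_ASSURANCE[source]
        # Evidence older than the tier's reassessment window does not count.
        (usable if age_months <= window else stale).append((source, level))

    best = max((ASSURANCE[level] for _, level in usable), default=0)
    best_name = next((n for n, rank in ASSURANCE.items() if rank == best), "none")
    return {
        "vendor": v.name,
        "score": score,
        "tier": t,
        "required_assurance": policy["min_assurance"],
        "best_assurance": best_name,
        "sufficient": best >= ASSURANCE[policy["min_assurance"]],
        "stale_evidence": [source for source, _ in stale],
        "reassess_months": window,
    }


if __name__ == "__main__":
    # Constructed sample vendors for demonstration.
    samples = [
        Vendor("PayrollCo", 3, 3, 2, 3, True,
               [("security_rating", 0), ("public_trust_center", 1), ("soc2_type2", 15)]),
        Vendor("SwagVendor", 0, 1, 0, 1, True, [("private_trust_center", 2)]),
        Vendor("TicketingSaaS", 2, 2, 1, 1, False, [("prior_questionnaire", 6)]),
    ]
    for vendor in samples:
        print(evaluate(vendor))
```

Run as-is to see one vendor in each tier. PayrollCo lands in the high tier with only a stale SOC 2 on file, so the check reports it as insufficient and names the stale report; that is the signal to request a current report or bridge letter rather than accept a weak rating as a substitute.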
Evaluate resources and seek opportunities to automate
Time and resources are the greatest limiting factors in third-party risk management. Linear, single-track TPRM might be a necessity if you have a small team that is responsible for assessing many vendors. Do you have the headcount, the time, and the right solution to expand your data access effectively?
Questionnaires alone aren’t really the answer to limited time and resources, because they actually make it harder to collect and synthesize information. In fact, questionnaire-based assessments devote most of the precious resources you do have to manual, administrative tasks: email, spreadsheet management, and follow up. When vendors send documentation like a SOC 2 instead of responding to your questionnaire, you end up having to find all the answers you need yourself, line-by-line in hundred-page reports.
Facing the option of so much manual work or simply accepting risk, many companies are just taking the risk. But that’s not a long-term solution as companies trend toward more vendors, and as vendor vulnerabilities lead to more breaches. Automating the assessment process is the only way to maximize resources AND assess all the vendors you want at the depth you need.
Advancements in AI make such automation possible. Building from your foundation of a single system of record and established TPRM workflows, AI makes it possible to query all the security data sources you collect, regardless of their form.
That means a SOC 2 can be quickly summarized according to your controls (instead of you reading every word). It also means that the questionnaire isn’t a chokepoint for security data anymore; AI-powered assessments are able to automatically incorporate information from the data sources you DO have and apply that information to your custom questionnaire.
You can also prompt AI using your custom questionnaire. The AI engine understands question intent, so it can identify answers to your specific questions and cite evidence from existing documentation. You maintain oversight and control access, so you remain the final checkpoint in the process: an AI-generated answer is only as good as the evidence it cites, so verify each citation against the source document before accepting it.
Whistic’s Assessment Copilot is fully automated, AI-powered TPRM
Whistic’s suite of AI capability is designed specifically for resource-strapped TPRM teams looking to expand their access to security data; make better, faster decisions; and fully assess all the vendors they want in a fraction of the time—without adding headcount or cutting corners on risk.
Built around Whistic’s Knowledge Base as the system of record, Assessment Copilot draws on myriad data sources with the help of:
- SOC 2 Summarization: Builds customized summaries of lengthy audit reports based on your unique risk criteria, giving you the assurance you need without the manual steps. SOC 2 summaries are also information-rich and easily digestible for senior management, so it enriches your overall reporting.
- Vendor Summary: Allows you to input your specific controls and automatically check for compliance against a vendor’s documents or trust center.
- Smart Response: What if you could use any questionnaire you wanted for any vendor, and get detailed responses 100% of the time? With Smart Response, you can use your own questionnaire to query structured or unstructured vendor security data and return plain-text responses, a confidence score, and citations within the documents for reference. You maintain total control for accepting or rejecting an automated response, and every accepted response is added to your document repository to expedite future assessments.
The Whistic Platform is built on a foundation of AI that integrates seamlessly with your existing workflows to give you faster, easier access to a wide variety of security data. If you’d like to be getting more out of your TPRM program, we think Assessment Copilot can help. Let us prove it to you. Sign up for a quick, consultative walk-through today.