The Bedel Security Blog

Key to Successful Vendor Management Program: Walk Before You Run

Written by Chris Bedel | Aug 24, 2016

[caption id="attachment_683" align="alignnone" width="1344"]

I have some colleagues who disagree with this approach, but I’ve seen far too many of my clients attempting to implement some complicated, fully matured, vendor management program that they found in a template or purchased somewhere, only to find that is just too difficult to get their arms around.

It probably came from a bank that implemented it several years ago, and has gone through many cycles with tweaks and improvements along the way.  You can't package that up, drop it in an organization and expect it to take root; rather, a successful vendor management program is something you mature into, it’s something that you learn and develop over time.  You need to start with the basics and build up from there.  Yes, you need to address risk, but a 72 point checklist matrix for every vendor is not the way to start.

If you've read my blog posts, you may know by now that I take an essentialist, maturity model approach to information security, meaning you can't roll out of bed one day and expect to have it all fall in your lap.  It takes time, it takes practice, and it takes commitment to a continuous improvement mindset.

So how do you start?

  1. Take a risk based approach
  2. Categorize vendors into 4 tiers: Critical, High, Modeate, and Low
  3. Only perform your highest due diligence on critical and high vendors
  4. Implement what is do-able at first with goals of continuous improvement
  5. As your comfort level grows, adjust your program to expand what is being reviewed for each tier

Complex systems and processes often lead to inaction and avoidance.  But ACTION is the only way you’ll get better at anything.  If you make your vendor management program something that you can actually accomplish and something you understand, you’ll be more likely to work in it and on it.

Doing so will create a useful tool to help mitigate risks, which is the ultimate goal anyway, not a bunch of fancy matrices and checklists.