
Vendor Onboarding 101: Balancing Security and Speed

In today’s ever-evolving, competitive business climate, organisations are partnering with more and more vendors to ensure they’re as agile, flexible, and efficient as possible. Now, at a time when as much as 75% of the workforce is shifting to remote work in some industries, this is more true than ever — with organisations seeking to rapidly acquire new software and technology to accommodate new business requirements.

While these partnerships can empower your business to go to market faster and beat the competition, bringing in new vendors often requires a vigorous and extensive onboarding process — a seemingly overwhelming feat when, according to Gartner, 60% of organisations are now working with more than 1,000 third parties.

As a security leader, you’re often stuck between a rock and a hard place when it comes time to evaluate potential third parties. While you must ensure that each prospective vendor maintains an acceptable security posture (and thereby won’t introduce unwanted risk into your ecosystem), you’ll often feel pressure from above to onboard new vendors quickly — as leadership will want to maximize the value from third parties immediately. Here are three key strategies you can adopt today to onboard new vendors as securely and quickly as possible.


1. Prioritise your vendor analysis

Before you begin the evaluation and onboarding process, it’s important to remind yourself of one simple truth: no two vendors are the same. Each third party presents a different level of risk, and therefore merits different treatment. For instance, a payroll provider working with sensitive employee and company information requires a much higher level of scrutiny than a non-critical vendor with limited access to your network. If you take a one-size-fits-all approach to onboarding — providing each prospective vendor with the same boilerplate questionnaires — your assessments will not be as customised, effective, or streamlined as they need to be.

Instead of evaluating every third party in the same manner, group and prioritise vendors based on their criticality to your business or the type of data they will be handling, and get the most out of your valuable time by allocating resources to the areas that require greater due diligence.


2. Define thresholds for acceptable levels of risk

Of course, in order to conduct a valuable security evaluation, you must first define what your organisation considers to be an acceptable level of risk. Once you’ve determined this threshold, you should work alongside your legal and financial teams to develop policies to enforce assessment requirements — and make sure each potential vendor is evaluated accordingly.

Make sure to establish criteria both for the total risk posed by the third party and for threats stemming from individual factors of their security posture, such as unpatched systems, legacy and unsupported technologies, or a history of malware infections.


3. Develop contract language that makes thresholds and remediation enforceable

After you’ve defined what your organisation considers to be an acceptable risk threshold, it’s critical that you create contract language that requires your third parties to maintain this desired security posture over time. Specifically, your contracts should stipulate that vendors must:

In order to ensure that a vendor is conducting the necessary due diligence outlined above, you must establish a common set of standards that are clear and easy to understand. External data sources, such as security ratings, are ideal for this purpose.

Similar to a credit score, security ratings attribute a numerical value to a third party’s security posture — with a higher number indicating a more secure environment. You can use these ratings to pre-screen vendors during the evaluation phase, optimise your risk assessment strategies, and ensure your vendors remain secure throughout your relationship.


Streamline onboarding to empower your business

If your organisation partners with a large number of third parties, it can become increasingly difficult to choose and evaluate potential vendors effectively. You may feel pressure from above to make decisions quickly, but rushing through assessments often leads to errors — which can open your organisation up to unwanted cyber risk.

Given this scenario, it’s more important than ever that you optimise your onboarding resources.

With an adaptive approach that takes each prospective vendor’s relationship and security posture into account when determining the appropriate level of assessment, you can save time, reduce costs, and scale with ease.




This article was originally published by BitSight and is shared with their kind permission.


About BitSight

Founded in 2011, BitSight transforms how organisations manage cyber risk with trusted, time-tested and actionable security ratings. The BitSight Security Ratings Platform collects vast amounts of data on security issues and applies a sophisticated algorithm to create daily security ratings that range from 250 to 900, helping organisations manage their own security performance, mitigate third-party risk, underwrite cyber insurance policies, conduct M&A due diligence and assess aggregate risk.

With over 1,700 global customers, including seven of the top 10 cyber insurers, 25% of Fortune 500 companies, and 3 of the top 5 investment banks, and the largest ecosystem of users and information, BitSight is the most widely used Security Ratings Service.

For more information, visit or follow @BitSight on Twitter.