How to Solve Vendor Outreach During Security Crisis Events

Written by: Jason McLarney

You wake up one morning to a news alert: A new Zero-Day vulnerability is emerging, and it’s already being exploited in the wild. You race into the office and sit down at your computer to…write and send generic emails to each of your 1,000 vendors. “Have you been breached? If so, to what extent? Is our data exposed? What’s your plan to respond to it?” 

Radio silence. At best, you get a trickle of responses, but most of your emails go unanswered because your vendors are busy figuring out what happened and how to mitigate fallout. 

Organizations must immediately kick into high gear to mitigate damages or business disruptions when a Zero-Day event or other time-sensitive third-party threat occurs. A key step in this process is contacting vendors to communicate risk intelligence and ensure they take remedial action.

However, this process is easier said than done — especially when vendors are getting inundated by hundreds of frantic and panicked customers.

Most organizations make the mistake of sending vague “hunches” that a vendor is impacted by an incident, followed by a generic security questionnaire. In other words, they’re sharing no new information. In fact, it can come off as hostile policing. This is, obviously, not very motivating for a vendor and typically results in low, delayed, or nonexistent responses. This means risk is not being reduced, either for you or the vendor. 


We built the Black Kite Bridge™ with exactly these challenges in mind. It offers the first end-to-end vulnerability response tool for: 

  • risk identification and scoping
  • intelligence sharing
  • vendor communications
  • real-time reporting

Third-party risk management (TPRM) teams can now share trusted, vetted Black Kite intelligence directly with their vendors. This information is far more specific and actionable, leading to proven vendor engagement. 

4 Ways Black Kite Revolutionizes Vendor Collaboration

Since its inception, Black Kite has been focused on providing the most accurate, transparent, and timely risk intelligence on the market, empowering customers to take control of their third-party risk.

As a result, customers organically started sharing that intelligence and asking for more ways to give their vendors access to it to improve their own cyber risk postures. We heard their feedback, so we built the Black Kite Bridge™ to enable TPRM professionals to:

1. Confidently Narrow the Scope of the Outreach

One of the most significant challenges in responding to an emerging Zero-Day event is knowing which vendors are impacted and what type of data to share with them. 

Instead of casting the net wide and contacting vendors that may or may not pose a risk to your company, customers can leverage Black Kite to:

  1. Identify those vendors that have a material impact on your business.
  2. Narrow the scope of outreach into a manageable list based on known exposures or susceptibility to attacks.

We arm you with insights, such as:

  • Tags highlighting known impacted vendors in your cyber ecosystem through FocusTags™, to give you confidence in your actual exposures.
  • Real-time risk quantification for all vendors, enabling you to make decisions based on potential financial impact if a threat were to impact a particular vendor.
  • Actionable, asset-level evidence and recommended remediation steps rooted in a common language, like MITRE and NIST. Rather than asking generic questions, we provide you with targeted evidence to share, so a vendor can take immediate and appropriate action.

When you can share this information directly with a vendor through the Black Kite Bridge™, it gives you both a clear way forward. Instead of saying, “We think you were affected by X event — tell us if you were and what you’re doing to remediate it,” you can approach the vendor with clear evidence of what happened and hard recommendations to fix it. 

2. Communicate and Remediate in a Central Location

Vendor communications about risk and the risk intelligence itself should live in the same location. 

Why? Organizations already struggle with the sheer volume of vendors they rely on. If they need to communicate with all of them through one-off channels like email and without embedded context, this can easily become too complex and error-prone to scale. 

Today, the relevant intelligence often lives in a separate tool from vendor communications (e.g., a GRC or VRM tool). Or worse yet, it lives in long email threads and offline spreadsheets. When TPRM is handled manually like this, progress becomes impossible to track, details slip through the cracks, and, ultimately, risk is not reduced.

A better way:

  • Black Kite Bridge™ centralizes intelligence sharing and vendor communications in one location. 
  • Now vendors can access and view the same findings our customers see through a self-serve portal. 
  • As the vendor remediates issues, their risk ratings change in real time (versus the weeks it typically takes for traditional security ratings services (SRS) to update). 
  • This gives the vendor confidence they are doing the right things. 
  • The process becomes far smoother, and the vendor relationship becomes far more frictionless.

3. Report in Real Time

Since communications and intelligence live in one tool, reporting becomes a breeze. Your CISO wants a status update on that Zero-Day event? No problem.

With out-of-the-box reporting, you can immediately measure an incident’s initial exposure, vendor response rates, remediation progress, mean time to remediate (MTTR), and more across all vendors. Say goodbye to time-consuming, manual tracking in spreadsheets.

4. Achieve Higher Vendor Engagement & Partnership

The Black Kite Bridge™ lets customers share unprecedented, ungated access to the intelligence they trust and rely on with their third-party vendors. Our customers have seen huge improvements in response rates and better relationships as a result of the benefits their vendors receive:

  1. Timely access to incident details, prioritized list of findings, and remediation steps.
  2. Real-time updates to ratings for closing out risks.
  3. Visibility into responses, which means fewer private messages, questionnaires, or emails to track, and more time back in your day (and your vendors’).

Bridge the Communication Gap with Black Kite

For large organizations with hundreds or thousands of suppliers, scaling vendor engagement processes and TPRM can feel impossible. With the Black Kite Bridge™, responding to emerging cyber incidents becomes a breeze. Learn more about the challenges and opportunities of vendor outreach in our latest ebook, Chaos to Collaboration: Transforming Third-Party Risk Response for Zero-Day Events. And learn more about Black Kite with a personalized demo.

The post How to Solve Vendor Outreach During Security Crisis Events appeared first on Black Kite.

Vendor Risk Assessments: Why Scaling Feels Impossible (and What To Do About It)

Written by: Jason McLarney

Gone are the days of working with a handful of long-time, trusted vendors. Today, 60% of enterprises work with up to 1,000 vendors at a time, with 71% reporting that their third-party network has exponentially increased in just three years. That means more risk to evaluate and therefore more vendor assessments to parse through. 

The sheer volume of vendors in play and the length of traditional vendor risk assessments (often hundreds of questions) can make scaling this process feel impossible. 

Fortunately, with the right third-party risk tools and strategic vendor risk assessment processes, scaling is very achievable.

4 Steps to Help Organize Vendor Risk Assessments

Here are four practical steps organizations can take to get the data they need to make confident third-party risk decisions — quickly, efficiently, and accurately.

1. Prioritize

Traditionally, many organizations have evaluated all new vendors with the same level of scrutiny. Here’s the issue with this: Not all third-party relationships are the same. 

A third-party partner with no access to critical data (such as a catering provider) should not receive the same vendor risk assessment as one with extensive access to critical data (such as a payment processor). Due to the nature of the relationship — and what’s being shared — these two vendors pose a very different level of risk. This is a good thing because it means you don’t have to be equally thorough and meticulous with every vendor.

A Strategic Approach to Vendor Risk Assessments

Prioritize and tier vendors based on the unique risk they each pose to business-critical operations, environments, and data. Third-party risk pros can start by asking the following questions about their network of vendors:

  • Does this vendor have access to sensitive datasets or internal networks? If so, which ones? What level of access?
  • If this vendor experienced a breach, what material impact would it have on our business operations?
  • Is a vendor assessment required by a regulatory body? (e.g., your payment processor must be PCI-DSS certified)
  • What is the potential financial (and reputational) impact of a third-party breach through this vendor?

Based on those answers, organizations can start more effectively tiering their vendors into the following categories:

  • Tier 1: Mission Critical
  • Tier 2: High Risk
  • Tier 3: Moderate Risk
  • Tier 4: Low Risk

Think of it this way: If you were a 911 operator who answered two calls, one about a fender-bender and one about a 10-car pileup around the same time, you’d know where to send more resources.

Risk-based tiers are the basis that should dictate all engagement with that vendor — the risk thresholds you’re comfortable with, the compliance levels you require, how often you reassess them, and the level of communication you have with them. With vendors ranked in these risk-based tiers, teams can prioritize their efforts around the third-party partners most critical to their business — and the ones that raise the most red flags regarding potential impact.

That level of prioritization is exactly how organizations can go from treating 10,000 vendors exactly the same (and burning out the team, no matter how large) to using a streamlined team to focus on the riskiest vendors — without incurring unnecessary risk or feeling spread thin.

2. Get Data You Can Trust

In a market where scaling fast is the goal, risk professionals are starting to recognize they need to move away from solely relying on questionnaires. That’s because general questionnaires, which can sometimes have over 300 questions, often result in general (read: unhelpful) responses.

Effective communication with vendors relies instead on obtaining — and sharing — the right data, and only when necessary. Organizations need a source of intelligence they can trust to make better risk decisions, including whether they need to engage the vendor in the first place. For example, if a vendor meets all of your security and compliance requirements and is tiered as a “Moderate Risk” vendor, do you really need to issue them a questionnaire? It depends on your risk appetite, but likely not.

Organizations need a transparent, standards-based cyber ratings platform where they can see for themselves how findings and scores are assembled. That gives teams the reliable, concrete data they need to have meaningful conversations with vendors and collaborate effectively to remediate risk.

Security teams should also consider investing in a third-party risk management (TPRM) tool that provides:

  • Reports on how to improve risk scores, step-by-step
  • Identification of specific assets believed to be most at risk
  • A space for transparent, two-way vendor communication

3. Save Time (and Money) With Automation

Baking in automation is the only way to scale your vendor risk assessment process. Manually sifting through questionnaires is not the solution; it only exhausts resource-constrained risk teams and introduces human error. 

Manual vendor risk assessments can take anywhere from two to eight weeks on average. For any other project, that timeframe might be acceptable. But digital threats evolve much faster than that. Within a few weeks, the risk landscape (either yours as an organization or the market’s at large) can undergo a seismic shift that rapidly changes priorities. Whether due to a geopolitical upheaval or a new business expansion strategy, risk doesn’t remain constant. 

With the right third-party risk automation tools, teams can reduce assessment cycles from weeks to hours. AI-driven engines can parse complex vendor documents (SOC 2 reports, compliance policies, questionnaire responses, and more) and measure compliance with industry-wide frameworks such as NIST SP 800-53 Rev. 5, ISO 27001, and more, giving you an immediate view into their risk.

That unlocks the ultimate key to scaling: Finding automated tools your teams can trust to work in the background while they handle more complex risk strategies.

4. Build Relationships with Critical Vendors

Regarding third-party risk, it can be easy for organizations to fall into the trap of only communicating with vendors during procurement and onboarding… and then only if and when an incident occurs. That’s not due to any personal failure but because it can be nearly impossible to effectively communicate with hundreds or thousands of vendors regularly.

With effective prioritization, risk teams can collaborate with vendors rather than having a reactive (and often unnecessarily tense) relationship. They can also minimize the total amount of vendor assessments they need to send — and shorten and focus the ones they do send — all the while better mitigating actual risk.

Double down on the vendors that matter most to your organization’s security, financial health, and business-critical processes. Check in with them on risk and security developments — and identify any shared risks or weaknesses that you might have with each other.

Move Away From the Unscalable

Effective scaling starts with moving away from one-size-fits-all, time-consuming, and manual methods and instead towards:

  1. Upfront risk-based tiering and prioritization of vendors based on their materiality to business operations.
  2. Relying on a trusted data set to inform prioritization and dictate when to engage.
  3. Automation to reduce or eliminate manual questionnaire reviews and unnecessary vendor engagements.
  4. Stronger vendor relationships based on clear, actionable improvement steps. 

These pillars make scaling possible and achievable, expanding your team’s reach and allowing you to double down on the value-adding tasks and relationships that matter most. However, all of these vendor risk mitigation strategies rely on one key factor: trustworthy, timely risk data. When organizations have data they can trust, they can prioritize, dial in their risk thresholds, and build out the third-party risk management structure they need to move ahead with confidence.

Scaling vendor risk assessments doesn’t have to feel impossible. With the right tools and processes, organizations can unlock efficiencies, strengthen their vendor relationships, and improve their overall risk posture. Black Kite Bridge™ makes collaboration easier by providing the trusted data and communication capabilities needed to drive faster, more meaningful vendor engagements.

If you’re ready to transform your approach to vendor engagement, don’t miss our eBook, Chaos to Collaboration: Transforming Third-Party Risk Response for Zero-Day Events. It’s packed with actionable insights to help you work more effectively with vendors during critical events — no download required. 

The post Vendor Risk Assessments: Why Scaling Feels Impossible (and What To Do About It) appeared first on Black Kite.