May 26, 2020
Medium Sized Businesses and Vendor Risk Management
In starting Teepee, one of the most common questions I get is: “What type of businesses will you be targeting?”
One of the primary reasons for starting Teepee was that as vendor risk was growing in importance, there was a group of businesses that overwhelmingly didn’t have the resources or people to tackle this area of cybersecurity. They were especially hurt by a model of vendor risk that is outdated and overly cumbersome. This group is small and medium-sized businesses with between 50 and 500 employees.
With fewer than 50 people, the need for vendor risk management exists, but there are too many other pressing issues that will generally take precedence. With more than 500 people, companies will likely have some sort of process in place, so they won’t have an overwhelming need to try a new approach to vendor risk management.
But for that sweet spot of small and medium-sized businesses, there are a few reasons that will compel them to adopt a new model of vendor risk management.
1. Their customers are asking them about it. Every time a vendor is sent a security questionnaire, it most certainly will have questions about their vendor risk program. Many vendors might answer ambiguously or exaggerate what they have in place. Some might be truthful and admit they don’t have anything in place. No matter the response, customers will need to see a program in place. In many cases, the customer’s data is being passed from the direct vendor to a fourth-party vendor.
2. There are specific regulations that call out vendor risk management. GDPR, CCPA, the SEC, FINRA, NYDFS, NERC and others all specifically call out the necessity of having a vendor risk program in place for the maintenance of good cybersecurity practices. Many of these businesses fall under the direct purview of these agencies or regulations. So, in effect, it is necessary for them to have vendor risk management in place.
3. These businesses want to have something in place to fulfill a framework that they are trying to follow. Whether it is NIST, ISO or other security frameworks, a business will need to have vendor risk management in place to meet the standards of these frameworks.
As of now, there is a vacuum of solutions for these businesses to have proper vendor risk management in place. Vendor risk management is either too costly or too resource-intensive, and does not produce great results. Teepee was created as a new solution that these businesses can put in place for quality, cost-effective vendor risk management.