July 22, 2020

The Renewal Assessment Is What Gets You

Gloria Estefan has a song where she says “The rhythm is gonna get you”. In the world of vendor risk management, the lyrics could easily be changed to “The renewal is gonna get you”. If you work in vendor risk management, you probably know instinctively, and very personally, what this means.

Among the hundreds of conversations that I’ve had with Information Security professionals, many acknowledge that they perform a security review of a vendor upon intake (i.e. prior to purchasing a vendor’s product or service). At the same time, almost all acknowledge that they do not perform such a review on the renewal of a vendor’s contract or at another interval beyond the initial purchase. 

Why is it that assessing a vendor on an ongoing basis is so difficult? In this post, I’ll describe the reasons that I believe renewal assessments are so difficult for organizations.


Security assessments are hard…really hard

Let’s not overlook the main reason renewal assessments are not conducted: security assessments are very difficult from a technical perspective. There needs to be a dialogue with the vendor, a person needs to review hundreds of data points that reside in questionnaire answers and security attestations, and there needs to be a documented report of everything that was reviewed. This is far from an easy task and can take hours and hours of work.


You can always “fall back” on the intake assessment

In the never-ending list of things that need to get done, a lot of people will fall back on the fact that they’ve completed an intake assessment of a vendor, and they will keep delaying a renewal assessment. The intake assessment becomes a short-term justification for not doing another assessment.


The number of renewal assessments is always increasing

Given the nature of customer-vendor relationships in this day and age, most vendors are used on an ongoing basis. As such, the net number of vendors that a company uses is, for the most part, increasing. Because of this, there is a corresponding increase in the number of vendors that need renewal assessments.


Vendors care a whole lot less after the sales process

This one is funny, ironic, sad and true. Vendors will jump through hoops to provide you what you need during the sales process. The business will also want a thumbs up from InfoSec on procuring their vendor. But all those good vibes and lightning quick response times melt away once the vendor is nice and settled within your business.


Lack of an internal system/process to know when to conduct an assessment

Many companies won’t have a system to alert the business owner, much less the Information Security team, of a vendor’s renewal date. While the renewal date should not be the standard for when a renewal assessment is conducted, it is a good one that teams can, and do, fall back on.

