Two Words – Massive Pain.
It has become clear that the information security industry has accepted vendor risk as a threat to be managed. CISOs, CEOs, even Board of Directors are taken on this challenge.

At the same time, everything is backwards. From the largest enterprises to the smallest SMBs, there is a lot of wasted time, money and effort happening in all corners of the universe when it relates to vendor risk management.
But Why? Let’s take a moment to reflect on how we got here.

For most very large companies and enterprises, they have been trying to understand the security controls of their vendors for years. Unfortunately, the number of vendors being used has increased meteorically and the complexity of threats that needs to be checked has increased just as much.

The result has not been better assessments of vendors but worse. We now have a system where enterprises undertake a decidedly average review of their vendors to ‘check the box’ rather than a diligent review that is going to uncover where the threats to their business lie. The real shame is that you potentially have hundreds, if not thousands, of average reviews of the same vendor.

This is why I started Teepee. My vision is that the resources used by different companies to review a vendor should be ‘pooled’ through a Managed Service to create one comprehensive, detailed report of a vendor’s security. This report can be used by enterprises to make decisions about purchasing that vendor’s product and it can also be used by vendors to upgrade their security.