April 23, 2020
Why Is Vendor Risk Management So Hard
As I’ve mentioned in my other blog posts, the entire model is broken.
Currently, a team of one person, or sometimes two or three, has to identify between 300 and 1,000 vendors that it needs to review.
Just tracking down the right person and making sure that these vendors are providing the necessary data to perform a review is a headache.
But what’s far more painful than a headache is an ulcer. That would be the actual review of security data from these vendors. The data is complex, technical and vast. To be able to sift through the data and write a report is a monumental task.
What ends up happening is that reviews become cursory. Not enough vendors are reviewed, and the ones that are reviewed get only the lowest amount of due diligence necessary.
The current method of performing vendor assessments has 10 companies each conduct a mediocre review of one vendor, instead of one comprehensive review of that vendor being shared among the 10 companies.
We started Teepee to try and change this model. We want one outstanding review for a vendor that can then be shared among many customers. This will both drive up effectiveness and drive down cost.