Vendor tiering is the process of categorizing third-party vendors by the level of security risk they introduce to an ecosystem.
Such a strategy is a logical addition to a Vendor Risk Management (VRM) program because risk profiles differ between each vendor.
For example, a garden service provider with a static website poses less of a security risk than an IT support service with access to sensitive internal resources.
Vendor Tiering Strategy
There are two primary vendor tiering mechanisms:
- Questionnaire-based tiering
- Manual Tiering
With questionnaire tiering, vendors are programmatically assigned to a criticality tier based on security questionnaire responses. Though this mechanism minimizes manual processing, it isn’t the preferred methodology for most businesses because risk appetites differ across each organization.
Some businesses are willing to absorb a higher security risk to partner with popular solutions (such as Whatsapp) than others. So it makes sense to empower security teams to design their own unique tiering conditions.
This is why the second tiering mechanism is the more popular choice. Manual tiering allows each organization to tier its vendors in a way that aligns with their unique security objectives - whether categorization is based on regulatory requirements, level of access to sensitive data, or personal intuition.
The Benefits of Vendor Tiering
Vendor tiering compresses vendor networks into manageable groups, with the most critical vendors grouped in the top tier, and less critical vendors in subsequent tiers. This allows security teams to instantly recognize vendors requiring a higher degree of attention and those only requiring monitoring controls.
The benefits are twofold.
Firstly, each tier could correspond to the regulatory requirements of all third-party vendors assigned to it. This would prevent security teams from overlooking their vendor risk assessment obligations, while also streamlining the risk assessment management process.
Instead of manually tracking each individual vendor’s regulatory requirements, assessments could be sent to all vendors in a single tier.
The second benefit is that vendor tiering promotes a more efficient distribution of security efforts. Rather than managing each vendor with the same security vigor, vendor tiering skews response efforts towards partners with the highest potential negative impact on security posture.
By allocating the majority of security efforts towards the most critical vulnerabilities, organizations are capable of maintaining resilient security postures even amongst a multiplying threat landscape.
