What is Vendor Tiering?
Vendor tiering is a method of classifying vendors based on the level of security risk they introduce to an organization. The level of security criticality decreases with each subsequent level.
The number of tiering levels depends on personal preference. The basic vendor tiering structure consists of three levels - Tier 1, Tier 2, Tier 3, where Tier 1 represents high-risk vendors.
Each vendor could be assigned to a tier manually, or the process could be based on a security questionnaire scoring system. Both methodologies are discussed in this post.
The benefit of separating vendors into different tiers is that it creates a more efficient risk assessments workflow. Applying the same level of risk assessment to each vendor is difficult to maintain, and in most cases, unnecessary.
Vendors storing publically accessible information, such as information on a website, pose less potential risk than vendors with access to sensitive business resources, such as internal communication solutions like Slack. It would make sense, therefore, to perform less in-depth and less frequent assessments for vendors in the former category.
This is the objective of vendor tiering - to streamline the vendor risk management process so that security teams are able to manage third-party risks more intelligently.
Why is Vendor Tiering Important?
Vendor tiering is important because organizations struggle to manage a Third-Party Risk Management Program across an expanding vendor network.
Limited internal resources prevent new vendors from receiving the necessary security attention they require, which introduces preventable inherent risks during digital transformation.
This unmonitored attack surface expansion further burdens security teams, making it even more difficult to manage risk assessments during onboarding.
Eventually, the necessity of scaling business processes overlaps with expended cybersecurity resources resulting in risk assessments being completely overlooked during onboarding.
With supply chain attacks on the rise and third-party breaches accounting for 60% of data breaches, organizations cannot continue to forsake vendor due diligence.
Vendor tiering helps security teams distribute their efforts more efficiently across the entire threat landscape to ensure secure onboarding for all new third-party vendors.
The benefits of the vendor tiering process also extend to the existing vendor network. Because remediation efforts are proportional to risk exposure, more attention can be devoted to the vulnerabilities having the greatest impact on security posture, significantly reducing the chances of an organization suffering a data breach.
This highlights another major benefit of vendor tiering. By grouping vendors into different risk categories, vendor tiering supports a more efficient and logical remediation sequence.
How Does Vendor Tiering Improve Third-Party Risk Management (TPRM)?
Vendor tiering helps security teams adjust the level of risk assessments performed at each vendor tier, rather than applying the same effort across all vendors.
Some vendors with strict regulatory requirements, such as GDPR bound businesses and those in the healthcare industry, require stricter risk assessments than others. So it makes sense to adjust a vendor risk management program in favor of this high-risk group.
With vendor tiering, security teams could achieve a more manageable risk assessment workflow where each tier is assigned a specific set of assessments.
For example, an ISO 27001 questionnaire could be sent to only tier 1 vendors. This is a superior model to the conventional method of manually tracking the assessment requirements of each vendor - an effort that quickly becomes a logistical nightmare as the vendor network expands.
The intensity of digital transformation will only increase as businesses meet the growing expectations of innovative consumers, which will furtherincrease the burden of Vendor Risk Management (VRM).
To prepare for this inevitable future, businesses need to transition to the more efficient vendor tiering framework. Failure to do so will cause TPRM's to crumble beneath the weight of a more daunting third-party attack surface.
How to Tier Vendors
There are two primary strategies for categorizing vendors - manual tiering and questionnaire-based tiering.
Manual tiering is the more popular method because most organizations prefer greater control over the classification process.
The risk profile of each vendor differs across each business partner. Discrepancies depend upon unique levels of access to sensitive resources and personal experience.
Personal preference is a very important factor since some businesses are willing to accept a higher risk tolerance for popular vendors. For example, some businesses are happy to use the messaging service WhatsApp, while others are concerned with its user data-handling practices.
Manual tiering empowers businesses to classify vendors based on personal reputational assessments, without forcing them to accept an objective tiering standard.
Security ratings can be used to support manual tiering decisions. Security ratings evaluate each vendor's security posture based on multiple attack vectors to help businesses track the security of their third-party ecosystem. These ratings naturally fluctuate over time and could even abruptly drop after a significant business transformation - like when a vendor acquires another business.
A poor risk rating could influence a decision to manually drop a vendor down to a lower risk tier.
To support intelligent manual tiering, a security solution should include a regularly updated cybersecurity news feed to keep users informed of any events that could impact their vendors.
Questionnaire-based tiering is a more complicated process where vendors are automatically categorized through vendor risk assessments.
An algorithm assigns each vendor to a tier based on their responses to security questionnaires and assessment templates. The benefit of this process is that it's completely automated which resolves the logistical difficulties of managing a comprehensive vendor network.
To maximize its benefit to business continuity, this tiering process should still be open to manual modifications. Stakeholders may disagree with an assessment process and challenge a risk classification. In these instances, each overridden tier decision should be supported with a reason for the manual classification.
Vendor Tiering By UpGuard
UpGuard includes a vendor tiering feature to help users manage their vendor security more efficiently.
The entire vendor tiering arrangement can be manually manipulated, giving each business greater control over their vendor categorization process. Businesses can create as many tiers as needed and assign each a unique name.
To further optimize third-party risk management, the security posture of each tier can be assessed with UpGuard's Custom Questionnaires Builder.
Businesses with comprehensive vendor networks have the option of outsourcing their Third-Party Risk Management program to cybersecurity experts. By combining this service with UpGuard's Vendor Tiering feature, scaling businesses will establish a dependable foundation for the highly complicated vendor attack surface of the future.