What is Vendor Tiering?

Vendor Tiering is a method of classifying vendors based on the level of security risk they introduce to an organization. Security criticality decreases with each subsequent tier.

The number of tiering levels depends on personal preference. The basic vendor tiering structure consists of three levels - Tier 1, Tier 2 and Tier 3 - where Tier 1 represents the highest-risk vendors.

Each vendor could be assigned to a tier manually, or the process could be based on a security questionnaire scoring system. Both methodologies are discussed in this post.

The benefit of separating vendors into different tiers is that it creates a more efficient vendor assessment workflow that considers the specific risk thresholds of all vendors. Applying the same level of risk assessment to each vendor is difficult to maintain and, in most cases, unnecessary.

Vendors storing publicly accessible information, such as information on a website, pose less potential risk than vendors with access to sensitive business resources, such as internal communication solutions like Slack. It would make sense, therefore, to perform less in-depth and less frequent assessments for vendors in the former category.

This is the objective of vendor tiering - to streamline the vendor risk management process so that security teams are able to manage third-party risks more intelligently.


Why is Vendor Tiering Important?

Vendor tiering is important because organizations struggle to manage a Third-Party Risk Management Program across an expanding vendor network.

Limited internal resources prevent new vendors from receiving the necessary security attention they require. As a result, procurement contacts remain weak and fail to filter out preventable inherent risks during digital transformation.

This unmonitored attack surface expansion further burdens security teams, making it even more difficult to manage risk assessments during onboarding.

Eventually, the need to scale business processes collides with exhausted cybersecurity resources, and risk assessments end up being overlooked entirely during onboarding.

With supply chain attacks on the rise and third-party breaches accounting for 60% of sensitive data breaches, management teams cannot continue to forsake vendor due diligence.

Rising trend of supply chain attacks 2019-2020

Vendor tiering helps security teams distribute their efforts more efficiently, helping them focus a majority of their efforts on critical vendors posing a higher risk to security postures, such as vendors at a high risk of a ransomware attack. Because this relieves the burden of responding to all security issues with equal vigor, more bandwidth is available for the secure onboarding of all new third-party vendors.

Service providers with a higher risk of being compromised in a cyberattack are grouped in a critical tier so that remediation efforts can be prioritized for them.

The benefits of the vendor tiering process also extend to the existing vendor network. Because remediation efforts are proportional to risk exposure, more attention can be devoted to the vulnerabilities having the greatest impact on security posture, significantly reducing the chances of an organization suffering a data breach.

This highlights another major benefit of vendor tiering. By grouping vendors into different risk categories, vendor tiering supports a more efficient and logical remediation sequence.

For more information about how to optimize a remediation workflow, refer to this whitepaper on Risk Remediation Planning.

How Does Vendor Tiering Improve Third-Party Risk Management (TPRM)?

Vendor tiering helps security teams adjust the level of risk assessments performed at each vendor tier, rather than applying the same effort across all vendors.

Some vendors with strict regulatory requirements, such as GDPR-bound businesses and those in the healthcare industry, require stricter risk assessments than others. So it makes sense to adjust a vendor risk management program in favor of vendors with higher risk factors.

With vendor tiering, security teams could achieve a more manageable risk assessment workflow where each tier is assigned a specific set of assessments.

For example, an ISO 27001 questionnaire could be sent to only tier 1 vendors. This is a superior model to the conventional method of manually tracking the assessment requirements of each vendor - an effort that quickly becomes a logistical nightmare as the vendor network expands.

The dependency on digital transformation will only increase as businesses meet the growing expectations of innovative consumers, which will only increase the burden of Vendor Risk Management (VRM).

To prepare for this inevitable future, businesses need to transition to a more efficient vendor tiering assessment framework. This strategy also pushes cybersecurity programs closer to automated processes. This is the inevitable next phase of the TPRM development lifecycle given the significant data breach cost savings resulting from automation.


automation controls significantly reduce data breach costs

How to Tier Vendors

There are two primary strategies for categorizing vendors: manual tiering and questionnaire-based tiering.

Manual Tiering

Manual tiering is the more popular method because most organizations prefer greater control over the classification process.

The risk profile of each vendor differs from one business partner to the next. The differences depend on each vendor's level of access to sensitive resources and on the organization's own experience with the vendor.

Personal preference is a very important factor since some businesses are willing to accept a higher risk tolerance for popular vendors. For example, some businesses are happy to use the messaging service WhatsApp, while others are concerned about its user data-handling practices.

Manual tiering empowers businesses to classify vendors based on personal reputational assessments, without forcing them to accept an objective tiering standard.

The validation of manual tiering decisions can be confidently achieved with security ratings. Security ratings evaluate each vendor's security posture via a single dashboard based on multiple attack vectors.

This helps businesses track the security of their third-party ecosystem. These ratings naturally fluctuate over time and could even abruptly drop after a significant business transformation - like when a vendor acquires another business.

Advanced risk scoring functionality will keep stakeholders informed of such sudden exposure spikes through instant notifications.

A poor risk rating could influence a decision to manually drop a vendor down to a lower risk tier.

To support intelligent manual tiering, a security solution should include a regularly updated cybersecurity news feed to keep users informed of any events that could impact their vendors.

UpGuard's Incidents and Newsfeed keeps users informed of any trends and events that could impact the security posture of their vendors.

Questionnaire-Based Tiering

Questionnaire-based tiering is a more complicated process where vendors are automatically categorized based on the efficacy of their security control strategy as indicated through vendor risk assessments.

An algorithm assigns each vendor to a tier based on their responses to security questionnaires and assessment templates. The benefit of this process is that it is completely automated, which resolves the logistical difficulties of managing a comprehensive vendor network.

To maximize its benefit to business continuity, this tiering process should still be open to manual modifications. Stakeholders may disagree with an assessment process and challenge a risk classification. In these instances, each overridden tier decision should be supported with a reason for the manual classification.
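As an added illustration (not UpGuard's implementation or any product's code), the following Python sketches the questionnaire-based tiering described above together with the per-tier assessment sets mentioned earlier: each missing control and the vendor's level of data access add to a risk score, the score maps to Tier 1 (highest risk) through Tier 3, each tier carries its own assessment list, and a stakeholder override is only accepted with a documented reason. The questionnaire items, weights, thresholds and vendor records are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed questionnaire items and weights (assumption): a "no" answer means
# the control is missing and adds the item's weight to the vendor's risk score.
QUESTIONNAIRE = {"mfa_enforced": 3, "encryption_at_rest": 3,
                 "incident_response_plan": 2, "annual_pen_test": 2,
                 "staff_background_checks": 1}
# Inherent risk from the data the vendor can reach (assumed weights).
ACCESS_WEIGHT = {"public": 0, "internal": 4, "sensitive": 8}
# Assessment workload per tier; only Tier 1 receives the ISO 27001 questionnaire.
ASSESSMENTS = {1: ["ISO 27001 questionnaire", "quarterly review"],
               2: ["security questionnaire", "annual review"],
               3: ["self-attestation"]}

@dataclass
class Vendor:
    name: str
    data_access: str  # "public", "internal" or "sensitive"
    answers: dict     # questionnaire item -> True (control in place) / False
    overrides: list = field(default_factory=list)  # (old_tier, new_tier, reason)

def risk_score(v: Vendor) -> int:
    """Inherent access risk plus the weight of every control the vendor lacks."""
    gaps = sum(w for item, w in QUESTIONNAIRE.items() if not v.answers.get(item, False))
    return ACCESS_WEIGHT[v.data_access] + gaps

def auto_tier(v: Vendor) -> int:
    """Tier 1 is the highest-risk tier. Thresholds are assumed, not a standard."""
    score = risk_score(v)
    return 1 if score >= 10 else 2 if score >= 5 else 3

def current_tier(v: Vendor) -> int:
    """The latest documented manual override takes precedence over the algorithm."""
    return v.overrides[-1][1] if v.overrides else auto_tier(v)

def override_tier(v: Vendor, new_tier: int, reason: str) -> int:
    """Stakeholder override, refused unless a reason is recorded for the audit trail."""
    if new_tier not in ASSESSMENTS or not reason.strip():
        raise ValueError("override needs a valid tier and a documented reason")
    v.overrides.append((current_tier(v), new_tier, reason.strip()))
    return new_tier

# Constructed vendors for illustration (not real companies).
crm = Vendor("crm-saas", "sensitive", {"mfa_enforced": True, "encryption_at_rest": True,
                                       "staff_background_checks": True})
cdn = Vendor("web-cdn", "public", {"encryption_at_rest": True, "incident_response_plan": True})
chat = Vendor("team-chat", "internal", {item: True for item in QUESTIONNAIRE})
```

Every override is appended rather than overwritten, so the history of who moved a vendor between tiers and why survives for later review.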

Vendor Tiering By UpGuard

UpGuard is recognized by Gartner as one of the leaders in Vendor Risk Management (VRM). In addition to manual vendor tiering, UpGuard has released an automation feature for vendor classification according to custom rules and logic you define. The automation logic applies tiers, labels, portfolios, and custom attributes to your vendors based on answers from the vendor relationship questionnaire. For more information on the automation workflow, see our blog Scale Your Vendor Risk Management Program with Automation.

The entire vendor tiering arrangement can be manually manipulated, giving each business greater control over their vendor categorization process. Businesses can create as many tiers as needed and assign each a unique name.

UpGuard users can set the number of tiers they require and assign custom names to each of them.

A vendor's security risk weighting can then be represented through a risk matrix in a cybersecurity report generated from the UpGuard platform, allowing stakeholders to instantly understand the degree of risk associated with each vendor.


To further optimize third-party risk management, the security posture of each tier can be assessed with UpGuard's Custom Questionnaires Builder.

Businesses with comprehensive vendor networks have the option of outsourcing their Third-Party Risk Management program to cybersecurity experts. By combining this service with UpGuard's Vendor Tiering feature, scaling businesses will establish a dependable foundation for the highly complicated vendor attack surface of the future.
