Beyond the Questionnaire: Building Real Relationships for 3rd Party Risk Management

published on 29 January 2024

We’ve all been there - as a vendor trying to fill out a customer’s extensive risk questionnaire, or as a customer sending out a generic 100-page assessment to all partners. There has to be a better way.

The Problem with Questionnaires

Questionnaires have become the norm for initiating 3rd party cyber risk management, but they are problematic:

- Burdensome for vendors - They require extensive time and effort to complete accurately. This hurts productivity.

- Low signal, high noise for customers - Most provide a false sense of security without offering meaningful risk insights.

- Compliance, not risk-focused - They are typically derived from control standards rather than from an analysis of the specific vendor's environment and the impact a compromise there would have on the business.

- Transactional, not relational - They start partnerships off with a compliance exercise rather than collaboration.

- Point-in-time - They capture a single moment rather than providing continuous visibility.

For all these reasons, questionnaires do little to foster strong business relationships or truly understand and manage cyber risks.

Building Real Relationships

The most valuable way to manage 3rd party cyber risk is to build authentic relationships with vendors focused specifically on risk. This involves:

- Evaluating risk impacts - Analyze the cyber risk each vendor actually poses, based on its network connectivity, the data it can access, and how critical it is to the business.

- Right-sizing assessments - Tailor control analysis to the identified risks rather than making every partner fill out the same giant questionnaire.

- Initiating partnerships - Bring vendors into risk conversations from the start to set expectations and align on priorities.

- Maintaining open dialogue - Continuously communicate about evolving threats, controls, vulnerabilities, and incidents that may impact the business relationship.

- Enabling transparency - Give partners access to security teams and to dashboards showing the relevant security metrics and audit results, rather than hiding behind yearly surveys.

Technology plays an important role in enabling transparency through continuous automated monitoring. But relationships ultimately come down to people investing the time to understand each other, communicate openly, and collaborate on reducing shared risk.

Just as you would develop any other strong partnership, that deep engagement focused specifically on risk creates trust and resilience that check-the-box assessments simply cannot provide. The next time you pull out the massive questionnaire, ask yourself - is this enhancing our ability to manage risk, or getting in the way of what matters? The business case for better vendor relationships and risk management speaks for itself.