vendicts_admin, Author at Vendict

New Feature – How To Automatically Respond To Web Security Questionnaires

07.06.2022

Getting more and more web security questionnaires?

You asked—we listened!

Hi,

Udi here.

Web-based questionnaires are becoming more common. But the problem is that they usually take much longer to complete.

Now, you can have them answered completely within seconds with Vendict’s new Google Chrome extension:

Vendict users now have the ability to streamline the submission of security questionnaires straight from the browser.

No more copy-and-paste needed.

The application smoothly integrates with the TPRM platform that is used to send off your compliance documents, cutting down the submission process by an average of 85%.

Here’s how it works:

After generating the answers to your questionnaires with its AI engine, the Vendict extension then auto-fills the answers to the TPRM. It’s that simple.

What’s even better?

All your historical compliance question data is stored in one single location. No need to worry about exporting it to excel sheets or other programs manually.

Vendict is currently the only solution on the market with these capabilities. Let us show you how to transform your compliance process from a resource-sapping struggle to one of seamless efficiency.

Best,

Udi

Co-Founder & CEO @Vendict

Chief Vendor Officer (CVO) - A Practical Playbook Part 2

25.03.2020

The CVO playbook for a successful vendor adventure — Part 2 / 2

In the first part, we have seen how the CVO must focus first on the defensive line. Now let’s see how the CVO can create value, be accountable by metrics, and whom the CVO should report to.

The Offensive line

Focus on specific projects to bring quick vendor value:

On-boarding. Evaluate how to accelerate and standardize the vendor on-boarding. It includes IT collaboration and scheduling, security authorizations, employee training on the product, and providing vendors with information and focal points.
Performance tracking. The contract commitments must be tracked. They vary between product performance, customer support, product upgrades and roadmap, compliance and security fix commitments. Tracking these will give you an edge during contract renewal.
Cost vs. usage. Track the number of licenses acquired and their actual usage. The procurement team will be happy to receive them.
Find alternatives. A hard one. For critical vendors, managing the vendor risk and negotiating prices with the vendor can help when you know about a realistic alternative.
This alternative is realistic if it provides the same kind of service/product at the same level. Besides, the switch cost (in money and time) should be manageable and the vendor should have a high chance of being declared valid by the defensive line in a timely manner.

Promoting a Vendor culture

Nurturing a Vendor culture is a long-term task. It convinces stakeholders to see an agile environment with fast vendor on-boarding and off-boarding.

This Vendor culture can be implemented gradually:

Promote vendor requests. Discuss difficulties with co-workers and think about whether a vendor may exist. Bring success stories to executives. Simplify the vendor request process.
Highlight your work. When a stakeholder requests a new Vendor, he or she is expecting regular updates. These updates should humanize the vendor integration process by reflecting current roadblocks and how the vendor responds (at a high level).
Bring the Voice of the Vendor. Critical vendors are also important stakeholders in the project. Sometimes, strong collaborations between vendors and your company may result in a strong product/service differentiation. Attention to the vendor (e.g., by providing feedback and requests) may be prioritized too. In product development, Product Managers may take this role.

The Metrics

What are the metrics to evaluate CVOs?

Cost and risk reduction. Track the cost and risk reduction in each defensive field (compliance, security, privacy).
Integration quality. Measure the time between the business unit requiring a solution and its implementation. This overall time is a good indicator of the vendor selection and the on-boarding process.
Decompose the vendor path similarly to a customer path. A vendor funnel can be set up with the different steps: request, selection, validation, negotiation, on-boarding, actual usage.
Business outcome. Guesstimate the impact of vendor insertions/replacements on the business.

Who does the CVO report to?

As seen, the CVO role is versatile, operational, and has many interactions. The CVO should therefore report to the CIO or to the COO. Reporting to an agile position will allow the CVO to quickly implement changes that highlight the collaboration between the teams.

The CVO is a complex role. It involves an oversight of vendor selection, validation, on-boarding, renewal, and off-boarding. Many internal actors are involved. And for the company, the potential is huge in value creation and cost & risk reduction.

Somehow, I have a feeling that some CDOs will consider this role as their next move.

The Surprising Customer Truths Applied to Vendors

Or how fundamental Customer concepts can change our worldview about Vendors

“The limits of my language means the limits of my world” — Wittgenstein

I am fascinated by bilingualism. Sure, by learning two languages simultaneously, on average, a child starts speaking later. But he or she gets so much in return. Not only the ability to speak two languages fluently. The child understands both cultures, the arbitrary of language, and practices brain plasticity to learn new languages (i.e., new worldviews).

It is interesting to think about what corporate bilingualism could mean. Each corporate field has its own professional terms. Professionals that know the professional jargon can integrate, communicate, and play with concepts more easily. Bilingual professionals master multiple fields fluently and learn quickly about new fields.

Consequently, applying fundamental concepts from one world to another enlarges our limits. Here, I analyze the Vendor world while considering Customer concepts. I discuss the Chief Vendor Officer (CVO) role, the vendor relationship, and the vendor culture. In this matter, I use relevant standard customer concepts (e.g., “Customer Success”) and replace the word “Customer” with “Vendor.” This exercise brings us an immediate vocabulary for the vendor world.

The role of the Chief Vendor Officer (CVO)

The CVO department is not limited to today’s Vendor Management Office (VMO), although the VMO is central. It is equivalent to a Vendor Success or Vendor Support office.

The CVO handles the whole Vendor Experience. The CVO must prepare the Vendor Journey from the beginning (vendor discovery) up to the termination (vendor off-boarding). The Vendor Journey is composed of different steps compared to the Customer Journey. The Customer Journey is sometimes simplified to 5 steps: Acquisition, Activation, Retention, Referral, and Revenue (AARRR metrics). The Vendor Journey is different since the company is the customer. It is composed of Selection, Validation, Negotiation, On-Boarding, and Renewal.

The CVO must analyze in a funnel plot how long each step takes to know where to enhance first. As a result, the CVO should talk to internal and vendor stakeholders for Vendor insights. A Vendor Management platform may complete the picture and provide other companies’ feedback on the quality of their relationship with a vendor.

Besides, the CVO can look back on sudden “vendor churn,” when the replacement of vendors was unexpected (either by the vendor or the company “firing” the other one). Some Vendor insights may reside here also, especially if the vendor is vocal.

The Vendor Relationship

How does the CVO manage the Vendor relationship? He or she is not the single vendor-facing position. Many teams will often interact with a Vendor. It includes: The Business Unit requiring the service, Procurement, Legal, IT, Security, Risk & Compliance, Privacy (if personal data is shared).

So many companies’ stakeholders can lead a coherent action only if they are aligned. To help them, a common platform displaying a Single Vendor View (or a Vendor-360) must be in place. This Vendor Relationship Management platform displays all the information relative to the Vendor.

For complex operations (e.g., performance tracking over time), a Vendor Data Platform may be needed to have a unified vendor profile from various data sources (Data flows, Support, Networking).

A Vendor-centric culture

Why is it important to have a Vendor-centric culture? On one hand, customers are bringing revenue to the company, not the vendors. On the other hand, vendors can bring a lot of value when they innovate and integrate well on how to solve the company’s needs. Being vendor-focused and having a close vendor relationship may reveal new untapped value, mainly for critical vendors. This requires both company and vendor engagement.

How to measure this value? A complex exercise for the CVO is to compute the Vendor Lifetime Value. How much value does this Vendor bring to the Company overall? Should I look for other vendors? Where can I increase this value? For example, good on-boarding and training on vendor products gives extra value from existing products to the company.

Vendors will never replace Customers as a first-position focus. Each one has its own role in the value chain. However, fundamental concepts about Customers should be used with Vendors. Suddenly, the vendor is not a simple, interchangeable service provider. The vendor looks more like a partner with common interests that we can measure.

The company is still focused only on the company’s success. Synergies, fruitful collaborations, or any win-win relationships with the vendor should be actively sought. It is somehow harder to execute.

A Complete Toolkit for a 360-Degree Vendor Management

16.03.2020

A reference guide to the Chief Vendor Officer on existing software tools

Vendor Management’s objective is to provide more value to the company via the integration of Vendor products.

It happens at different phases:

Discovery. Finding the relevant vendors that respond to the company’s needs.
Vendor evaluation and selection. Look at the response to the need, price, integration with other solutions, customer support level, compliance, security, etc.
Implementation. Optimize vendor on-boarding and track vendor performance.
Vendor culture. Fostering the culture of requesting and using outside solutions.

This process is generally triggered by the leading company department when the need occurs. However, the Chief Vendor Officer (CVO) may want to propose solutions if relevant. It is a serious advantage for the CVO to have a large culture of existing domains and tools that are already present. It accelerates both the Vendor culture and the Discovery phases by providing rapid answers.

This guide informs vendor-facing departments about the various tool families available for Vendor Management. It does not include the names of specific vendors. Online vendor comparison reports allow an in-depth analysis of specific products. This guide details the solution fields with a brief description of the vendor relevancy.

Risk Management

Risk Assessments. Selecting a Vendor requires ensuring this Vendor is compliant and secure. Risk assessments are questionnaires submitted to Vendors at this end. These platforms are collaborative and should include many standard questionnaires.
Third-Party / Vendor Risk Management (TPRM / VRM). IT Vendors have an intrinsic risk that must be managed (think about data breaches, business disruption and privacy compliance). These platforms use the assessments to evaluate the risk zones and to apply measures to mitigate them.
The VRM solutions can be often found in Governance, Risk management and Compliance (GRC) or Integrated Risk Management (IRM) platforms.
Vendor News Monitoring. This service gets the latest news about vendors on various subjects (financial, data breach, lawsuits, changes in legal and executive structure) to reassess vendors’ risks.

Legal

Contract Lifecycle Management (CLM). Access to the contract content is critical to tracking signed vendor performance. The contract clauses give elements to evaluate the vendor’s value, e.g., upon contract renewal period. The CLM platforms reference all the contracts and their clauses.

Compliance & Privacy

Consent and Data Subject Request Management. When submitting a request, the data subject expects to receive all the personal data information, including from the third-party vendors.
Website scanning. The website scanning allows users to automatically find all the Third-party and Fourth-party vendors present on the company’s website pages. They also look for vulnerabilities and privacy compliance (e.g., privacy and cookie policies referencing third-party vendors).
Vendor sanctions. Before receiving any service from a vendor, a company must ensure there are no sanctions preventing any collaboration, possibly automatically.

Security

The main security risks are about data breaches and the vendor’s additional attack surfaces.

Vulnerability Management. Adding products and libraries increases the attack surface. These tools allow us to scan for existing known vulnerabilities.
Cybersecurity Risk Rating. As part of the Digital Risk Protection domain, the security risk ratings give a complement to the assessments to evaluate the vendor risk. These ratings do not come from customer declarations but from external evaluation.
Cybersecurity Incident Response Services. Most data breaches come from third-party vendors. Getting prepared for a possible data breach must include a response when its source is a vendor.

Shared Data Management

As seen with data breaches, the shared data with vendors requires special handling. Many data management tools are relevant here for the data shared with vendors:

Data mapping. The data flows must be mapped and recorded as mandatory by regulatory compliance (e.g., GDPR). In the financial sector, the data transformations must also be documented in a data lineage document.
This data mapping details which data (e.g., personal data) is shared with vendors. Data catalogs and API catalogs, for example, may be useful for the documentation.
iPaaS (Integration Platform as a Service). These platforms allow users to interface with many APIs without developing complex software.
De-identification/pseudonymity. These solutions allow users to ensure the privacy of the data subject while still sharing the data (with vendors) for insights.

Information Technology

The IT department plays a large role in vendor on-boarding and performance tracking. They provide information about the effective usage and value provided by the vendor to the company.

Software Asset Management. These platforms track for installed & cloud-based software solutions the number of paid licenses and the effective usage for potential cost reduction. They also track the deadlines for end of support and patch availability.
Application Performance Management. These tools provide the effective performance of the applications and their user experience.

Some fields involving vendors are not mentioned. For example, Procurement Systems are a good source of information during the Vendor discovery phase. Or, Knowledge Management solutions can record processes and how to on-board vendors.

The mapping of all the useful tools highlights another dimension in the Vendor economy: the importance of the ecosystem. Solutions interfacing with one another allow integrated processes and provide more value to the company.

The complete Vendor Management solution is required to be technological and integrative. It provides a single vendor view with all the elements to optimize the vendor’s ROI.

17 Disturbing Statistics Justifying the Vendor Management Imperative

A bleak picture emerges when looking at the numbers. It is time for a change.

The following 17 statistics show us a bleak picture. The presence of third parties and vendors has increased drastically, including the vendor risk. The vendor risk can be either privacy non-compliance, performance disruption, or a data breach risk. These risks are quantitatively present.

To reduce these risks, vendor management is critical when managing these numerous vendors. Vendors are evaluated, e.g., with risk assessments. This Vendor Management has a measurable cost.

Of course, the following statistics do not reveal the full picture. Besides, proactive decisions can change the course of action.

Vendor Management Importance

Large companies have many third-party vendors, some with direct access to the company’s network.

An average of 89 vendors access a company’s network every week — link

18 percent of respondents indicated their companies work with more than 1,000 third parties, and another 16 percent said they work with more than 10,000— link

Vendor Risk

However, most companies cannot guarantee good personal data protection.

60 percent of companies admit they lack the resources to monitor the security and privacy practices of vendors with whom they share sensitive or confidential information — link

74 percent of businesses are unaware of all the third parties who handle their data and personally identifiable information (PII) — link

The data breach risk is also very present.

66 percent of security professionals think that it’s possible or definite that they suffered a breach through third-party access — link

And there are certainly other risks too.

87 percent of organizations have experienced a disruptive incident with a third-party vendor within the last three years — link

82 percent were not confident or unsure if they have identified all the third party risks their organization is exposed to — link

Cost Evaluations

Managing the vendors has a real cost, but the cost of not managing them is even higher.

Third-party breaches are more expensive than in-house breaches, costing $13 more per compromised record — link

The average cost of managing 100 third-parties is slightly more than $26,000 — link. 23 percent of organizations do not evaluate third parties at all — link

The average cost of addressing a Data Subject Access Request (DSAR) is $1,400 per request — link

For example, managing assessments has a high cost due to a lack of automation:

A single FTE (Full-Time Employee) can manage approximately 350 third-party information security risk assessments and decisions annually — link

71 percent of companies are still using a custom questionnaire — link

Prioritized Vendor Management

Given these numbers, it is not a surprise why Vendor Management is a priority today.

Ensuring third parties have appropriate security practices to protect sensitive and confidential data was the first governance priority for 2019 — link

40 percent of organizations have a fully mature vendor risk management process in place — link

The Vendor Risk Management Market is expected to exceed US$ 7 billion by 2024, with a CAGR (compound annual growth rate) of 13 percent — link

In our Vendor economy, we don’t always realize the value and the risk that vendors bring to the company. Companies have many vendors, some with privileged access.

Both the vendor value and the risk are real, with a measurable cost. Due to the cost, it is tempting to avoid managing the vendors. However, it only increases the risk and the cost, while missing opportunities.

Planning the Vendor Management while adopting a vendor culture is the key to gaining from vendors deeply and responsibly.

The Inevitable Rise of the Vendor Economy

21.11.2018

An example of a startup landscape infographic.

Vendors are the new oil, so be ready to manage them. Increasing landscape infographics of startup vendors is only the first signal.

How do you choose your doctor? I know only two types of people. The ones like me, trusting the system blindly. No research. I just choose according to the availability and closeness. And the ones like my partner, who always seek recommendations from trusted people. In general, such people work or have a close relative in the healthcare system. And they always know where to go.

Then I thought I had the same issue at work. I cannot see people in 2020 still performing impossible operations on Excel, while so many specialized tools exist online. Here, I was looking to find the best software, but there was no one to ask. How to start the search?

I always look first at the technology landscape. You know, these infographics showing the list of startups per domain (see image above). They can sometimes get crazy (the MarTech 5000 landscape references 7K vendors in one picture!). But the technological landscapes of IT companies reflect our Vendor economy.

Human barriers against vendors

It is against our nature to work with vendors. Here are the psychological barriers:

Trust. How do you know you can trust this company? The fact that they appear in a landscape is already a sign of recognition. And most of them have testimonials from trusted customers on their websites. Early adopters will jump quicker than others.
Classification. As humans, we tend to reduce and catalog quickly. Any company is simplified to a 3-word catchphrase. We may misunderstand the real opportunity they bring. Sometimes, new brands are even created only to enlarge fields of activities.
Locked in. Once we have invested in the collaboration (integration in the process, learning), there is a higher cost to switch. We feel this risk upfront, and it is always easier in the short-term to not switch. Therefore, we keep using Excel for everything until the pain is sufficiently high.

Vendors are always worth it

Let’s face it. Most of our company’s processes are relatively standard. It is quicker that way to recruit and on-board efficient employees with experience. So, it makes sense to have dedicated tools for each process. And these tools should be developed by external Vendors that can sell them to this market.

And it is the case already. According to Blissfully, the number of SaaS apps used steadily increases by ~30% year over year for all company sizes. A huge number. Companies are using best-of-breed apps. These apps excel in one specialization, managing or solving a specific pain point with high standards.

And it won’t stop. Artificial Intelligence technology gives vendors an edge, since it possesses large and varied data sets. And the open-source movement has simplified the integration of a huge number of software libraries during product development.

Vendor Management vs Vendor Risk Management

This new economy creates a complex ecosystem. A company can thrive only if it has the culture and processes in place to quickly find, select, and integrate the best vendors. These vendors can have off-the-shelf products in simple cases. Or they may require close collaboration for customized product development (think about a start-up in its early stages). The company must adapt to its needs and to the reality of the landscape.

Besides, a lot of vendor risks are created by this dependency. They can be business risks (service disruption, quality of service or product), regulatory risks (compliance, privacy, security), or financial risks (contractual, price, vendor stability). The recent remarkable privacy regulations (GDPR, CCPA) have also highlighted how the company is responsible for the personal data managed by the vendor. Setting programs to handle Vendor/Third-party Risk Management is now mandatory in financial institutions.

Companies want to be able to work with the best vendors at business speed and with responsibility. Also, innovative and specialized IT vendors are critical to simplifying this very critical pain point.

So, what is our doctor selection process now with my partner? She looks for the recommended doctors as long as they have reasonable availability. I used to look at vendors as interchangeable, similar to doctors. But I was wrong.

Vendors enable us to speed up processes and to create value. For each pain point, the best-of-breed vendors solve it with high standards. It requires our efforts to find them and work with them. We must set a clear vendor management process, overcome our psychological barriers, and manage all the vendors’ risks. It sounds like a lot, but this is where our economy is heading to, and well, it is exciting that collaboration wins.

Welcome the new C-level role: Chief Vendor Officer (CVO)

Vendors are the new oil. And the recent rise of Chief Data Officers (CDOs) could show us the path to how to gain faster from vendors: with a Chief Vendor Officer.

Do you remember how we were handling our passwords? We all had our own strategy. Some were using the same password everywhere. Maybe twisting a bit according to the password requirements, such as adding a special character or the website name. Others were writing them down in an unlocked document. Others were forgetting them with each new account access.

Since switching to password managers (thank you, Keepass), I’ve felt lighter and more secure, free of the mental burden of creating and remembering passwords. The transition was interesting. I had to retrieve all my accounts. I suddenly understood that my accounts were all over the Internet, and there was no automatic way to find them (a trick is revealed later). Try to recall; you, too, might have a lot of accounts out there.

That’s the point. As individuals and companies, we steadily increase our use of SaaS vendors. These vendors excel in providing specialized products and services that resolve our needs and pain points. For companies, they are the source of a tremendous potential for efficiency. Such a critical resource must be managed at the top level. Welcome to the Chief Vendor Officer.

The evolution of CxO roles

I know what you are thinking. “What?! Another Chief-something-Officer role?” Indeed, many CxO roles have been created over the years (Wikipedia references almost 50). Even the ‘V’ of the CVO is already used by the Chief Visionary Officer.

Traditionally, CxOs were focused on their discipline (Marketing, Sales, Technology, or Finance). Then, in the past decades, new CxOs were handling a major resource or risk that was present all throughout the company (IT, Security, Knowledge, or Data).

For example, recently, the presence of a Chief Data Officer (CDO) in Fortune 1000 companies has jumped from 12% in 2012 to more than 60% in 2018. This high adoption rate reflects the necessity to manage data in times of Big Data, AI, and privacy regulations.

The exemplary CDO path

Early on, after 2008’s financial crisis, most CDOs were present mainly in the financial sector. Since then, they have been in all sectors. In only a few years, the CDO role has evolved a lot. Data was seen as the new oil, with a lot of potential to provide valuable insights. But first, the data had to be managed.

Thus, the CDO’s concerns were first defensive: security, privacy, regulatory compliance, and quality of the data. After that, the CDO became more offensive, i.e., creating value from data. For example, via data collaboration and fostering data science projects (somehow starting with anti-fraud and customer churn projects).

A lot of skepticism was present when the CDO arrived, since this function was planned to change corporate culture and processes. The need for a Chief Vendor Officer is similar today.

How did I find all my Vendors? Today, users have easier access to their data than to their vendors. My Vendor discovery process was simply to retrieve all the confirmation emails in my mailbox sent after an account creation. Finding account creation via a search bar in my data is easy. Knowing which product or service is available out there and is relevant to me is a more difficult problem.

The call for Vendors

We are in a Vendor economy. A lot has been said about Big Data and AI. It is less common that vendors have an edge. While specializing and providing a generic solution, they collect a rich and diverse dataset to better solve the problem they are focused on. For each issue we have, we must first think if this issue is somehow generic and then look for a potential vendor.

A suggested roadmap to the CVO

So, what should be the role of the CVO? The CDO shows us the path. The CVO should make some orders first and then bring value to the company.

Be defensive first. The CVO must have the big picture of the vendors and ensure they are responsible for working with them. Not a simple task. As seen, discovering all the vendors is already complex for an individual. Processes need to change to track vendor on-boarding and off-boarding.
Besides, the CVO must ensure compliance with the regulatory, privacy, and security requirements (shared personal data, vendor data breach, GDPR).
Then be offensive. Vendors can provide a lot of value. Their selection and on-boarding should be accelerated, with a defensive line at business speed. The vendor’s performance should be tracked against the signed contract. And alternative best-fit vendor searches should be standardized where needed.
Above all, a vendor culture must be fostered to prefer by default Vendor solutions over internal solutions for non-core expertise subjects.

I never click on the “Forgot password?” link anymore. I know my accounts and who to update upon major changes (new address, new credit card number, or even new email address). I am on top of it.

In our companies, we need roles to account for valuable people or resources. The CDO is the voice of data with untapped potential, and the Chief Product Officer or Chief Customer Officer is the voice of the customers. Who is the voice of the Vendor today?