Why is vendor onboarding so hard?
You are looking to build a business relationship with a larger company that can give you access to data or customers, or that can make use of the services you’re selling.
You get the business side excited about your products and services. They buy into what you’re pitching, and they are ready to move. Congratulations on making it this far; a lot of hard work is now done!
However, now you get handed to the sourcing team for the official vendor onboarding process. You are met with a lot of questions and formality. You get the third degree from sourcing specialists, corporate attorneys, and IT/cybersecurity professionals. Now you have to answer a 300-question spreadsheet, and you have 48 hours to do it.
It doesn’t matter that half of the questionnaire does not apply to your business model. It also doesn’t matter that the other half is the same set of questions repeated in slightly different ways or using terms you’ve never seen before.
It shouldn’t be so hard to get your company through vendor onboarding, right?
So, how do you get your startup through the vendor onboarding process? It’s all about:
- Understanding 3rd party risk management
- Learning what really matters to the 3rd party risk & security teams
- Making a plan to close gaps
Understanding 3rd Party Risk Management
Big companies use big systems to operate and govern themselves. The result to the outsider looking in can seem like too much complexity and formality.
Without big systems, however, it’s hard to coordinate so many different teams and groups to get anything done.
Here’s what that big vendor onboarding program cares about:
- Limiting Risk
- Process efficiency
Companies want to limit the amount of legal, regulatory, operational, reputational, and security risks from 3rd parties. The company’s brand is at stake when they bring on 3rd party companies, so this process is a means to limit exposure in all possible ways.
Additionally, the more important or “critical” your business or services are to the larger company, the more risk you pose to them, and the more they want to reduce that risk. Here are some items that go into determining your company’s risk level to the larger company:
- Classifications, types, and volume of data they’ll be sharing with you
- Any geography-specific laws or regulations
- Whether or not you’re a customer-facing service for them
- Whether or not you are cloud-hosted (yes, this still matters)
All of this comes down to how “important” or critical your business will be to the larger company’s operations. The more critical you are, the more risk they have to mitigate.
The bigger the company, the more 3rd party vendors they have. Sourcing is a whole business in itself at most large companies, and they have to field 100s or 1,000s of new 3rd party vendor relationships every year (not to mention the ones they have to maintain).
As a result, vendor sourcing teams need standardized intakes, standardized questionnaires regardless of the type of business relationship or type of company, and standardized workflows with SLAs (Service Level Agreements). Not to mention standardized governance routines to oversee and monitor all of the above.
I think we can all agree you’d standardize this too if you had to do the same thing that many times. This efficiency also helps with fair and consistent practices from an ethical and legal standpoint.
Learning What Really Matters to the 3rd Party Risk & Security Teams
Remember that 300-question spreadsheet?
Yes, you really have to fill that out to move forward.
Your company may not have anyone “doing security” at this point, let alone someone who is in charge of security overall.
You might have a hard time taking that big spreadsheet and figuring out what your company does in relation. You may have a hard time understanding how you even achieve some of these things. You might have a hard time committing to closing any identified gaps based on where you are at as a company. The good news, however, is your company doesn’t have to be compliant with every single item or do all of those functions today.
Here’s the thing - larger companies have dedicated security and risk management teams. They evaluate their 3rd party vendors based on their own level of security and compliance. They want to see equal or better controls to have certain assurances on how their data will be treated (remember the Limiting Risk part?).
Once you realize this, you can have a conversation to determine what really matters to the company. This will vary some, but most concerns fall into these categories:
- Server/Cloud services controls
- Encryption of data-in-motion and at-rest
- Vulnerability patching
- Threat monitoring
- Physical security controls (less relevant for cloud-based companies)
- Business Continuity & Disaster Recovery: your ability to recover and continue services in case of an event or outage
- Your ability to comply with laws based on the data you have and process as a part of your business (PCI, AML, KYC, OFAC, etc.)
- Human resource items like training, security awareness, background checks, etc.
Sometimes all the larger company needs is the understanding that you hear their concerns and the assurance that you will address what they care about most.
Making a Plan to Close Gaps
Building on the above: to complete the vendor onboarding process and get to the point where you can do the business function you were brought in to do, you need to make a plan to close out those gaps. The larger company understands you do not have the same resources that they do, but they will need dates and milestones to make them comfortable.
Don’t ask the larger company how long you can have to close a specific set of gaps.
You need to be transparent and realistic about what you can commit to over the next 3 to 12 months on a remediation plan and tell them what you can do. Help the larger company understand that you will address risks as you grow, and that some risks are not possible to close out until you get to certain financial milestones or bring in more people. Let the larger company come back to you on what they want to see done faster or in what order.
Here’s another piece that is almost always overlooked when it comes to this process:
Keep your “business contacts” engaged through the whole exercise.
This is the team or group you originally made traction with. This is the group that liked your offerings enough to get you started on the vendor onboarding process. This group needs to understand and weigh in on the risks from their business point of view.
These business relationships are often accelerators for getting new products to market or being competitive. Not being able to use your business or services also carries risk. Your business contacts are best placed to articulate what is at stake and what levels of risk are acceptable.
If everything goes well for your company, you will be in this position many times! Each company may have a slightly different set of concerns and a somewhat different spreadsheet or online form (though it will still be massive!), but how you approach and negotiate success can be the same.