Security analysts responsible for vendor management have a unique combination of challenges, both human and technical. Questionnaires are a standard tool, but are also wrought with human error, both intentional and accidental. On the technical side, risk managers are unlikely to have access to a third party’s network. Furthermore, “on-network” investigations intended to provide appropriate cyber due diligence for third-parties, such as a penetration test or compromise assessment, are rarely completed within an actionable time period aligned with the risk manager’s work flow. Finally, while risk management tools aggregate useful insights in real time, they are unlikely to be tuned perfectly to an individual risk manager’s needs with a specific third party.
