Minimizing the risk of third party vendors
Using third party vendors and SaaS services is an effective way to fill gaps and speed up your go-to-market strategy. There are a variety of services available, from calendar sync, GIF bots, and ticketing systems, to password managers and documentation platforms. The world is your oyster. But alongside these benefits, you need to weigh the risk of storing your data with someone else and of relying on their uptime for your own product’s availability. It’s a fun balancing act.
Third party vendor management
According to a BetterCloud report, organizations use an average of 130 SaaS applications. This means there are many places where your company’s data is being synced and where critical functionality is being hosted.
The main privacy and security risk of using SaaS vendors is that you are likely sharing a lot of data with them. The main operational risk is that their uptime could directly affect your uptime. The benefit is that you don’t have to reinvent the wheel to get something done.
It’s all about weighing the risks. For example, you can reduce the risk of storing sensitive information, such as credentials, by using a vendor who specializes in handling customer authentication. However, this also increases the risk of downtime, because your product is now reliant on someone else to function.
You need to be aware of what you’re sharing and how important it is to your product in order to make an informed decision.
Basics to get started?
Identifying your vendors can be a challenging task for an established business. You can ask your team, search through integrations of your most frequently used tools, and look for vendor emails. However, I’ve found that the most reliable source is to check with whoever is paying your bills for vendor invoices. Follow the money!
Document all of your vendors and classify them based on a few data points, such as the sensitivity of the data you share with them (known as data classification) and their criticality to your uptime (also known as business impact analysis).
A simple way to do data classification is a four-tier system, such as:
- Public information - everyone has access
- Internal - all employees have access
- Restricted - most employees have access
- Confidential - only senior management has access
A business impact analysis is a topic within the wider business continuity sphere. In a nutshell, we’re trying to categorize how important a vendor’s availability is to your product. To keep it simple, think about the longest amount of time that a vendor can be offline before you start looking for alternatives.
- Low - 2 weeks
- Medium - 48 hours
- High - 4 hours
- Critical - 1 hour
Other things to track against your vendors could include the team member who manages the vendor, whether the vendor is SaaS or a local install, whether they handle personal data at all, and a date stamp for the last time you looked at what you’re paying them for.
To keep things more streamlined, focus on the major vendors that you can’t live without, such as cloud hosting, ticket management, chat, email, and analytics. This will likely be a revealing exercise in identifying all the places where your company data has been shared.
Schedule regular reviews and build processes for handling vendors.
Review your critical vendors at least once a year, even if it’s just to negotiate pricing and check up on their latest compliance status. For stable vendors, this review will likely be quick and boring, but it will at least keep your team aware of where you’re spending the money.
Create processes and structure for onboarding new vendors that will be key to your product’s survival. Vendors that may handle your customers’ data should be peer-reviewed by other team members so no major changes are made in isolation. If the vendor is handling your sensitive information or could impact your product, ask them some questions to make sure you are comfortable with the risk of using them. Most information could probably be found on their website and it would certainly help if they have been through an external audit like ISO or SOC2. Please don’t send them a 50 page questionnaire. At the very least, the review will weed out some outliers and force a level of due diligence.
You can also use SaaS tools (oh the irony) to help manage and automate the work of managing the growing list.
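The inventory described above (data classification tiers, business impact tiers, owner, SaaS or local install, personal data, last review date) and the review rules from the previous section can be captured in a very small register. The following is an added illustration, not code from this post or from Kinde; the vendor names, owners and dates are constructed sample values, and the rules it encodes (annual re-review for vendors that handle Restricted or Confidential data or sit in the High or Critical impact tiers; peer review at onboarding for vendors that handle personal data) are the ones stated in the text.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
from typing import List, Optional


class DataClass(Enum):
    """Four-tier data classification from the post (higher = more sensitive)."""
    PUBLIC = 1        # everyone has access
    INTERNAL = 2      # all employees have access
    RESTRICTED = 3    # most employees have access
    CONFIDENTIAL = 4  # only senior management has access


# Business impact tiers: the longest a vendor can be offline before
# you start looking for alternatives.
IMPACT_TOLERANCE = {
    "low": timedelta(weeks=2),
    "medium": timedelta(hours=48),
    "high": timedelta(hours=4),
    "critical": timedelta(hours=1),
}

ANNUAL = timedelta(days=365)


@dataclass
class Vendor:
    name: str
    owner: str                         # team member who manages the vendor
    data_class: DataClass              # most sensitive data shared with them
    impact: str                        # key into IMPACT_TOLERANCE
    handles_personal_data: bool
    saas: bool = True                  # False for a local install
    certifications: tuple = ()         # as claimed by the vendor, e.g. ("SOC2",)
    last_reviewed: Optional[date] = None


def is_sensitive(v: Vendor) -> bool:
    """Restricted or Confidential data is shared with this vendor."""
    return v.data_class.value >= DataClass.RESTRICTED.value


def can_impact_uptime(v: Vendor) -> bool:
    """Tolerated outage is short enough that the vendor can hurt production."""
    return IMPACT_TOLERANCE[v.impact] <= IMPACT_TOLERANCE["high"]


def needs_annual_review(v: Vendor) -> bool:
    """Per the post: re-review yearly if sensitive data or uptime is at stake."""
    return is_sensitive(v) or can_impact_uptime(v)


def onboarding_checks(v: Vendor) -> List[str]:
    """Due-diligence steps required before a new vendor is approved."""
    checks = ["record owner, data class and impact tier"]
    if v.handles_personal_data:
        checks.append("peer review by another team member")
    if needs_annual_review(v):
        checks.append("ask about external audit (ISO / SOC2) and security controls")
    return checks


def review_due(v: Vendor, today: date) -> bool:
    """True if an annual review is required and is missing or older than a year."""
    if not needs_annual_review(v):
        return False
    return v.last_reviewed is None or today - v.last_reviewed > ANNUAL


def vendors_due_for_review(register: List[Vendor], today: date) -> List[str]:
    """Names of vendors whose annual review is overdue, for the review calendar."""
    return [v.name for v in register if review_due(v, today)]


# Constructed sample register (not real vendors or dates).
SAMPLE_REGISTER = [
    Vendor("example-cloud-host", "alice", DataClass.CONFIDENTIAL, "critical",
           True, certifications=("SOC2",), last_reviewed=date(2023, 1, 15)),
    Vendor("example-gif-bot", "bob", DataClass.PUBLIC, "low", False),
    Vendor("example-ticketing", "carol", DataClass.RESTRICTED, "medium",
           True, last_reviewed=date(2024, 2, 1)),
]

if __name__ == "__main__":
    today = date(2024, 3, 1)
    for v in SAMPLE_REGISTER:
        print(v.name, "->", onboarding_checks(v), "| due:", review_due(v, today))
    print("due for review:", vendors_due_for_review(SAMPLE_REGISTER, today))
```

The register stays deliberately small: the point is that the classification and impact tiers drive the process (who must peer-review an onboarding, which vendors land on the annual calendar), so the same two fields answer both the "what are we sharing" and "how badly would an outage hurt" questions from the text.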
What does Kinde do?
We have a huge database page where we track all our information assets and the main third-party vendors we’re using. Information is added to each vendor to help us classify things like the type of data we’re sharing with them, who the asset owner is, what team is using it on a daily basis, whether they’re a sub-processor, their security certifications, and a ton of other fields that we’ve found helpful. We review their security credentials during onboarding and perform annual re-reviews of vendors who handle sensitive data or could impact our production uptime.