
Most Vendor Assessments Miss Critical Security Risks, According to New Resource From Info-Tech Research Group

By PR NEWSWIRE
July 9, 2025


As vendor-related cybersecurity risks grow, outdated assessment methods are falling short. Info-Tech Research Group’s new blueprint introduces a risk-based framework to streamline evaluations, improve compliance, and strengthen security. The practical approach outlined in the resource supports continuous improvement, enabling security teams to manage evolving threats with greater efficiency.

TORONTO, July 9, 2025 /PRNewswire/ – Vendor partnerships are critical to business success, but they also introduce increasing security risks that organizations must manage carefully. With regulatory demands rising and third-party breaches becoming more frequent, traditional vendor security assessments are no longer effective. Broad, one-size-fits-all approaches often burden security teams, frustrate stakeholders, and stall business progress. According to Info-Tech Research Group, some assessments are so onerous that vendors refuse to bid, or business units find ways to bypass the process altogether, leaving organizations exposed to significant risk.




New blueprint from Info-Tech Research Group offers a step-by-step approach to assess vendor and service risks based on impact, likelihood, and organizational risk tolerance. (CNW Group/Info-Tech Research Group)







To help organizations address these challenges, Info-Tech has published its blueprint, Build a Vendor Security Assessment Service, outlining a practical, risk-based approach that enables IT leaders to focus on what matters most. By tailoring assessments to actual business risk, the data-backed research enables organizations to streamline processes, enhance compliance, safeguard sensitive data, and make more informed decisions throughout the enterprise.

“Taking a risk-based approach helps organizations focus their assessments on what matters most, aligning security efforts with the type of service being evaluated and their own tolerance for potential threats,” says Ahmad Jowhar, research analyst at Info-Tech Research Group. “Furthermore, a process that fosters continuous improvement in the vendor security risk management program will enable monitoring and improvement, which will help identify further enhancements to the assessment.”

In its newly published resource, Info-Tech emphasizes the importance of adopting a structured, end-to-end approach to managing vendor security risks. The firm suggests that rather than relying on one-off assessments, organizations should implement a continuous process that includes initial risk evaluations, treatment through well-defined contractual terms, ongoing monitoring, and regular reassessments. This method ensures that due diligence doesn’t stop once a vendor is selected.

Info-Tech’s risk-based strategy not only enhances vendor accountability but also enables internal teams to effectively manage evolving threats and maintain a robust security posture over time.

The firm’s resource outlines a clear three-phase approach to building a vendor security assessment service:

  1. Define Governance and Process: Establish a solid foundation by identifying requirements, defining roles, developing policies, and establishing risk treatment strategies that align with the organization’s risk tolerance.
  2. Develop Assessment Methodology: Design the tools to assess service and vendor risk. This includes building more effective, risk-based questionnaires, avoiding common pitfalls like overly broad, purely informational, or excessively long surveys.
  3. Implement and Monitor Process: Execute and monitor the service with a continuous feedback loop. This includes tailoring security requirements in contracts and ensuring periodic reassessments.

To help organizations apply the three-phase methodology in practice, the Build a Vendor Security Assessment Service blueprint provides a detailed framework for assessing new vendors or services:

  1. Service Risk: Determine the potential impact of a vendor-related security incident by evaluating the assets at risk and the associated recovery costs.
  2. Vendor Risk: Assess the likelihood of an incident occurring, with the level of due diligence determined by the potential service impact.
  3. Composite Risk: Multiply service and vendor risk to calculate a composite risk score, which is recorded in a risk register or vendor inventory.
  4. Risk Treatment: Treat risks based on the organization’s risk tolerance using a matrix to accept, mitigate, or reject them.
  5. Record Details: Document assessment outcomes in the vendor inventory, with reassessment frequency guided by the composite risk level.

By addressing both the impact and likelihood of vendor-related incidents, Info-Tech’s framework enables organizations to align their security efforts with actual risk, focusing resources where they’re needed most. Regular reassessments strengthen vendor accountability and support better decisions, all while reducing organizational risk exposure, improving compliance, and enhancing operational efficiency.

The firm’s approach also enables better visibility into vendor and service risks, helping transform vendor risk programs from operational bottlenecks into strategic enablers. Stakeholder alignment and continuous improvement are central to the framework’s success.

For exclusive and timely commentary from Ahmad Jowhar, an expert in security and privacy practice, and access to the complete Build a Vendor Security Assessment Service blueprint, please contact [email protected].

About Info-Tech Research Group
Info-Tech Research Group is one of the world’s leading research and advisory firms, serving over 30,000 IT and HR professionals. The company produces unbiased, highly relevant research and provides advisory services to help leaders make strategic, timely, and well-informed decisions. For nearly 30 years, Info-Tech has partnered closely with teams to provide them with everything they need, from actionable tools to analyst guidance, ensuring they deliver measurable results for their organizations.

To learn more about Info-Tech’s divisions, visit McLean & Company for HR research and advisory services and SoftwareReviews for software buying insights.

Media professionals can register for unrestricted access to research across IT, HR, and software and hundreds of industry analysts through the firm’s Media Insiders program. To gain access, contact [email protected].

For information about Info-Tech Research Group or to access the latest research, visit infotech.com and connect via LinkedIn and X.

SOURCE Info-Tech Research Group




