Vendor management

Caroline McCaffery
April 27, 2021

A Venus fly trap is a flower that catches insects as its prey using a terminal structure that is triggered when an insect touches the tiny hairs on the leaves a couple of times in a short period of time. Similar to the Venus fly trap, vendors who receive security questionnaires are now prey to a trap of its own “terminal structure” called network effects.

The following quote from a recent article about a company that provides third party risk services, aka vendor management, demonstrates my point: “XXXX’s customers can invite their vendors to participate [in a security questionnaire], at no cost to the vendor [deleted]. By completing an assessment, the vendor will become a part of the XXXX network. This lets them easily map their answers to assessments from other XXXX’s customers, without having to start from scratch for similar questions. The customers and vendors together create a network effect that improves transparency and efficiency for all participants.” [redacted to maintain anonymity]

Let’s break this quote down one by one. First, the vendor (V) receives a security questionnaire from a prospect. Prospective customer (PC) has a lot of vendors and so they found a company that helps them manage all those vendors. That is where XXXX comes in. XXXX sells vendor management services and (PC) is one of its customers. So, in this scenario, XXXX is letting (V) access the questionnaire for free on the XXXX platform so (V) can answer (PC) security questions. Not only can (V) access the questionnaire for free, (V) can enter all of its data straight into XXXX’s platform, again, for free! So simple and great, right?

Well, hold on a second. (V) did not sign up for XXXX. (PC) did. But (V) has to share all its confidential information about its privacy and security operations and practices with XXXX to win (PC)’s business? The next sentence literally says that by “completing an assessment, the vendor will become a part of the XXXX network.”

Should (V) trust XXXX? From XXXX perspective, this is great because (V) is now a customer without any sales or marketing effort. (V) signed up because they had to in order to get (PC)’s business!

But there are many problems here for (V) to consider. To win (PC)’s business, (V) is bypassing all of its own third party management processes to sign up to XXXX. One sneaky observation is that (PC) could be testing (V)’s vendor management process i.e. does (V) actually conduct its own due diligence on XXXX first? It is unlikely that (PC) is doing this, but there is nothing to stop them from weighing (V)’s response this way.

To keep (V), XXXX argues that there is a large benefit. The benefit is letting (V) map the answers they provided to (PC)’s questionnaire to any other customer questionnaire in the XXXX ecosystem. The argument is that this creates some sort of beneficial network effect, specifically transparency and efficiency for all.

But does it create a network effect that benefits (V)?

Who else is in XXXX’s ecosystem? How does (V) keep its answers up to date? Is XXXX giving (V) specific recommendations to make sure (V) wins business by participating in the network? Where is the transparency?

Even more concerning is the question of, is (V)’s data trapped in XXXX? Can (V) get the answers out?

And most importantly, what if (PC) sues (V) claiming that (V) lied? Who does XXXX’s loyalty belong to? (V) or (PC)? To take this a step further, if (PC) makes a discovery request to XXXX for (V)’s data in the network and (V) objects to the disclosure, who does XXXX choose? The answer is probably the paying customer, (PC).

Most vendor management tools are built for companies that need help managing their vendors, not for the vendors getting managed. There are a lot of potential downsides to vendors for products built this way because they were not built with the vendor’s interests in mind. It can be a trap and one that can actually cost the vendor a lot of money. Before you get stuck in this Venus fly trap, ask if you can download the questionnaire and keep it in your own systems, or better yet, choose ClearOPS, because our platform is built for vendors.