How often does procurement include cyber risk assessment requirements in their engagement requests?

Security Strategy & Roadmap Third Party Risk Management (TPRM)

Always25%

Often36%

Sometimes24%

Rarely12%

Never1%

Not sure

426 PARTICIPANTS

3.1k views1 Comment

Sort by:

CTO2 years ago

It depends on the size of the business. In my experience, most of the publicly listed companies' procurement team will have this requirement as part of due diligence of vendor onboarding process.

For private companies, it depends on the size and agility of the business that matters the most.

Another driver for this requirement comes from regulatory compliance side and that too depends on which sector the company is operating.

Content you might like

Do you allow access to workday/HR application outside of InTune or another MDM tool?

What is your policy for hourly employees accessing Workday ‘off hours’? How is this policy managed?

What requirements have you used to evaluate and select a SAAS SPM tool?

Do you use ServiceNow to manage access and support Identity and access management within your organization?

Yes78%

No22%

A common challenge in our risk-tiering framework for suppliers is that even the lowest risk tier still requires processing.
Has anyone implemented a "not relevant" risk tier in their model?
This tier would apply to vendors posing genuinely negligible security risk.

What percentage of your organization's AI usage do you estimate happens outside of IT governance?

Less than 10%16%

10-25%64%

25-50%12%

More than 50%8%

I don't know

View Results

How often does procurement include cyber risk assessment requirements in their engagement requests?

Sort by:

Content you might like

Do you allow access to workday/HR application outside of InTune or another MDM tool?

What is your policy for hourly employees accessing Workday ‘off hours’? How is this policy managed?

What requirements have you used to evaluate and select a SAAS SPM tool?

Do you use ServiceNow to manage access and support Identity and access management within your organization?

A common challenge in our risk-tiering framework for suppliers is that even the lowest risk tier still requires processing.
Has anyone implemented a "not relevant" risk tier in their model?
This tier would apply to vendors posing genuinely negligible security risk.

What percentage of your organization's AI usage do you estimate happens outside of IT governance?

What sets us apart?

Take Your Insights On-the-Go

How often does procurement include cyber risk assessment requirements in their engagement requests?

Sort by:

Content you might like

Do you allow access to workday/HR application outside of InTune or another MDM tool?What is your policy for hourly employees accessing Workday ‘off hours’? How is this policy managed?

What requirements have you used to evaluate and select a SAAS SPM tool?

Do you use ServiceNow to manage access and support Identity and access management within your organization?

A common challenge in our risk-tiering framework for suppliers is that even the lowest risk tier still requires processing.Has anyone implemented a "not relevant" risk tier in their model?This tier would apply to vendors posing genuinely negligible security risk.

What percentage of your organization's AI usage do you estimate happens outside of IT governance?

What sets us apart?

Take Your Insights On-the-Go

Do you allow access to workday/HR application outside of InTune or another MDM tool?

What is your policy for hourly employees accessing Workday ‘off hours’? How is this policy managed?

A common challenge in our risk-tiering framework for suppliers is that even the lowest risk tier still requires processing.
Has anyone implemented a "not relevant" risk tier in their model?
This tier would apply to vendors posing genuinely negligible security risk.