Gainesville Regional Utilities (GRU) isn’t just a utilities provider—it’s the communications backbone for the community. In addition to delivering electricity and water, GRU operates fiber-optic networks and uses smart grid and metering technologies to keep homes, businesses, and public facilities in the northern Florida city connected and running.
Behind the scenes, these systems rely on a complex network of third-party vendors. From cloud service providers to equipment suppliers, these partners play a vital role in GRU’s operations.
But they also pose a potential cybersecurity risk.
To address that vendor risk, the utility’s IT security and compliance teams launched the Vendor Security Risk Assessment (VSRA) program in August 2023. The chief goal of the program is to make sure vendors with access to sensitive systems, data, or networks meet rigorous security standards as part of the vetting process.
“We designed VSRA to make sure vendor relationships do not introduce vulnerabilities into our environment,” says Walter Banks, CIO of GRU. “So the program kicks in early, before a vendor is onboarded, a contract is renewed, or the scope of a vendor’s services changes.”
What’s inside the VSRA program
VSRA includes the following steps:
Intake and triage: The requesting business unit submits an intake form detailing the vendor’s responsibilities, the IT service involved, the types of data needed, and any required system access. The IT security team then conducts an initial risk triage.
Detailed assessment: If the vendor poses a moderate or high risk, it must complete a security questionnaire and provide documentation such as SOC 2 reports, penetration test results, and security policies.
Technical review: The security team evaluates how the vendor’s service integrates with GRU’s systems, covering categories such as data transmission and storage, access methods, and security controls.
Vendor risk reporting: Following the review, the security team writes a report identifying risks and recommending mitigations. Any medium or high risks require formal acknowledgement by the requesting department’s leadership.
Centralized recordkeeping: All assessments and decisions are stored in a secure, centralized database for accountability and audits.
Initial resistance from vendors and internal leaders
The first hurdle in implementing the VSRA program was internal resistance from leadership, Banks says. Some GRU executives worried the program would add red tape to an already complex and lengthy procurement process.
To overcome that skepticism, GRU’s IT team shared real examples of past vendor assessments with leadership, both successes and incidents where inadequate vetting led to security vulnerabilities. The IT team also explained expected turnaround times and how risk-based recommendations would work in practice.
“We gradually gained leadership support and equipped them with the information they needed to communicate the program’s benefits to the rest of the org,” says Banks.
Vendor compliance was another challenge, particularly with long-time partners that had never been asked for extensive security documentation. GRU addressed this by reaching out directly to vendors to explain how to comply with GRU’s new standards. Additionally, GRU created a vendor scoring system that continuously monitors vendors’ security posture for potential risks.
“Once we addressed cultural resistance, vendor compliance, and documentation, all parties involved began to recognize the program’s value,” says Banks.
The impact: Decreasing vendor risk, increasing efficiency
Since launching VSRA, GRU has formally assessed 144 vendors, producing 32 risk exception reports. In two-thirds of those cases, GRU avoided the risk entirely by choosing alternative vendors.
The program has also uncovered more than 70 medium- to high-risk vulnerabilities that might have led to data breaches had they gone undetected.
Compliance has also improved. More vendors now provide SOC 2 reports, certifications, and documented security policies, helping GRU meet data protection requirements such as HIPAA and lowering the likelihood of non-compliance penalties.
Another win for GRU is that its vendor risk assessment process is simply more efficient now, says Banks.
“Automating parts of assessments and adding a vendor risk database has led to faster responses to threats and cut manual work by 50%, freeing up team members to focus on more critical tasks.”
For its vendor risk assessment project, Gainesville Regional Utilities earned a 2025 CSO Award. The award honors security projects that demonstrate outstanding thought leadership and business value.
Advice for security leaders: No shortcuts, no surprises
CIO Banks has learned a few lessons about managing third-party risk and offers advice for organizations considering a VSRA program.
Seek external guidance: Banks suggests CIOs and CISOs talk to peers and industry organizations about vendor risk management before designing a program. Insights from these groups can help avoid “easy fixes” that ignore the complexity of security threats.
Make security part of the business case and be transparent: Weigh the risks and rewards of security programs and make sure there is a clear business case for vendor risk assessments. Communicate the business benefits clearly and frequently to leadership and other departments.
Make assessments repeatable and non-negotiable: Apply the same risk assessment to every vendor. Repeatable processes ensure that vendors, equipment, and services are evaluated consistently. Making exceptions for certain vendors could introduce risk.
Watch for red flags: Vendors unwilling to participate in risk assessments could signal deeper issues. In the early days of VSRA, a vendor reached out directly to a GRU business unit requesting an exemption from the VSRA process. Weeks later, that vendor suffered a malicious data breach. While the VSRA process would not have prevented the breach, says Banks, it highlights the importance of assessing risk before making commitments.
Safer utilities and communities, no exceptions
By baking risk checks into vendor procurement and keeping a constant eye on security vulnerabilities, GRU has cut down its exposure, improved compliance, and built a culture where everyone takes security seriously.
As cyber threats evolve, GRU’s experience shows that protecting critical infrastructure starts with knowing, and trusting, your vendors.
For Banks, the message couldn’t be clearer: “Vendors that want to continue doing business with your organization must meet your standards. Make no exceptions and stick to your principles.”