Tips on vendor assessments from experts in the industry
This post is a follow up to a previous article on the subject, How to Survive a Vendor Security Questionnaire. In that article, I interviewed 3 security experts who are the go-to people at each of their SaaS companies for completing these questionnaires and getting past the critical security review stage of procurement to close important deals with enterprise clients.
From a vendor perspective it might seem as though it’s “easier” to be on the buyer side, but managing vendor security risk (especially at scale) has its own unique challenges:
Security and the business may have different priorities and timelines. Often security is not included in a vendor evaluation and procurement process until a final decision has already been made. It takes a lot of organizational maturity to get to the point where questions about appropriate data handling make it to the beginning of the purchasing funnel.
Time and budgets are limited. Every buyer organization is going to have a limited number of people dedicated to working on vendor security risk (whether that’s 25% of one person’s time or a team of 4 full time staff). If a single purchasing decision involves 6 different vendor options, the number of vendors to review at an enterprise organization can be large and at times seem overwhelming.
Failing to appropriately manage vendor security risk has consequences. GDPR is coming in 2018 and the financial consequences for an organization that has not done their due diligence are significant. Under GDPR when a security breach occurs, vendor security is one of the specific focus areas for investigation.
For today’s article, I interviewed 3 security practitioners who are the go-to people at each of their enterprise companies for managing vendor security risk.
Here’s what they had to say.
#1: It’s all about risk
Todd Redfoot, Chief Information Security Officer for GoDaddy
GoDaddy is the world’s largest domain name registrar and web hosting company. As GoDaddy’s Chief Information Security Officer, Todd Redfoot leads his team of global security professionals devoted to keeping its 17 million customers and over 7,000 employees safe from data breaches, privacy concerns and more.
“It’s truly a risk conversation. We have to understand the risk to the business when introducing new partners. We leverage multiple tools for this due diligence — a questionnaire is one of these tools. Once we understand these risks, we can then manage it together is we may find that no one partner is perfect” — Todd, GoDaddy
#2. Consider many sources of truth
Michael Rodriguez, Application Security Analyst for Teradata’s IntelliCloud Product Security Team
Teradata is the world’s leading provider of business analytics solutions, data and analytics solutions, and hybrid cloud products and services. As an Application Security Analyst for Teradata’s IntelliCloud Product Security Team, Michael Rodriguez applies his blue team mindset to supply chain security for cloud platforms.
“We don’t trust one report as a source of truth. Especially since compliance reports are written by third parties, it’s can be interesting to see how those differ from responses to a questionnaire. Third party pen test results can help to validate assumptions that are made in the questionnaire.” — Mike, Teradata
#3. Vendor security is cumbersome, yet crucial
Dr. Ken Baylor, President and Founder of the Vendor Security Alliance
Uber is a global transportation technology company that develops, markets, and operates the Uber car transportation and food delivery mobile apps. Recent Head of Compliance for Uber, Dr. Ken Baylor is also the President and Founder of the Vendor Security Alliance. He created the VSA to address one of the biggest problems in InfoSec, managing 3rd party vendors.
“I created the Vendor Security Alliance to address one of the biggest problems in InfoSec, managing 3rd party vendors. Ask any business in Silicon Valley and they’ll tell you measuring and mitigating vendor risk is as cumbersome as it is crucial. Everyone had an opinion, so we gathered the experts to create a baseline for all to use” — Ken, VSA
I’ve compiled the advice I received from these three experts and put it into the FAQ style format below:
Q: How do you see the vendor security questionnaire in the context of an overall vendor security risk conversation?
A: It’s a starting point. Buyers will often go back to the vendor and ask additional questions based on the responses to the questionnaire. For example, if the vendor is a SaaS provider and skipped a question about security in the software development lifecycle, the buyer is likely to ask why and dig deeper.
“Filling out the questionnaire is the first step in the process that helps to get the conversation started. If some information is missing or insufficient, it’s not a deal breaker. We want to see how a vendor responds to the questions and compare that to compliance reports written by 3rd parties.” — Mike, Teradata
Q: What’s the most important part of your vendor security questionnaire?
A: Risk-based security controls. Enterprises want to know if you have classified the data you’re managing and if you’ve implemented security controls that are appropriately protecting the data.
“What data are you handling? How risky is it? Based on that, do you have proper security controls?” — Ken, VSA
What do you do when you see the response “N/A” to questions on your vendor security questionnaire?
A: Dig in deeper. Enterprises will often ask for an explanation when a vendor responds with “not applicable” to a question in a security review. They may ask to look at supporting documentation like policy and procedures to find the answer elsewhere.
“If a vendor has a formal certification, such as an ISO27001, then they can leverage a lot of information for the security questionnaire. The additional questions start the iterative process. It’s Just the start of a dialogue.” — Todd, GoDaddy
Q: What kinds of evidence do you ask for in a vendor security process?
A: Most enterprise organizations are interested in reviewing all of your security and compliance related documentation. This may include ISO2700X, SOC1, SOC2, SOC3, PCI compliance, pen test attestation letters, etc. Different frameworks may apply depending on geography, especially for acquisitions.
“We really want to make sure that our vendors have all their ducks in a row. We require that vendors fill out the CSA CAIQ and the additional information request is pretty broad. Give us all that you have. We don’t trust one report as a source of truth.” — Mike, Teradata
Q: What criteria do you use to perform a risk assessment on a vendor?
A: Most importantly, enterprises want to determine if there a program in place. Enterprises do get mixed responses from vendors during a security assessment, and it can be obvious which vendors have a clue and which ones don’t.
“We really want to get a feel for if the company cares about security and compliance. Is there a Security program? If there is, we’re likely to find better security controls. If they do not or are just beginning that journey, there’s probably some gaps we will want to understand.” — Todd, GoDaddy
Q: How often do you walk away from a vendor because of an issue with their security assessment?
A: It definitely happens. Each of the enterprises I spoke with has turned away business with a vendor or acquisition target that didn’t meet their security standards. This is most likely to happen when a vendor has blatant gaps in their security and is not willing to do anything about them.
“63% of all breaches are from vendors. What you don’t want is a vendor product that opens up massive backdoors and pulls everything out of your network or their network.” — Ken, VSA
Q: What’s the value of a third party pen test in a vendor security review?
A: The most useful pen test is a manual pen test. A scan alone is simply not good enough. The issue with most pen tests is that pen testers have a variety of different skill sets, but what you need is high quality and a methodology like PCI’s external pen testing requirements.
“We ask to see third party pen test results all the time. It validates the statements that are made in the questionnaire.” — Mike, Teradata
Q: What are your thoughts on the various technologies available to “help” distribute and manage questionnaires?
A: It’s still a lot of work for both sides. You can use technology to send out a questionnaire but that doesn’t change the fact that it’s still pretty long and may require a lot of effort on the vendor side to complete. A big reason that it takes so much time is that there isn’t usually a single individual on the vendor side who knows all the answers, so the questions have to be passed around within an organization in order to finish all the responses.
“Over time we’ve tried to leverage a few different types of technologies and received mixed results from vendors. It’s almost always a slow moving process because it’s hard to get the right people in the room to obtain all the necessary information.” — Todd, GoDaddy
Q: What’s the Vendor Security Alliance? (VSA)
A: The Vendor Security Alliance is a coalition of companies committed to improving internet security, specifically third party risk, supply chain risk, and vendor management risk. Members share information on common vendors, including questionnaire results, auditor interview data, and summary reports. The questionnaire is free for use by any company to vet their supplier’s security practices (third party risk) free of charge.
“It’s no longer enough to embrace sound cybersecurity practices at your business alone — ensuring the companies you work with as vendors also have the most secure Internet practices is just as important. The VSA started with a group of companies concerned about third party risk getting in a room and sharing best practices. We decided to join forces.” — Ken, VSA