Vendor Security Questionnaires: The Buyer’s Perspective
This post is a follow-up to a previous article on the subject, How to Survive a Vendor Security Questionnaire. In that article, I interviewed 3 security experts who are the go-to people at each of their SaaS companies for completing these questionnaires and getting past the critical security review stage of procurement to close important deals with enterprise clients.
From a vendor perspective it might seem as though it’s “easier” to be on the buyer side, but managing vendor security risk (especially at scale) has its own unique challenges:
- Security and the business may have different priorities and timelines. Often security is not included in a vendor evaluation and procurement process until a final decision has already been made. It takes a lot of organizational maturity to get to the point where questions about appropriate data handling make it to the beginning of the purchasing funnel.
- Time and budgets are limited. Every buyer organization is going to have a limited number of people dedicated to working on vendor security risk (whether that’s 25% of one person’s time or a team of 4 full time staff). If a single purchasing decision involves 6 different vendor options, the number of vendors to review at an enterprise organization can be large and at times seem overwhelming.
- Failing to appropriately manage vendor security risk has consequences. GDPR is coming in 2018 and the financial consequences for an organization that has not done their due diligence are significant. Under GDPR when a security breach occurs, vendor security is one of the specific focus areas for investigation.
For today’s article, I interviewed 3 security practitioners who are the go-to people at each of their enterprise companies for managing vendor security risk.
Here’s what they had to say.
#1. It’s all about risk
GoDaddy is the world’s largest domain name registrar and web hosting company. As GoDaddy’s Chief Information Security Officer, Todd Redfoot leads his team of global security professionals devoted to keeping its 17 million customers and over 7,000 employees safe from data breaches, privacy concerns and more.
“It’s truly a risk conversation. We have to understand the risk to the business when introducing new partners. We leverage multiple tools for this due diligence — a questionnaire is one of these tools. Once we understand these risks, we can then manage it together, as we may find that no one partner is perfect.” — Todd, GoDaddy
#2. Consider many sources of truth
Teradata is the world’s leading provider of business analytics solutions, data and analytics solutions, and hybrid cloud products and services. As an Application Security Analyst for Teradata’s IntelliCloud Product Security Team, Michael Rodriguez applies his blue team mindset to supply chain security for cloud platforms.
“We don’t trust one report as a source of truth. Especially since compliance reports are written by third parties, it can be interesting to see how those differ from responses to a questionnaire. Third party pen test results can help to validate assumptions that are made in the questionnaire.” — Mike, Teradata
#3. Vendor security is cumbersome, yet crucial
Uber is a global transportation technology company that develops, markets, and operates the Uber car transportation and food delivery mobile apps. Recent Head of Compliance for Uber, Dr. Ken Baylor is also the President and Founder of the Vendor Security Alliance. He created the VSA to address one of the biggest problems in InfoSec, managing 3rd party vendors.
“I created the Vendor Security Alliance to address one of the biggest problems in InfoSec, managing 3rd party vendors. Ask any business in Silicon Valley and they’ll tell you measuring and mitigating vendor risk is as cumbersome as it is crucial. Everyone had an opinion, so we gathered the experts to create a baseline for all to use.” — Ken, VSA
Frequently Asked Questions
I’ve compiled the advice I received from these three experts and put it into an FAQ. Check it out here and read their answers to the following questions:
Q: What’s the most important part of your vendor security questionnaire?
Q: What kinds of evidence do you ask for in a vendor security process?
Q: What criteria do you use to perform a risk assessment on a vendor?
Q: How often do you walk away from a vendor because of an issue with their security assessment?
Q: What’s the value of a third party pen test in a vendor security review?
Q: What’s the Vendor Security Alliance (VSA)?
What’s your perspective on vendor security questionnaires? Leave a comment below.
Excellent post, Caroline Wong! I am in consent with you on the points below: Every business will have a combination of different software environments and specific security needs. To determine which security testing methodology (or combination of methodologies) would be the best fit for a given scenario, the four categories described above can be evaluated using three key factors: 1. Scalability, 2. Coverage, 3. Ease of use. Your specific testing goals should drive the prioritization of these factors. An organization that needs to pass PCI compliance or a vendor security assessment may prioritize these factors differently than an organization with an agile testing process or one that is focused on training developer teams in application security.
Caroline Wong, thanks for the expanded information. I would like a follow-up on "manual" vs. "scanning", as companies like Veracode, Qualys and SonarQube offer various scanning at the dynamic and static code levels that reveal many issues that manual site testing cannot due to time constraints. It seems "all of the above" is best, but not sustainable.
Great job Caroline Wong, CISSP. I have been going onsite and doing actual security reviews/audits of suppliers for the last ~17 years, around the world, for my small organization. 1. Questionnaires have value, but I have found they are only a small GLIMPSE into the maturity of the organization. I have learned that the answers are either what they want you to HEAR (and hope you won't challenge them) or what they BELIEVE about their security capabilities. Both are scary, and both have been 100% inaccurate in 100% of my onsite reviews. 2. I think a security department needs to invest in getting a Seat-At-The-Supply-Chain-Table. Many security organizations don't want to invest in supply chain experts and in sitting on phone calls and at vendor locations 8 (ok, 12) hours a day. 3. When I go onsite, I don't have the filled-out questionnaire on the desk, and I make it a point to never look at their binder of policies; it drives the suppliers nuts. Final thought: invest in the seat at the table, invest in GREAT interviewing skills, go make a few suppliers' lives miserable. Trust me, they will thank you... then you approve them as an authorized supplier.
Helpful, thank you Caroline Wong, CISSP
Great post Caroline Wong, CISSP. In fact, I would say that companies involving themselves in gauging vendor risk in the market cohesively, through initiatives like the VSA, is a way of spreading joint awareness. It would be interesting to know if this can be applied to banking vendors too. Thanks!