New to Vendor Security Assessments? 5 Common Missteps to Avoid
Formalize vendor security assessments and save time with standardized, appropriately targeted questionnaires.
March 30, 2023
By Corey Nachreiner
Corey Nachreiner
Trust is hard to earn and easy to lose. Software vendors have learned this lesson the hard way over the last few years, as their products have become the target of increasingly frequent and damaging digital supply chain attacks.
The SolarWinds breach is a fitting example. A network breach gave threat actors privileged access to SolarWinds’ source code repositories and build systems, allowing criminals to introduce a backdoor Trojan into the official installer package for Orion (a popular network monitoring product). SolarWinds’ problem then became a problem for thousands of its customers. The SolarWinds incident is just one of many, which is why third-party risk management (TPRM) and vendor validation have become important parts of most buyers’ purchasing decisions.
TPRM is the practice of assessing the risk of any external product, service or contractor to which you offer privileged access. A key aspect of this includes a vendor security validation, where you validate the security of both the product or service itself and the security practices of the vendor that provides it. Any product that touches the core of your network should pass a formal TPRM process before you buy it.
However, there are good and bad ways to run this process. For those new to it, it’s important to understand that it will take time and effort — from you and the outside vendor. Doing it inefficiently can waste money and, if you impose unnecessary burdens on them, negatively impact relationships with your business partners. So how can you do it right? Below, we’ll cover common missteps and ways to make the process more efficient for everyone involved.
Vendor Validation Missteps and Pitfalls
While it might include some research (yours and the third party’s), the core act of vendor validation is a survey or questionnaire that asks the vendor about its product or service and organizational security practices. While it sounds simple, there are several common pitfalls:
Reinventing the wheel — This is common for companies conducting a vendor validation process for the first time. The CISO thinks, “OK, I need to ask the vendor about their security practices and I’m a security professional, so I’ll write the questions myself.” The ambition is admirable, but don’t waste your time. Use a standard questionnaire. There are many standardized security-validation questionnaires available — including some I’ll share later — for many levels of assessment that are designed to save everyone’s time. You can even get TPRM products that track and document your vendor validation process, including automating aspects of both the security questionnaire submission and responses. If a standardized questionnaire doesn’t include specialized questions for your industry vertical, you can add these.
Asking too few questions — Don’t be afraid to learn what you need to know. Depending on the nature of the product or service you’re considering and how much of your sensitive data or privileged access it needs, be comfortable asking anything relevant to ensure the outside vendor will protect your organization’s interests. This may seem paradoxical with the next misstep, but it’s important to learn everything you need to understand about how this vendor protects your assets from risk.
Asking too many questions — However, don’t ask every single security question in every single domain just for the sake of it. Many of the standardized security-validation questionnaires have various levels of questions depending on the nature of the risk introduced with the partner. They can range from those with 100 questions to ones with over a thousand that ask about every aspect of a company’s infosec program and require responses from busy CISOs, IT departments and engineering. Remember, answering these questions requires your partners’ time and money. So, before you send that exhaustive questionnaire, ask yourself if the answers are really worth the burden you’re imposing.
Ignoring organizational security certifications — Many companies, especially security vendors, realize you’re concerned with security and that they need to earn your trust. That’s why they invest significantly into organizational security certifications such as ISO/IEC 27001 or SOC 1, 2, or 3. To keep these certifications every year, these organizations go through extensive third-party audits to ensure they follow the security practices required. Most of the basic security practice questions found in vendor-validation questionnaires are the practices required to earn ISO 27001 or SOC 2 certifications. It’s a waste of time to ask those questions of companies that have already earned those certs and do annual audits to prove they follow those practices. That’s not to say you don’t ask other questions of those vendors. Be sure to check the scope included in their certification to ensure it covers the products and services you intend to use. At the very least, these certifications should greatly reduce the number of survey questions you need to ask.
Lack of process and automation — Finally, when sending a standardized questionnaire to your prospective partners, standardization should help you automate the process. There are TPRM tools and products that will automate survey sending and make it a quick and easy online process for your respondents. Why send a big Excel spreadsheet when these services provide an easy online form? You can also automate some of the “grading” and reduce time spent reviewing the results. If you’re still sticking with a custom, 1,000-question Excel spreadsheet, going through the answers will be a big time sink for you, too.
TPRM and Vendor Validation Best Practices
Understanding the above TPRM missteps can help you build effective best practices.
For instance, rather than writing your own questions, try …
… standard questionnaires such as the Shared Assessment’s Standardized Information Gathering (SIG) questionnaire or CSA’s Consensus Assessments Initiative Questionnaire (CAIQ). There are also scaled-down versions of these standard surveys for smaller engagements with third parties.
Before determining the appropriate security questionnaire to send partners, conduct due diligence to assess the risk of the product or project you’re considering with them. How much of your data, if any, will the third party have access to? Does it include personally identifying information (PII) for your customer or employees, sensitive corporate data or public data? Will you have to install any part of the product or service into your own private infrastructure? If so, what level of privileged network and user access is required? Questions like these will help you understand the security risks that this third party’s products or services might pose to your organization. For more basic integrations, consider sending a shorter, more basic questionnaire.
Finally, invest in tools or services to help automate, track and audit your TPRM process. There are many that deliver these capabilities and help manage other aspects of trust, such as GDPR and CCPA compliance. Using these tools will help accelerate the vendor-validation process and offer a more sophisticated level of tracking and process auditing.
Verify Trust Efficiently
In this day of digital supply chain attacks, vendor security validation and third-party risk management is crucial, and all companies should consider it. But doing it poorly can waste time for you and your partner. By investing more effort into formalizing your process using the available standards, and considering TPRM tools to enhance your process, you can make this vital security process much quicker and easier for all involved.
Corey Nachreiner is the chief security officer of WatchGuard Technologies. Recognized as a thought leader in IT security, Nachreiner spearheads WatchGuard’s technology and security vision and direction. He is a speaker at forums such as Gartner, Infosec and RSA and is a regular contributor to publications including CNET, Dark Reading, Forbes, Help Net Security and more. Find him on www.secplicity.org. You may follow him on LinkedIn or @watchguard on Twitter.
You May Also Like