Far too many vendor onboarding processes — especially those that don’t leave room for compensating controls — feel like they are destined to be combative from the start. In the typical storyline, a tiny company is working feverishly to sell its products or services to an enterprise, and after gaining support of the “sponsor” (business decision maker), the vendor onboarding process kicks into action. The only problem? It often involves dozens-to-hundreds of nuanced cybersecurity questions that the tiny company is ill equipped to answer. And that puts in jeopardy all of the good work that the small business and the enterprise can do together — because the path to collaboration starts by running the gauntlet through the vendor onboarding process. And that process is far from guaranteed to lead to approval.
Blog Posts by Phil Leslie
Is this link safe? Given the volume of email that most of us receive every day, it’s a question that seems to come up on a pretty frequent basis. Some people even think that they have “pattern detection” capabilities that preclude the need for any technological filtering/scanning.
Here we’ll explore what parts of the “is this link safe?” question can be scrutinized by a savvy visual inspection, versus what parts of the inspection are better done by a machine (well, an algorithm).
Ever hear the famous saying about vendor risk management? “Nobody ever gets fired for hiring IBM.”
We don’t hear this saying as much as we used to a few years ago, but the concept is still a thought provoking one — especially for those of us that spend time in the vendor risk management arena. And it applies far beyond the specific company cited in the saying. Here’s why it’s worth reflecting on this saying today.
Is the password manager you’ve been using for your personal accounts, good enough to be your password management solution for business? That’s the topic before us today. This topic is courtesy of the past dozen-or-so small business owners who have asked us this question recently.
It’s a fair question. Let’s explore.
When a new vendor (maybe a small business) begins working with an enterprise, you can bet that there will be a vendor risk assessment of some form. Format-wise, it might be an Excel-based security questionnaire, a web portal, or a repurposed survey tool with customized questions. It will almost certainly involve a few clarifying conversations, revisions, evaluations, and (here’s hoping) approval.
Let’s zoom out one level above the nitty gritty of the questions that are deep in the assessment. What are the key vendor risk assessment topics that both sides should expect to discuss at some point in the process?
Normally we put all of our focus on helping small businesses with cybersecurity, but today we’re here to talk with enterprise compliance teams about their enterprise security questions. Bad news: almost all of the questions we’ve seen are broken. Good news: they are fixable. Let’s explore.
When a small business is on the cusp of closing out an enterprise sale, that is a big deal to the whole small business. It’s high stakes for them. They’d be willing to hop over just about any hurdle you ask them to. But what if there are 200 different hurdles, some of which matter a ton, others don’t matter much at all, and all of the hurdle heights are obscured. Sound hard? It is. Here’s what’s broken about enterprise security questions.
If you have a Business Continuity Plan, do you also need a Disaster Recovery Plan? If you have a Disaster Recovery Plan, do you also need a Business Continuity Plan? The distinction between these two types of plans is amongst the least understood topics that small businesses must navigate as they think about creating an environment of stability in the face of a cybersecurity incident. These plans extend beyond just cybersecurity matters, but here we’ll focus on what’s in our wheelhouse at Havoc Shield: cybersecurity.
Part of our normal new-client onboarding conversation includes the prompt “tell me about your infosec policies” — which is usually followed by either a long pause or a sigh. Why? Clients joining the Havoc Shield family are often ones that have experienced recent growth causing them to have the realization that they can no longer “get away with” do-it-yourself cybersecurity. Some have drafted rudimentary infosec policies on their own in their do-it-yourself era, some haven’t, but almost none of them are confident that they’ve got the right infosec policies in place. And that’s a source of anxiety (one that we can help with).
This blog is usually written with the small business audience in mind. We usually post about cybersecurity topics that we believe will be useful to small business owners, small business CTOs, small business IT directors, etc. Today is different. Today, we’d like to speak to the Enterprise Compliance Director audience — about their relationship with small businesses.
Many Havoc Shield clients work with a Managed Service Provider (MSP) for their broader IT needs — things like provisioning laptops, configuring telecom closet equipment, setting up VoIP phones, helping employees set up their bluetooth headset, etc. We love it when a client works with an MSP for those types of needs — it accelerates our ability to help on the cybersecurity front, with penetration tests, security awareness training, endpoint security, dark web scans, etc. The collaboration between Havoc Shield and MSPs has been great, enabling each of us to focus on what we do best.