Ever hear the famous saying about vendor risk management?
"Nobody gets fired for hiring IBM."
We don't hear this saying as much as we used to a few years ago, but the concept is still a thought-provoking one -- especially for those of us who spend time in the vendor risk management arena. And it applies far beyond the specific company cited in the saying. Here's why it's worth reflecting on this saying today.
If you've been on either side of vendor onboarding -- as the buyer evaluating a vendor, or as the vendor selling to an enterprise -- you've almost certainly lived through a risk assessment process. Risk assessment comes in all shapes and sizes. Sometimes it's the laborious process of the buyer and seller iterating over drafts of responses to an enterprise security questionnaire. Often it's Excel-based. Often it's relayed between the parties via email.
That type of risk assessment is born out of a desire to do an explicit risk assessment. Does the vendor have an intrusion detection system? Does the vendor use endpoint security? Does the vendor limit administrative access to only a trusted few? Does the vendor agree to have physical access control (keycards / keys) on their telecom closet? Etc.
Few would say it's fun to iterate through responding to that type of questionnaire, but at least its purpose is clear: it asks specific questions whose answers add up to an evaluation of the vendor's risk profile.
If an explicit risk assessment appeals to you and sounds rational, you'll probably hate what's coming next in this post. Implicit risk assessment is the process of connecting the dots from what you already know about the vendor's reputation to some (at least mental) evaluation of the vendor's risk profile.
But whatever form it takes, it involves jumping to conclusions about the vendor from a baseline of some pre-existing fact, perception, or reputation.
As a general pattern, at Havoc Shield we see most enterprises gravitating towards explicit risk assessment. That's what we'd describe as the norm. The story we hear time and time again is one of a business executive identifying a vendor they wish to work with, and then involving the compliance and procurement teams on the final leg of the journey to run a highly structured evaluation of the vendor's risk profile. When we watch this story unfold for the millionth time, we're totally unsurprised.
However, a much smaller number of enterprises -- mostly ones that have experienced rapid growth -- find themselves still catching up to that type of relatively mature process. In those cases, we do sometimes see vendor risk management that is more philosophical in nature -- for example, a one-person compliance team that personally (mentally) evaluates the risk associated with a particular vendor. That evaluation process often has a lot to do with "Nobody ever gets fired for hiring IBM." When we talk with enterprises that have this philosophy, most have every intention of "graduating" to a more formal, structured vendor management strategy. If nothing else, because there is a business continuity risk when vendor decisions rest on the intuition of one or two people and that intuition has never been formalized into something repeatable -- should they depart unexpectedly, the process leaves with them.
Generally speaking, we would urge enterprises using this more informal vendor risk management approach to move to something more structured, documented, and repeatable.
We're a small business ourselves (Havoc Shield), so we'll be blunt. If you are the subject of a vendor risk management process that involves a lengthy security questionnaire, make it easy on the compliance team.
Instead of disagreeing with the process or disagreeing with a substantial number of the questions, knock 90%+ of them out of the park, and then, if you can, ask for some leniency on the ones that you really don't have a good way to fulfill. It builds goodwill to put the person on the other end in the good position of being able to say that you've met the vast majority of the requirements and there are just a small number of unmet items. On the ones that you can satisfy, your goal is to answer the question, only the question, and nothing but the question. If you are asked "Do you have dataflow diagrams for your solution?", your answer (if you can say it honestly) should be "Yes". Your answer should not be, "Yes, we have the attached 17 diagrams for various aspects of our system, 5 of them were updated in the past year, and the other 12 were most recently updated in 2018." That is unnecessary exposure beyond what the question asked, and it opens the door to clarifying questions.
On the remaining questions that you perhaps can't answer well (here's hoping it's under 10% of the questions), let's talk strategy. Suppose that one of the questions asks about your SOC 2 Type II status and you are not yet finished with your audit. Gracefully respond with the list of compensating controls that you've implemented to ensure that your audit will (when it occurs) go smoothly. By taking this approach, you are giving the compliance person on the other side a fair path forward where they can advocate on your behalf even if you don't perfectly or exactly satisfy the question at hand. Compensating controls are the name of the game in those situations.
Vendors, and the enterprises buying from them, need to be aware that vendor risk management comes in all kinds of shapes and sizes. A small amount of contextual awareness goes a long way in understanding how to navigate the process. After all, both sides will fundamentally be better off when they successfully conclude the process and are able to proceed with the underlying business dealing that led the two parties together in the first place.
Have a particular vendor risk management challenge that you need a hand thinking through? Get in touch with us here, we'll be glad to talk it over.