Vendor Security Assessments are slooooow to change. If there is one part of a large enterprise that has a thankless job, it's the IT compliance team that is charged with creating, revising, and reviewing vendor security assessment processes and forms. Make it too difficult, and business sponsors (buyers) across the company get upset that it takes too long to onboard their favorite new vendor. Make it too easy, and the enterprise takes on headline-grabbing cybersecurity risk that has wide-reaching regulatory and reputational impact.
So, in the face of these opposing pressures, what happens to an enterprise's vendor security assessment forms and questionnaires over time? In our observation, almost nothing. You heard that correctly: the vendor security assessment that a particular enterprise had in place 12 months ago is almost certainly the one it has in place today.
Is it bad if an enterprise doesn't adapt its vendor security assessments to emerging trends, asking tougher questions about new cybersecurity risks and easing off questions that are no longer relevant?
Yes, it's bad for "both sides":
So, we hate to see it when an enterprise keeps using the same vendor security assessment form that they've been using for many years.
Here are six of the worst mistakes we see enterprises make when they use a stale set of questions in these types of assessments:
We talk with small businesses (often founder-led teams) every day, and without fail, they run into security questions about "their data center": everything from fire safety to access control to power redundancy.
And yet, we haven't met a founder-led team that actually has a data center at all: they all use AWS, Google Cloud, or Azure. And that's a good thing. (Do you really want small businesses operating their own data center?)
We think the smarter move for enterprises would be to ask whether the vendor is using an "approved" professionally-managed hosting provider (with a list that includes AWS, Google Cloud, and Azure). If they are, you can bet that the SOC 2 reports for those providers cover the physical and environmental controls in far more depth than a questionnaire ever will. The caveat worth building into the form: those reports cover the provider's facilities and underlying infrastructure, not how the vendor configures what it runs on top of them, so the useful follow-up questions are about the vendor's own account and workload hygiene (who has access to the cloud console, whether data is encrypted, how backups are handled), not about generators and fire suppression.
If the vendor isn't using a professionally-managed hosting provider, the enterprise has much bigger problems than worrying about a power redundancy plan.
Want to totally detach from reality? We're still seeing vendor security assessments that (in their premise) imply that remote work is not acceptable or allowed. A paraphrased example: "How do you ensure that no company-owned devices are taken off-site from company-managed offices?"
Yes, this really gets asked. It would be comical if it didn't put the vendor in the odd position of having to explain, first, that they have a remote-first team; second, that company-owned devices are therefore off-site by design; and third, what specific steps (device encryption, endpoint management, MFA, and the like) they've taken to make that safe. A better question asks directly about the last part instead of assuming the first two away.
We're seeing a pattern where legacy vendor security assessments include presumptive questions about background checks. Anyone who has had even a brief conversation with a lawyer specializing in employment law knows that there is a growing variety of state-specific nuances to what is (and isn't) allowed in a background check process. We're absolutely fine with vendor security assessments that ask vendors to describe their background check policy, but we think it's foolish for enterprises to ask leading questions about particular (presumably desired?) characteristics of those checks, given the variation in what vendors are legally allowed to do in their jurisdictions.
Do you think employees ever check their personal email on a work device? Or make a quick online purchase from the convenience of their work laptop? It's hard to imagine that they don't.
So, while we're delighted that more and more enterprises are asking for Acceptable Use Policies as part of their vendor security assessments, we loathe some of the more detailed questions we sometimes see that presume there is never a situation where a work device may be used for even the most trivial and benign personal task. That's not reality, and it signals to vendors that they are going to be asked questions that are out of touch with reality, putting them in a very awkward spot: either answer dishonestly or explain at length why the question's premise is wrong.
If a vendor has a physical office/presence, the enterprise absolutely should ask questions about physical security measures. But, much more often we see a one-size fits all approach that assumes that the vendor has a significant physical presence. We all-too-often see questions like this one: "Do your data security policies cover physical access controls (such as keycards) and monitoring (such as entry/exit logging and video monitoring)?"
More often than not, this type of question is followed by several other questions that are presumptive about the vendor having a bustling, central, physical headquarters.
What we'd rather see is a screening question up front that determines whether the vendor does or doesn't have a physical headquarters; if they don't, a way to readily skip that section (and preferably, to then ask them more detailed questions about remote work instead).
We've mostly covered questions that vendor security assessments are asking that perhaps they shouldn't. We can't resist taking a bit of latitude with this final item, though. It's about a huge topic that enterprises should be raising and are neglecting to raise.
Specifically, only 5% of the vendor security assessments that we see ask anything about the vendor's approach to staying safe from ransomware. You know, things like anti-malware protections, employee training, DNS filtering, and (for recovery) backups that are kept offline and actually tested for restore, most of which are readily available to Havoc Shield customers. We can't understand why a threat as pervasive as ransomware shows up in only a small fraction of vendor security assessments, and we hope that changes soon.