
What Are Some Red Flags in a Vendor Security Assessment?

The last thing you want is a vendor that lies to you about its security practices.

John Bambenek, Principal Threat Hunter, Netenrich

October 7, 2021


Question: What are some red flags to look for in a vendor security assessment?

John Bambenek, principal threat hunter at Netenrich: The problem with security assessments given to vendors is that there is often no good way to verify the information. Third-party risk firms may tell you and give you insight into the general security posture of an organization, and we have far too often seen that compliance regimes are insufficient to ensure any reasonable level of security. There is also an inherent conflict when relying on third parties to certify compliance … they are being paid by the person they need to certify.

I like including security “requirements” that a vendor would either not be able to do or would not be cost-effective to implement. I use this as a check for honesty. Sales teams will, by default, tell a customer they do everything and anything even when they don’t to ensure a sale. Absent doing third-party verification or sending in an audit team, there is no way to evaluate every vendor in a cost-effective manner.

This is why I try to include a “validity check” question in the requirements where an honest vendor would tell you, no, they don’t do “X” and give you a good reason why they don’t (not cost-effective, outside a reasonable risk model, etc.). It shows you the vendor is at least reading the requirements instead of button-mashing until they get a PO. It also shows me that I can have a conversation with that vendor peer-to-peer about reasonable ways we can protect our respective organizations.

In the end, if a vendor lies to you during the sale, they’ll lie to you after the sale.

About the Author(s)

John Bambenek

Principal Threat Hunter, Netenrich

John Bambenek is the Principal Threat Hunter at Netenrich. He is an internationally known cybersecurity expert, a Lecturer in the Department of Computer Science at the University of Illinois at Urbana-Champaign, and a handler with the SANS Internet Storm Center. Bambenek has more than 20 years' experience in information security and leads several international investigative efforts tracking cybercriminals, some of which have led to high-profile arrests and legal action. He specializes in disruptive activities designed to greatly diminish the effectiveness of online criminal operations. He produces some of the largest bodies of open-source intelligence used by thousands of entities across the world.
