Question: What are some red flags to look for in a vendor security assessment?
John Bambenek, principal threat hunter at Netenrich: The problem with security assessments given to vendors is there is often no good way to verify the information. Third-party risk firms may tell you and give you insight into the general security posture of an organization, and we have far too often seen that compliance regimes are insufficient to ensure any reasonable level of security. There is also an inherent conflict when relying on third parties to certify compliance … they are being paid by the person they need to certify.
I like including security “requirements” that a vendor would either not be able to do or would not be cost-effective to implement. I use this as a check for honesty. Sales teams will, by default, tell a customer they do everything and anything even when they don’t to ensure a sale. Absent doing third-party verification or sending in an audit team, there is no way to evaluate every vendor in a cost-effective manner.
This is why I try to include a “validity check” question in the requirements where an honest vendor would tell you, no, they don’t do “X” and give you a good reason why they don’t (not cost-effective, outside a reasonable risk model, etc.). It shows you the vendor is at least reading the requirements instead of button-mashing until they get a PO. It also shows me that I can have a conversation with that vendor peer-to-peer about reasonable ways we can protect our respective organizations.
In the end, if a vendor lies to you during the sale, they’ll lie to you after the sale.