Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

3/6/2019
02:30 PM
Kelly White
Kelly White
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
100%
0%

It's Time to Rethink Your Vendor Questionnaire

To get the most from a vendor management program you must trust, then verify. These six best practices are a good place to begin.

Questionnaires are a vital part of understanding how your vendors manage cybersecurity risk; they'll help you understand the investments your vendors have made for positive risk outcomes across people, processes, and technology. They're especially useful because, frankly, there are some questions you can't get answers to unless you ask.

Yet as valuable as questionnaires are for assessing third-party risk, they have shortcomings. Here are best practices that can enhance your third-party risk program and get the most value from your vendor questionnaire process.

Challenge #1: Longer questionnaires mean greater costs.
The length of a questionnaire has financial implications. For example, according to a study by RiskRecon, each additional security assessment question can cost anywhere from $11.62 to $34 — that's a huge range. (The range is due to economies of scale related to asking questions. The more questions you ask, the lower the cost to add an additional question to the questionnaire.) Add another $10,000 if you conduct an on-site visit. Long questionnaires can also take a long time for the vendor to answer, which can slow down your business.

Best Practices: 
Know the scope of what you're asking.

  • Only ask questions you need answered. Don't ask questions that are irrelevant to the relationship you have with your vendor.
  • Understand whether a standards-based questionnaire is right for your organization or whether you need to develop a custom one.

Challenge #2: Questionnaires don't always show you reality.
Your vendors don't know what they don't know, and neither do you! That's a problem because you trust your vendors to give accurate answers — not just best guesses. Questionnaires are inherently biased because they're answered by the enterprise being assessed, so you'll never receive fully objective answers.

Best Practices: 
Trust, but verify.

  • Require your vendors to provide objective evidence of information security performance. This can include reports of independent network and web application security assessments.
  • Leverage cybersecurity risk ratings data to gain objective verification of a large swath of the assessment criteria. In our experience, risk ratings data can objectively verify between 25% and 55% of assessment questions. For example, a common assessment question is "Do you encrypt email communications?" Cybersecurity risk rating providers can discover the vendor's email servers and check to see if it implements email encryption through STARTTLS.
  • Use open source intelligence — providers can describe the quality of your vendors' cybersecurity based on passive observation.

Challenge #3: Questionnaires are typically administered at a fixed frequency.
The classic approach to assessing third parties is to divide vendors into inherent risk tiers (high, medium, low, etc.) and then establish a fixed frequency administration schedule. The problem here is that you're allocating risk resources without regard to risk: Vendors managing risk well are allocated the same assessment resources as vendors that are managing poorly.

The frequency of questionnaires should instead be based on known vendor performance.

Best Practices:
Instead of assessing vendors at the same frequency (for example, all high-risk vendors annually), make the assessment frequency part of your assessment strategy.

  • Determine assessment frequency based on residual risk rather than inherent risk.
  • Continually monitor your vendors' ratings and adjust your assessment schedules accordingly.
  • Establish the best frequency for your objectives.

Challenge #4: Questionnaires are generic, but your vendors aren't.
If you want to get the most out of a questionnaire, make sure you ask the right questions based on your relationship with the vendor. The idea is to shape the questionnaire to the risk context that you're analyzing. Not every question will apply to every vendor; more importantly, you'll want to ask some vendors additional questions that won't apply to others.

Best Practices:
Know your vendor, then shape the questionnaire accordingly.

  • Use the questionnaire to target the data you're most interested in; don't waste time gathering information you already have.

Challenge #5: Questionnaire-based assessments are infrequent.
Because questionnaires have to be administered by a person in your company and responded to by a person in the other company, it takes time to complete the entire process. In the meantime, entire digital ecosystems can emerge and change. New vulnerabilities can arise.

Best Practices:
Use cyber-risk ratings — they'll tell you if vulnerability management performance is degrading, if your vendor has systems behaving maliciously on the Internet, and reveal a host of other issues.

  • Don't only rely on a vendor questionnaire; make a cybersecurity risk rating platform an integral part of your third-party vendor security investigation.

Challenge #6: Know which questions to ask.
Even if the vendor knows everything there is to know about its security (which never happens), the onus is on you to ask the correct questions. Let's say you want to know if your vendor is managing all of your assets. Consider two questions: Do you track systems in a configuration management database? How do you ensure that you have a complete inventory of all of your systems? The first question will tell you that it bought some software that's helpful for managing assets but says shows nothing about whether or not it's tracking all of their its assets. However, the second question forces the vendor to reveal its strategy.

Best Practices:
Craft the question after determining what you want to discover in the answer.

  • Never ask yes/no questions unless they're very specific. (For instance, "Do you have a CISO responsible for all security aspects of protecting my relationship with you as a critical vendor?")
  • Ask for details on processes, not just software purchases

Questionnaires are useful in finding out what vendors have invested in across people, processes, and technology. Still, using questionnaires effectively can be challenging. With some strategic thought and planning, you can get the data you need for good risk outcomes.

  • Know the scope of what you're asking.
  • Trust, but verify.
  • Instead of assessing vendors at the same frequency (such as all high-risk vendors assessed annually), make the assessment frequency part of your assessment strategy.
  • Know your vendor, then shape the questionnaire accordingly.
  • Craft the question after determining what you want to discover in the answer.

Related Content:

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Kelly White is the CEO and co-founder of RiskRecon where he is transforming third-party cyber risk management. Kelly has held various enterprise security roles, including CISO and Director of Information Security for financial services companies. Kelly was also a practice ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
Why Cyber-Risk Is a C-Suite Issue
Marc Wilczek, Digital Strategist & CIO Advisor,  11/12/2019
Unreasonable Security Best Practices vs. Good Risk Management
Jack Freund, Director, Risk Science at RiskLens,  11/13/2019
6 Small-Business Password Managers
Curtis Franklin Jr., Senior Editor at Dark Reading,  11/8/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-18980
PUBLISHED: 2019-11-14
On Signify Philips Taolight Smart Wi-Fi Wiz Connected LED Bulb 9290022656 devices, an unprotected API lets remote users control the bulb's operation. Anyone can turn the bulb on or off, or change its color or brightness remotely. There is no authentication or encryption to use the control API. The o...
CVE-2019-17391
PUBLISHED: 2019-11-14
An issue was discovered in the Espressif ESP32 mask ROM code 2016-06-08 0 through 2. Lack of anti-glitch mitigations in the first stage bootloader of the ESP32 chip allows an attacker (with physical access to the device) to read the contents of read-protected eFuses, such as flash encryption and sec...
CVE-2019-18651
PUBLISHED: 2019-11-14
A cross-site request forgery (CSRF) vulnerability in 3xLogic Infinias Access Control through 6.6.9586.0 allows remote attackers to execute malicious and unauthorized actions (e.g., delete application users) by sending a crafted HTML document to a user that the website trusts. The user needs to have ...
CVE-2019-18978
PUBLISHED: 2019-11-14
An issue was discovered in the rack-cors (aka Rack CORS Middleware) gem before 1.0.4 for Ruby. It allows ../ directory traversal to access private resources because resource matching does not ensure that pathnames are in a canonical format.
CVE-2019-14678
PUBLISHED: 2019-11-14
SAS XML Mapper 9.45 has an XML External Entity (XXE) vulnerability that can be leveraged by malicious attackers in multiple ways. Examples are Local File Reading, Out Of Band File Exfiltration, Server Side Request Forgery, and/or Potential Denial of Service attacks. This vulnerability also affects t...