May 30, 2019

The Ominous Vendor Security Questionnaire

Has your organization implemented a process to evaluate the cybersecurity posture of its vendors and suppliers? Or perhaps your customers require you to complete their questionnaires? Most would agree that the process is painful. The goal of the evaluation is to ensure that vendors and partners practice sound cybersecurity, because data flowing through the supply chain is only as secure as its weakest link.

Those who are involved in either of these processes know that a significant amount of time is consumed creating, answering and evaluating questionnaires. Without standard questions or alignment to the business services actually provided, the first challenge is determining whether the right questions are even being asked. I have seen questionnaires ranging from 10 questions to over 200; answering a 200-question evaluation gets frustrating, especially when it is repeated annually. Next, the reviewer must judge the accuracy and validity of the answers, usually without any evidence to support them, and turn that judgement into a cybersecurity maturity score.

I am not suggesting that questionnaires are not valuable, but there may be a better way. Most companies exchange Excel or Word documents and then manually evaluate and score the vendor based on the responses, a manual and time-consuming process. Solutions are available which break the process into two components:

  1. Automate the questionnaire process online
  • Customized questionnaires can be created and posted securely online.
  • The system tracks vendor activity to ensure that questionnaires are actually completed.
  • Risk, priority and severity can be pre-defined per question so that scoring is automated and consistent.
  • Use pre-canned questions to save time, or write your own for an industry or service focus.
  2. Perform an independent evaluation (similar to an external vulnerability assessment) and generate a cybersecurity maturity score
  • Scores are generated from what an attacker can observe from the Internet, so the evaluation can be used to validate questionnaire answers about externally visible controls; claims about internal practices still need other evidence.
  • This evaluation can be performed on an ongoing basis for your own organization and for anyone in the supply chain, to ensure that you and your vendors are both practicing sound cybersecurity.
  • Many of the solutions also provide recommendations on how to improve the score and tighten security practices.
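To make the two components concrete, here is an added example (not code from the original post or from any vendor's product) of how pre-defined severity weights can drive automated scoring, and how findings from an external evaluation can be used to reject self-attested "yes" answers they contradict. The questions, severity weights, answer set and finding tags are all constructed for illustration; the `contradicted_by` mapping is a hypothetical way of linking a question to the external observation that would disprove it.

```python
"""Weighted questionnaire scoring with cross-checks against external findings.

Added example with a hypothetical scoring model; not any product's algorithm.
"""
from dataclasses import dataclass
from typing import Iterable, List, Mapping, Optional

# Assumed severity weights; a real programme would tune these per service.
SEVERITY_WEIGHT = {"low": 1, "medium": 3, "high": 5}


@dataclass(frozen=True)
class Question:
    qid: str
    text: str
    severity: str                          # key into SEVERITY_WEIGHT
    contradicted_by: Optional[str] = None  # external finding tag that disproves a "yes"


@dataclass
class ScoreResult:
    score: float              # 0..100, weighted share of accepted "yes" answers
    earned: int
    total: int
    contradictions: List[str]  # qids answered "yes" but disproved by external evidence
    unanswered: List[str]      # qids with no answer; scored as "no"


# Constructed questionnaire (hypothetical questions, not from any standard).
QUESTIONS = [
    Question("q1", "Remote admin access (RDP/SSH) is not exposed to the Internet", "high", "rdp_exposed"),
    Question("q2", "TLS 1.0/1.1 are disabled on all public-facing services", "medium", "tls_legacy_enabled"),
    Question("q3", "SPF and DMARC records are published for all mail domains", "medium", "dmarc_missing"),
    Question("q4", "An independent penetration test is performed at least annually", "high"),
    Question("q5", "All staff complete security awareness training annually", "low"),
]

# Constructed vendor responses (q5 left unanswered on purpose).
SAMPLE_ANSWERS = {"q1": "Yes", "q2": "yes", "q3": "no", "q4": "yes"}
# Constructed tags standing in for what an external, Internet-facing scan observed.
SAMPLE_FINDINGS = {"tls_legacy_enabled"}


def score_questionnaire(questions: Iterable[Question],
                        answers: Mapping[str, str],
                        external_findings: Iterable[str]) -> ScoreResult:
    """Sum the weights of credible "yes" answers and express them as a percentage.

    A "yes" is credible only if no external finding contradicts it; unanswered
    questions earn nothing, so the vendor cannot improve its score by skipping them.
    """
    findings = set(external_findings)
    earned = total = 0
    contradictions: List[str] = []
    unanswered: List[str] = []
    for q in questions:
        weight = SEVERITY_WEIGHT[q.severity]
        total += weight
        raw = answers.get(q.qid)
        if raw is None or not raw.strip():
            unanswered.append(q.qid)
            continue
        answer = raw.strip().lower()
        if answer not in ("yes", "no"):
            raise ValueError(f"{q.qid}: answer must be yes/no, got {raw!r}")
        if answer == "no":
            continue
        # Reject the claim when the external evaluation saw the opposite.
        if q.contradicted_by and q.contradicted_by in findings:
            contradictions.append(q.qid)
            continue
        earned += weight
    score = 100.0 * earned / total if total else 0.0
    return ScoreResult(round(score, 1), earned, total, contradictions, unanswered)


if __name__ == "__main__":
    result = score_questionnaire(QUESTIONS, SAMPLE_ANSWERS, SAMPLE_FINDINGS)
    print(f"maturity score: {result.score} ({result.earned}/{result.total})")
    print("contradicted by external findings:", result.contradictions)
    print("unanswered:", result.unanswered)
```

With the constructed data the vendor claims TLS 1.0/1.1 are disabled while the external scan still sees legacy TLS, so q2 earns nothing and is reported as a contradiction for follow-up; q4, which no external scan can confirm, is accepted at face value, which is exactly the gap that still needs supporting evidence.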

Together, the two components help you understand the posture of your company and its partners and ensure that shared data is secure. The independent evaluation and score provide real-world validity and a KPI that tracks improvement over time. Whether your organization is considering a questionnaire process or has already implemented one, there is a more effective approach.
