Let’s cut to the chase: if you had but a fleeting opportunity to ask three pivotal questions prior to hiring a brand spanking new supplier that you plan to trust with your most sensitive details, they would be these:
- If they are as secure as they claim, do they have an independent audit report, produced by certified professionals, that covers all the security and privacy aspects that matter?
- Who owns the company? Is it a private equity group or a highly regulated enterprise? Has it changed hands in the past few years? When a merger takes place, does your data go along with it?
- How much cyber insurance does the company carry? If your company’s operations and reputation can be impacted by a failure or breach of this vendor’s systems, then the coverage should reflect the amount of the potential loss.
Best practices, security policies and even the location of the data are of secondary importance. What matters, especially when it comes to cloud services, is accountability. And accountability is demonstrated through transparency.
Does the vendor monitor its own systems and let you have visibility into their key detective controls? Do they only have a contractual clause that offers to let you know when something goes wrong, or do you have direct access to logs and notifications that offer adequate assurance of protection, compliance and … competence?
Hanlon’s Philosophical Razor: Never attribute to malice that which can be more easily explained by incompetence.
Even if you agree with this admittedly streamlined approach to vendor due diligence, hindsight is still 20/20, so let’s look at the warning signs that an organization might have looked for, prior to selecting a reputable purveyor of password management solutions:
- Is there more noise than signal? Does a name come up a lot in paid ads, sponsored videos and promotional articles without a commensurate amount of evidence to back up the marketing claims? Just how independent are the big-name studies that you are able to locate?
- Is there more than a hint of unauthorized or unethical data collection? Does this vendor force users to receive spam in order to use their service (opt-out)? Are there any detectable shenanigans in the unsubscribe process? Are there built-in trackers in their technology?
- Is the product independently audited, or does the assessment apply to a collection of brands, the company as a whole, or a particular subset of these? Pay particular attention to the scope and frequency of audits.
- Has it suffered from past data breaches? In some cases, cybersecurity incidents are opportunities for companies to learn from past mistakes. In others, they are signs that it should be retired altogether. In most cases, the way previous security issues were (mis)handled is simply an indication of things to come.
- Perhaps the most important thing I would want to look at is simply who owns the company and how many times it has changed hands in the past few years. Is it controlled by private interests? Does it have a notorious reputation?
Every vendor, especially cloud service providers, represents a potentially enormous operational, financial and reputational risk to your organization. Never be quick to accept marketing rhetoric and superficial claims. Do your own research. Reach out to the company and challenge their stance.
The final question to ask yourself, after you have taken into consideration the vendor’s willingness to accept accountability and your organization’s own appetite for risk, is this:
Is it worth it?
In the case of the beleaguered password manager, members of the media and industry professionals (at least those who understand the catastrophic severity of the problem) appear to finally be speaking with one voice: No.
For your next vendor risk assessment, remember to ask the 5 fundamental questions:
- how is data protected?
- who owns the company?
- what independent evidence exists?
- when did the company act on a previous incident?
- where, in the signed agreement, is accountability covered?
The importance of a secure vendor relationship is not limited to one service provider. It can affect an entire supply chain and victimize companies that may not have the means or the visibility to perform their own due diligence.