Let’s talk about vendor security reviews. If you felt some form of unpleasant emotion just reading the phrase “vendor security review,” I understand. You and I are not so different. You have likely participated in completing at least one vendor security review in your career. During the process you may have questioned humanity, your career choice or at least whether or not your company should be doing business with the procuring organization.
It seems there are very few organizations approaching security reviews in the same fashion, leaving us customer-facing Information Security Professionals wandering a dystopian wilderness of hodge-podge approaches. Why are we so stuck on methods that only frustrate and annoy us? We need to do better.
Recently, my colleague Meghan wrote about how software buyers should move from Vendor Risk Management (VRM) to Third Party Risk Management (TPRM), highlighting the increasing obsolescence of security questionnaires and providing guidance on reducing the complexity of the process. In this article, I will focus on what software sellers can do on their end to bring some sanity to the chaos and make completing these reviews more efficient and effective.
Fair warning: since vendor security reviews involve so many functions across the business, I’ll be using organized team sports analogies throughout. But before we jump too far in, let’s align on some terminology. Vendor security reviews can vary greatly from one organization to the next, so for the sake of this blog we will define them as any number of activities a buying organization may carry out in evaluating a seller’s goods or services. This process is generally a requirement before a purchase can be made or a contract signed.
Meet the Vendor Security Team
I always think of complex business processes (the ones that involve lots of teams) as a team sport of sorts. No one group, or even a highly skilled “superstar,” can achieve the desired outcome in these processes. Rather, they tend to require close cooperation, trust and communication among team members. Vendor security reviews and related processes (contract negotiation especially) embody this analogy. A good team, and a good vendor security review process, require three key factors:
- Shared fundamental knowledge
- A strong leader
- A detailed playbook
Shared Fundamental Knowledge
Athletes engaging in team sports require some shared fundamental knowledge of the sport they are playing and the rules involved. This is actually easier done in team sports than in vendor security reviews, mostly because rules, norms and other important frameworks are locked in through sports federations or leagues.
There is currently no clear “true north” or “industry standard” for vendor security reviews. This results in too many approaches to solving a common problem. That’s why the first step towards process improvement is ensuring that our team and our organization have a baseline level of fundamental knowledge about security reviews, their purpose and the best ways of completing them for your buyers. We can then go a step further and begin promoting the transparency of this fundamental knowledge across our industry. More on this later.
For a team to succeed it’s vital that each player understand several things:
- What is the desired outcome?
- What role do they and others play in that outcome?
- How do the various teams/functions need to work together?
- Who is calling the “plays” and in what circumstances?
A team needs to be able to count on one another to perform. But a well-trained team with no clear leadership will be left frustrated and, at best, getting lucky wins. For sellers, it’s important to have a clear vision for your team that is regularly communicated and updated as business challenges and needs evolve. Leadership simply cannot oversell the vision and plan to their players.
That’s why installing a strong leader and clearly outlining the mission, vision and roles is the most effective step to exponential growth in the efficiency and effectiveness of your vendor security review process.
Your Team’s Playbook
No high-performing team operates consistently well without a game plan or playbook. Be it informal or mature, smart teams have a well-designed and well-communicated playbook. The best teams assimilate and own their playbooks, and each member feels pride in that ownership.
The importance of a playbook, or multiple playbooks, cannot be overstated, especially for complicated business processes. Sure, playbooks may take a decent investment in terms of time and energy, but be assured these investments will pay dividends.
Pro-Tip – Any good playbook will include clear instructions about handling exceptions. When a business decision needs to be made for an exception, be sure to document who makes the call and how the team should react.
Organizations that implement a playbook will significantly increase their productivity, reduce risk and notice more predictable and consistent wins while driving increased customer satisfaction. Playbooks are interesting because they get more valuable as organizations grow and accelerate. As your company gains new customers, the number of vendor security reviews will also increase. Establishing playbooks today that you can iterate on into the future is the way to go. With that said, here are some key points to keep in mind while building your playbooks.
It’s About Your Buyer
Meet Your Buyers Where They Are
Now that you have established your team, installed a strong leader and created your playbooks, it’s time to focus on the buyer. It’s crucial to understand your buyer and what is driving their requests for a vendor security review. In general, the goal of a vendor security review is to help a buyer determine how much risk, if any, they assume by procuring the service or goods and using them as intended. Aligning on these needs, so that both sides understand what is truly in play, can make a huge difference.
As an oversimplified example, let’s compare two potential vendors:
- Vendor 1 will receive files and use them to print approved marketing material for mass distribution at an upcoming conference.
- Vendor 2 is a digital media agency that will produce mock-ups for a prototype (undeveloped) mobile application that our company is considering developing.
Looking at the examples above, it’s clear that the type of data involved, as well as the potential risk posed by each, are astronomically different. Most reasonable individuals would say that applying the same requirements to both vendors is unnecessary and tedious. Nobody likes this kind of “red tape,” and it’s the worst example of “checkbox compliance.”
We must understand and align on the scope and purpose of the relationship between seller and buyer. It helps to ask: what regulatory, compliance and vendor “flow-down” requirements is your buyer trying to meet? What risks and scenarios are they really seeking to investigate? Anticipating your buyers’ needs will help you go from reactively responding to hundreds of questionnaires to a proactive and efficient process of sharing compliance information.
Build Compliance Package(s)
As a seller, we want to reduce the complexity and friction a buyer experiences in obtaining our goods. This includes the level of effort they have to exert in conducting due diligence on our product or service. Borrowing a quote from one of my favorite thought leaders in this space, “snowflakes don’t scale.” Plainly put, expending effort on customization or on creating individualized artifacts does not serve our organizations or the customer well. Our time is much better spent making more data available and broadly digestible for as many potential customers as possible.
A great starting point in empowering the buyer is to build a compliance package. This is simply a grouping of artifacts that can easily be provided to a buyer. A well-built compliance package will eliminate bottlenecks in the procurement process by removing specialized teams (Information Security, Legal, etc.) from the role of gatekeeper while empowering frontline teams (Sales, Support, etc.) to confidently provide and position these frequently requested materials.
Great examples of things to include in a compliance package include:
- Independent auditor reports (e.g., SOC 2 report, PCI Attestation of Compliance, etc.)
- Bridge letter(s) (if applicable)
- Key organizational policies (redacted versions are fine)
- Informational documents (White papers, FAQs, etc.)
- Completed industry standard questionnaires (CSA CAIQ, SIG or SIG Lite, etc.)
If we review a sample of completed vendor security reviews, common trends begin to emerge. Once identified, these common themes are great candidates for inclusion in a compliance package.
Empower and Train Your Frontline
Building a compliance package on its own is great. But the true power of a compliance package really shines when it’s deployed as a tool for frontline teams with plenty of enablement. Remember, a key piece of a great team is shared knowledge! You must ensure the applicable players are equipped with the right documentation and the confidence to support the process.
As such, be sure your compliance packages are easy to find and their existence and purpose are communicated. Frontline teams should be trained on:
- How to retrieve, position and distribute the package to customers
- How to request updates, changes and refreshes of the package
- What is included in the package, why each is important and how to best position it to customers
It’s also key that your players understand how to probe the buyer on their vendor risk review needs, why the newly built compliance packages are being offered and how they are meant to make the procurement process easier and more transparent.
Tying Everything Together
As you go out and build (or rebuild) your internal vendor security review process, remember there are two key elements: your team and your compliance package(s).
You must first ensure you have the best players, strong leadership and clear playbooks. Then you must create a compliance package and enable your frontline teammates to be proactive and transparent in providing this information. With this in place, you will be able to quickly reduce the number of customized requests from your buyers, increase efficiency in the procurement process and ensure the most accurate information is being provided to your buyers.
The last piece is to communicate and evangelize your progress. At a minimum you want to do this internally, but preferably to buyers and prospective buyers, and even better if it’s to the community at large. This will demonstrate your maturity, your commitment to providing true assurance as opposed to meeting “compliance checkboxes” and will help buyers and prospective buyers to better understand your business processes.
ZenGRC can help automate the manual process of responding to vendor security reviews. By creating a program specific to customer assurance, you’re able to assess your controls, publish the results and provide supporting artifacts to your buyers.