To get the most from a vendor management program you must trust, then verify. These six best practices are a good place to begin.
Questionnaires are a vital part of understanding how your vendors manage cybersecurity risk; they'll help you understand the investments your vendors have made for positive risk outcomes across people, processes, and technology. They're especially useful because, frankly, there are some questions you can't get answers to unless you ask.
Yet as valuable as questionnaires are for assessing third-party risk, they have shortcomings. Here are best practices that can enhance your third-party risk program and get the most value from your vendor questionnaire process.
Challenge #1: Longer questionnaires mean greater costs.
The length of a questionnaire has financial implications. For example, according to a study by RiskRecon, each additional security assessment question can cost anywhere from $11.62 to $34 — that's a huge range. (The range is due to economies of scale related to asking questions. The more questions you ask, the lower the cost to add an additional question to the questionnaire.) Add another $10,000 if you conduct an on-site visit. Long questionnaires can also take a long time for the vendor to answer, which can slow down your business.
Know the scope of what you're asking.
- Only ask questions you need answered. Don't ask questions that are irrelevant to the relationship you have with your vendor.
- Understand whether a standards-based questionnaire is right for your organization or whether you need to develop a custom one.
Challenge #2: Questionnaires don't always show you reality.
Your vendors don't know what they don't know, and neither do you! That's a problem because you trust your vendors to give accurate answers — not just best guesses. Questionnaires are inherently biased because they're answered by the enterprise being assessed, so you'll never receive fully objective answers.
Trust, but verify.
- Require your vendors to provide objective evidence of information security performance. This can include reports of independent network and web application security assessments.
- Leverage cybersecurity risk ratings data to gain objective verification of a large swath of the assessment criteria. In our experience, risk ratings data can objectively verify between 25% and 55% of assessment questions. For example, a common assessment question is "Do you encrypt email communications?" Cybersecurity risk rating providers can discover the vendor's email servers and check whether they implement email encryption through STARTTLS.
- Use open source intelligence — providers can describe the quality of your vendors' cybersecurity based on passive observation.
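As an added example (not code from the original article or any rating provider), here is the kind of objective STARTTLS check described above, written with Python's standard library: it parses a mail server's EHLO reply for the STARTTLS extension and, in the live check, negotiates TLS with certificate validation so the evidence can be attached to the vendor's answer. The host name and the two EHLO replies are constructed samples.

```python
import smtplib
import ssl

# Constructed sample EHLO replies (not from any real server), in the raw
# newline-joined form that smtplib's SMTP.ehlo() returns as its message.
SAMPLE_EHLO_WITH_TLS = b"mail.example.test\nSIZE 52428800\nSTARTTLS\n8BITMIME\nPIPELINING"
SAMPLE_EHLO_WITHOUT_TLS = b"mail.example.test\nSIZE 52428800\n8BITMIME"


def parse_ehlo_extensions(ehlo_reply: bytes) -> dict:
    """Turn a raw EHLO reply into {EXTENSION_NAME: parameter string}."""
    lines = ehlo_reply.decode("latin-1").splitlines()
    extensions = {}
    for line in lines[1:]:  # the first line is the server greeting, not an extension
        parts = line.strip().split(None, 1)
        if not parts:
            continue
        extensions[parts[0].upper()] = parts[1] if len(parts) > 1 else ""
    return extensions


def advertises_starttls(ehlo_reply: bytes) -> bool:
    """True if the server lists STARTTLS among its EHLO extensions."""
    return "STARTTLS" in parse_ehlo_extensions(ehlo_reply)


def check_mail_server_starttls(host: str, port: int = 25, timeout: float = 10.0) -> dict:
    """Live check against one mail host: connect, read the EHLO reply, and if
    STARTTLS is advertised, negotiate it with normal certificate validation.
    Returns a small evidence record; any failure is recorded under 'error'."""
    result = {"host": host, "starttls_advertised": False,
              "tls_negotiated": False, "error": None}
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            code, reply = smtp.ehlo()
            if code != 250:
                result["error"] = f"EHLO rejected with code {code}"
                return result
            result["starttls_advertised"] = advertises_starttls(reply)
            if result["starttls_advertised"]:
                # Validates the server certificate against the system trust store.
                smtp.starttls(context=ssl.create_default_context())
                result["tls_negotiated"] = True
    except (OSError, smtplib.SMTPException) as exc:
        result["error"] = str(exc)
    return result
```

Run `check_mail_server_starttls()` against each MX host you have permission to assess; a server that advertises STARTTLS but fails certificate validation still ends up with an error recorded rather than a pass.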
Challenge #3: Questionnaires are typically administered at a fixed frequency.
The classic approach to assessing third parties is to divide vendors into inherent risk tiers (high, medium, low, etc.) and then establish a fixed frequency administration schedule. The problem here is that you're allocating risk resources without regard to risk: Vendors managing risk well are allocated the same assessment resources as vendors that are managing poorly.
The frequency of questionnaires should instead be based on known vendor performance.
Instead of assessing vendors at the same frequency (for example, all high-risk vendors annually), make the assessment frequency part of your assessment strategy.
- Determine assessment frequency based on residual risk rather than inherent risk.
- Continually monitor your vendors' ratings and adjust your assessment schedules accordingly.
- Establish the best frequency for your objectives.
Challenge #4: Questionnaires are generic, but your vendors aren't.
If you want to get the most out of a questionnaire, make sure you ask the right questions based on your relationship with the vendor. The idea is to shape the questionnaire to the risk context that you're analyzing. Not every question will apply to every vendor; more importantly, you'll want to ask some vendors additional questions that won't apply to others.
Know your vendor, then shape the questionnaire accordingly.
- Use the questionnaire to target the data you're most interested in; don't waste time gathering information you already have.
Challenge #5: Questionnaire-based assessments are infrequent.
Because questionnaires have to be administered by a person in your company and responded to by a person in the other company, it takes time to complete the entire process. In the meantime, entire digital ecosystems can emerge and change. New vulnerabilities can arise.
Use cyber-risk ratings — they'll tell you if vulnerability management performance is degrading, if your vendor has systems behaving maliciously on the Internet, and reveal a host of other issues.
- Don't only rely on a vendor questionnaire; make a cybersecurity risk rating platform an integral part of your third-party vendor security investigation.
Challenge #6: Know which questions to ask.
Even if the vendor knows everything there is to know about its security (which never happens), the onus is on you to ask the correct questions. Let's say you want to know if your vendor is managing all of your assets. Consider two questions: Do you track systems in a configuration management database? How do you ensure that you have a complete inventory of all of your systems? The first question will tell you that it bought some software that's helpful for managing assets but shows nothing about whether or not it's tracking all of its assets. However, the second question forces the vendor to reveal its strategy.
Craft the question after determining what you want to discover in the answer.
- Never ask yes/no questions unless they're very specific. (For instance, "Do you have a CISO responsible for all security aspects of protecting my relationship with you as a critical vendor?")
- Ask for details on processes, not just software purchases.
Questionnaires are useful in finding out what vendors have invested in across people, processes, and technology. Still, using questionnaires effectively can be challenging. With some strategic thought and planning, you can get the data you need for good risk outcomes.
- Know the scope of what you're asking.
- Trust, but verify.
- Instead of assessing vendors at the same frequency (such as all high-risk vendors assessed annually), make the assessment frequency part of your assessment strategy.
- Know your vendor, then shape the questionnaire accordingly.
- Craft the question after determining what you want to discover in the answer.