Sharing of Security Information: Changes and Challenges
— February 1st, 2022
If the increased volume of security assessment questionnaires arriving in our corporate queue is any indication, our customers have been paying more attention to vendor security assessment and due diligence.
Just five years ago, processing the security assessment questionnaires submitted by prospective new customers commanded roughly 25% of our team’s regular workload.
During the last two years, however, the volume of security assessment questionnaires we receive for processing has doubled and now accounts for approximately 50% of the regular team workload.
Having said all that, and in fairness to customer stakeholders, we can only assume it’s been no picnic of late on the vendor management side either. The Colonial Pipeline, SolarWinds, and Microsoft Exchange attacks have highlighted more than ever the need to assess vendor security controls. (For additional detail, see Wired Magazine, Worst Hacks 2021.)
What is a security/risk assessment process?
For those readers unfamiliar with what this means, a security risk assessment is a process that identifies threats and vulnerabilities, assesses key assets, and implements important security controls in systems. This process also concentrates on preventing security defects and vulnerabilities within systems.
Benefits of carrying out a security/risk assessment
“Generally, the overall benefit of carrying out a risk assessment is that it helps an organization holistically review the security of systems and data. Being able to see security vulnerabilities from an attacker’s perspective allows organizations to make informed decisions in implementing security controls and allocating resources. Therefore, a security risk assessment is essential and should be a part of the risk management process of an organization.” (CyberDuo, 4 Step Guide for an Effective Security Assessment for 2022)
Lack of assessment format standard
Sheer volume aside, the challenge we currently face in processing security assessment questionnaires is the efficient and convenient sharing of relevant security information. There is simply no standard that suits all.
According to Whistic’s 4 Vendor Security Trends Whistic is Watching in 2022:
“Because every business and every industry have different security requirements, there will likely never be one standard questionnaire to rule them all—even if there exists a strong set of common controls across many of the top frameworks.
“But what is fast becoming the standard is the expectation that buyers and sellers alike should take a proactive approach to vendor security. Whether it’s customers researching or requesting security documentation at the beginning of the relationship or vendors sharing their security profile even before the initial discovery call, building the relationship on the foundation of trust and transparency is key.”
The variation and complexity introduced by differing assessment frameworks and question sets are just one piece of the standard-less puzzle. An acceptable format for sharing security information is a topic that routinely raises passions among prospective clients, current customers, third-party assessment portal providers, and vendors alike. Reaching agreement about “which format” all too often comes down to someone’s rigid insistence that their preferred format is the acceptable one.
I rather appreciate the following:
“Flexibility is key. Do not demand vendors respond to your questionnaire just because that’s the way it’s always done. Accepting a pre-completed standardized questionnaire will save your team time in the long run because you won’t have to chase down answers, you’ll already have them. They’ll just be in a different format.” (Whistic, 4 Vendor Security Trends Whistic is Watching in 2022)
What FWI | Poppulo is doing to improve sharing of security information
To better serve our customers, and to improve our own internal processes, our team is working to build out a security profile and a workflow designed to improve end-to-end sharing of security information. As part of that initiative, we are aiming to implement an intelligent automation tool to help with the increased volume of assessments received.
We’re also working to define a democratic (what’s good for one is not always good for all) Service Level Agreement that we hope will help build consensus on how security information is shared, not least on format and on the timeline to completion.
And by taking the first step early in the customer engagement process to proactively share security information with the relevant customer-side stakeholders, along with continuously updated supporting documentation, we’re hoping that the medicine (to paraphrase Mary Poppins) will go down a bit easier on both sides of the fence.