It’s such a great feeling to check a box on your vendor security checklist. You establish a relationship with a third party — check! You meet another regulatory requirement — check! Once you’ve marked down every item and an audit turns up a clean report, the sales deal is done.

All parties involved can then go merrily on their way… until a malicious actor uncovers a security flaw that was overlooked amid all the handshakes and paperwork that went into the deal.

This security approach is especially prevalent in vendor management: One side says all is well — and the other takes this claim at face value without vetting it. This approach is not good for security, and it’s certainly not good for business.

Navigate Common Vendor Security Roadblocks

The most common (and dangerous) approach to vendor security happens when a company asks a third party for a copy of its latest vulnerability assessment or security operations center (SOC) audit report. Many people go through the motions to obtain these reports and check the box without considering how both documented and undocumented issues truly impact security.

In some cases, people are willing to look the other way or make dangerous assumptions — they’ve got to keep the business going, after all. Then, there’s the reality beyond the report. Clean reports, especially around SOC audits, are common. If there are any findings, it’s often an administrative issue related to user account management or data backups, but nothing of real substance that’s going to facilitate an incident or breach.

It’s also common for vendors to provide more in-depth vulnerability and penetration testing reports that are clean (or, at least, have minimal areas of concern). These reports are often based on network vulnerability scans that cover only part of the IT environment, not on an in-depth web application analysis.

When presented with these reports, it’s easy to overlook things like missing patches on workstations, SQL injection flaws in web applications and misconfigured guest wireless networks. Instead of acknowledging these patch-management and security-awareness gaps, many business leaders just move on to the next big thing and sweep security under the rug.

When Talking Security, Don’t Beat Around the Bush

When it comes to security, there’s often a lack of ongoing involvement and oversight. It’s obviously important to keep the business running, but too many decision-makers assume security controls are sufficient to counter cyberattacks simply because someone else told them so.

It’s similar to a doctor giving a patient a clean bill of health even though he or she is masking symptoms with medication. Although the bloodwork may look good, the patient is bound to have long-term health problems unless he or she makes better lifestyle choices. Many security programs follow the same path — especially when it comes to vendor management — and it’s a recipe for an unsustainable stream of data breaches.

Part of the challenge is that people are sometimes afraid to ask questions. They want to appear professional and nice, and this often causes them to gloss over uncomfortable subjects — namely, security. It’s good to maintain a positive relationship with your vendors, but not at the expense of long-term cybersecurity. This seems simple on the surface, but when organizational politics and high-value business deals are involved, everything gets more complicated.

Adopt a Trust-But-Verify Approach to Vendor Management

Vendor management is a hot topic today — and one that many enterprises struggle with. It doesn’t have to be terribly complicated, but it does have to be near the top of your information security program priorities. While it’s important to do right by your vendors, it’s more crucial to do what’s best for your business. That means looking beyond the paperwork, basic vulnerability checks and blind faith that the company is secure simply because someone else said so.

The best way to handle vendor security is through the old-school approach of trust but verify. Talk is cheap — and people are expedient, especially when big business deals are on the line. Try to step back and see through all the talk to truly understand what your vendors are doing.

When the going gets rough and the lawyers get involved, that’s the only defensible strategy.
