Vendor security questionnaires were always discussed with an eye roll when I started in this field in 2008. We assigned an analyst to address the concerns of our partners. We also assigned a security architect to send our security questionnaires to our growing list of vendors. In most vendor relationships, we represented the 800-pound gorilla because of the size of our healthcare system. We had the leverage to ask our vendors to complete our manual security questionnaires annually. It could be a smugly satisfying job for someone with the right mix of architectural skills and a desire to go head-to-head with the vendor’s security analyst.
We all knew it was crap. Don’t get me wrong. On an ad-hoc basis, we ensured our vendors weren’t clueless about security. Our vendors benefited from having a wire brush taken to their architectural diagrams. But it wasn’t a sustainable arrangement. The process didn’t scale. Most of the time, the answers we received painted an overly rosy picture. We constantly asked ourselves, “Why can’t they just answer the question more directly?” or “Why did they just copy and paste their answers?”
Today, I know why those vendors copied and pasted answers. I sit on the other end of the table. I support a solution provider, and we are inundated with one-off security questionnaires from our customers. Each questionnaire is just slightly different enough from the others we’ve received to be irritating. Each request for a response to the questionnaire underestimates how much work it takes to reply to the hundreds of questions we receive each month. Each question implies that we could lose their business if we don’t answer correctly. I am amazed that business is still being done this way. Sitting on this side of the table, what is clear is that responding to custom, manual security questionnaires for each client doesn’t scale in the face of our increasingly complex supply chains. And in 2023, it shouldn’t have to.
Alternatives to the Manual Questionnaire Insanity
There are alternatives to the custom security questionnaire that have been brewing for some time. Let’s look at two of them. First, a certification validated by an external party should suffice most of the time. The age of cloud services has brought with it an increase in reliance on the SOC 2 Type II certification. This is an ideal model for a large-scale vendor network. The service provider answers security questions and undergoes an external security audit once a year. This is a model that should probably cover 80 percent of requests. The arrangement relies on trust in the external auditors and in the certification framework. Withholding that trust entirely is expensive: it means too many hours of multiple security staff reviewing manual, one-off Excel spreadsheets.
The second alternative to the custom security questionnaire is the industry-standard questionnaire. Examples of these include the SIG and the CAIQv4. Both are comprehensive. The questions within them should again suffice 80 percent of the time.
A new solution type has emerged to aid in distributing these certifications and industry questionnaires. You can post your certification or SIG responses to web applications like CyberGRX, Tentacle, Vanta, or Whistic. These solutions help ensure all required documentation is available for those with a verified need-to-know.
These two alternatives are so vastly superior to managing custom questionnaires from each vendor that it really isn’t a question of whether they should be used but when. The trick is knowing under what circumstances to break an automated process and request a deep dive from your vendor. This is a risk management exercise, one that should definitely take into account the ways threats traverse supply chain weaknesses for access to bigger fish. Regardless, a custom security questionnaire should be the exception, not the rule.
As I’m doing my own due diligence on new vendors, I have a handful of questions. If the vendor has a SOC 2 Type II, that is good enough for me if they aren’t managing sensitive data. If the vendor manages sensitive data, I ask for a data flow diagram and standard industry questionnaires. If they can produce those, once again, I’m good. I ask for a meeting in those rare cases where I need further assurance.
Overall, the situation has improved over the last 15 years. Hopefully, security teams will continue to take advantage of these common-sense tools. However, there is an alternative universe where security teams continue to issue custom security questionnaires despite more efficient alternatives. In this alternative universe, the security questionnaires are never-ending and impossible to answer fully. The whole process is part of a game of security liability hot potato to be used as ammunition in some imagined eDiscovery exercise in the future. The process is reduced to security theatre. That would be a shame. That couldn’t happen, could it?
Mentioned Resources:
SIG by Shared Assessments: https://sharedassessments.org/sig/
CAIQv4 by the Cloud Security Alliance: https://cloudsecurityalliance.org/research/cloud-controls-matrix/
CyberGRX: https://www.cybergrx.com/
Tentacle: https://tentacle.co/
Trust Page by Vanta: https://www.vanta.com/
Whistic: https://www.whistic.com/