Are you thinking about Vendor (3rd Party) Security Assessments? Aspirations to build onto your Vendor Security Assessment program? Why wouldn't you -- you go through all the effort to secure your own business or corporation only to send your data to a trusted third party and have them lose it for you. Or better yet, your vendor gets breached and becomes a pivot point from which bad guys can hop onto your network -- case in point, the famous Target breach.
Vendor Security Assessments are usually an area for improvement for most security shops. However, those same security shops barely have enough security bodies to put out internal fires, never mind assessing the security posture of vendors. Because of this I often see Vendor Security Assessments passed over by security teams, or they only conduct a "kick the tires" type of assessment.
Vendor (3rd Party) Security Assessments are very important and, more importantly, they help you build a better enterprise security program. Here's how they help you build a better Security Program:
Vendor Security Assessments are best done BEFORE you establish a vendor relationship. Once your vendor has a signed contract and is connected to your network or sharing data, it's going to be very hard to get them to self-select the correct security behaviors, especially if security investment is involved. In order to do a Vendor Security Assessment before a vendor relationship is established, a Security team should be establishing relationships with their business peers so that those peers will include Security during business and contract negotiations. Often this is an opportunity to ensure your vendors make the proper security investments and are good custodians of your data BEFORE a contract is signed. This is a fantastic way to drive awareness of security throughout the company and to establish the relationships that push the security agenda forward.
Vendor Security Assessments get people talking about risk management. If you've done a security assessment before, you know there are always findings; sometimes those findings are cost prohibitive for your vendor to fix, but you still need them to do business. This gets people talking about risk, finding a common definition of risk, and discussing how much risk they'd accept in order to do business. If Security is tied into your Enterprise Risk Management Program (and it should be), the practice of talking about risk will absolutely up-level the quality of Enterprise Risks once you give everything time to soak in.
Security Assessments always have findings. If you are doing Vendor Security Assessments, you should be conducting remediation activities and following up to make sure your vendors remediate security deficiencies. This is good for a couple of reasons: it lets your vendors know your company takes security seriously, and it's also good practice for Security staff to work on the various soft skills that make them great Security Operators.
Vendor Security Assessments can be complex. Conducting security assessments of vendors and partners can be very involved, and no matter how mature a checklist you have, there's always a twist or an interpretation required for a security control. This makes for stronger in-house Security Analysts and Security Engineers, and when the time comes for them to assess internal designs or submit security requirements, they will be more proficient at the task from having extensive Vendor Security Assessment experience.
Justin (he/him) is the founder and CEO of NuHarbor Security, where he continues to advance modern integrated cybersecurity services. He has over 20 years of cybersecurity experience, much of it earned while leading security efforts for multinational corporations, most recently serving as global CISO at Keurig Green Mountain Coffee. Justin serves multiple local organizations in the public interest, including his board membership at Champlain College.