Even more vendor risk management techniques that your vendors will hate you for

I made an error of judgement. I honestly believed that my previous two pieces had comprehensively covered the topic of bad vendor risk and security questionnaire practices, and that I’d then be able to put that subject to bed and move on to bigger and better things. But, unbelievably, the last 3 months of customer requests have yielded more than enough material to warrant another entry in this series.

For those who had better things to do than to read my previous pieces, the items that I list below are things that you can do to your vendors that will drive them up the wall. I’m not advocating these, nor am I responsible for anything that happens if you actually go and implement them.

Set arbitrary, unexplained deadlines

“Here’s a link to our questionnaire, you’re required to complete it by <unreasonable date>. Communication is hard, so we’re not going to bother explaining this date, or whether there will be any ramifications for missing it.”

Yes, we know that the quicker we complete your questionnaire, the quicker we can move forward to a sale - we both have an interest in that and we do our best. But here’s the thing. When you give us your questionnaire, we add it to our pile of customer questionnaires. Often, that pile is rather large. How the questionnaires in the pile get prioritised is going to vary from organisation to organisation. Some might prioritise by opportunity size, some might use a first-in, first-out system. Some might put them all into a hat, mix them up and pick one out to work on whenever someone is bored. I’ll tell you what isn’t happening though: no-one is bumping yours up the list just because you gave a due date with zero context. If you have some time constraint, tell us about it and we’ll do our best to accommodate requests that we find reasonable. But arbitrary, unexplained dates are ignored.

In my younger and more naive days, when presented with a due date, I would often inquire as to what would happen if we failed to meet it. Invariably, the answer was “nothing, but it would be great if you could get it done by then”. Eventually, I started to feel sorry for the people who were trying (and failing) to come up with some justification for a date that they often weren’t even aware of themselves. I don’t bother asking any more.

Provide a questionnaire that requires an instruction manual

I recently received a customer questionnaire that consisted of two files: an Excel spreadsheet containing the questionnaire, and a PDF document explaining all the things you needed to know and do to be able to fill it out correctly. Obviously, that questionnaire went straight to the bottom of the pile.

You can imagine the sequence of events that would have led to this. Someone decided to create a vendor security questionnaire in Excel, and over time, they added enough questions, validations and other macros to turn a simple list of questions into a ridiculously complex quasi-application that their vendors struggled to work with. Then, rather than either simplifying what they had created or migrating to an actual questionnaire platform that would support everything they wanted to do, they instead made the decision to invest their time creating a document to make it possible for their vendors to continue using their bad solution.

Completing customer security questionnaires is difficult enough without having to worry about user interface issues. If your questionnaire isn’t intuitive enough to be used without instructions, then don’t be surprised when you find that the vendors that you send it to are taking their sweet time to respond to it.

Make your questionnaire platform the vendor’s problem

Is it too much to expect that, if I run into an issue while filling out a questionnaire on the customer’s chosen platform, the customer should be the one to sort it out? I’ve had a number of recent experiences where I haven’t been able to figure out how to make the questionnaire platform do what it is asking me to do. Simple things that should be easy - in one case, for example, the customer flagged some of our responses and asked for additional information, but when we re-accessed the questionnaire, there didn’t seem to be any way to provide it. In each of these cases, not only did the customer take some convincing that there was actually a problem, but some of them also seemed to think that we should be the ones solving it.

Now, I don’t expect anyone to be an expert in their customer security questionnaire platform. However, it is your organisation that chose the platform, it is your organisation that is asking us to use it, and if we run into legitimate problems, it is your organisation that should be finding a solution.

I had one particular customer suggest that I lodge a support ticket with the questionnaire platform vendor, and I had to hold myself back from pointing out that, first, we are not the platform’s customer, and second, that I have more important things to be doing than raising tickets for a product that we don’t use.

Ask your vendor to respond to random things you find about them on the internet

A good vendor risk management approach will include doing some initial research about the organisation before launching into a questionnaire. But you can easily turn that good approach into a bad approach if you're not careful about it.

We recently had a prospective customer ask us about the remediation status for a couple of vulnerabilities identified in our product. They provided a link to a record in an online vulnerabilities database for a software library that had a similar name to our product. Of course, we responded in a perfectly professional manner pointing out their error and assuring them that it happens all the time. My memory isn’t what it used to be, but I’m almost certain that we didn’t include the word “incompetent” in our response.

Another prospective customer fired up one of those services that scans an organisation’s attack surface, pointed it at our product, and asked us to explain the findings, sending through a “report” that was entirely devoid of detail. For reference, the findings were things such as “HTTP port open”. If we wanted to actually know the server and port number they were talking about, we had to sign up to that platform. We politely informed the customer that we were not provided with sufficient detail to be able to comment, and that we do, in fact, perform our own vulnerability scanning.

Poorly disguise an audit as a questionnaire

Ever had a prospective customer insist that they need to be able to periodically audit you? Now I’m sure that there are organisations out there that can cater for this, and honestly, I applaud them and would love to swap notes with some of them. However, I run a small team, customer security questionnaires are only one of our many responsibilities, we already have our hands full running several internal and external audits every year, and the reality is simply that facilitating ad hoc audit requests from customers is not currently an option.

(No, tooling vendor salespeople, I don’t want you to reach out to solve this problem for me.)

Well, if you’re a customer, it turns out that there is a strategy for getting around this. Simply ask the vendor to complete your “security questionnaire”. Except that, when they take a closer look, they find that your security questionnaire is actually an audit wearing a trenchcoat and fake moustache. Sure, it starts innocuously enough (Question: “Please describe the service being provided.” Response: “What, you don’t know what you’re buying?”), but soon you get to the screen that asks you to upload 50 documents, including screenshots of things like cloud service configurations and lists of staff who have access to production environments.

Make the vendor do your job for you

The point of the whole vendor risk dance is for the customer to determine whether the vendor provides the service in a way that is consistent with the customer’s risk appetite. The vendor risk analyst’s job is basically to determine whether the vendor in question meets a whole heap of what are effectively compliance requirements, with those requirements originating from the customer’s information security policy and standards. And the way that they typically do that is to request and review things like vendor SOC 2 reports and questionnaire responses.

Some very clever risk analyst figured out that, as long as the vendor wants your business enough, not only can you get away with not reviewing any collateral that the vendor has put together (which I commented on in my first article), but you can also get away with simply sending out a “questionnaire” that is the exact list of compliance requirements that you’re trying to check off.

We recently received a questionnaire where every “question” started with, “The vendor must…”, and the responses were all simply “Yes/No” to indicate whether the vendor met the requirement. I’m still not sure whether this is brilliant or stupid. On the one hand, by asking the vendor to directly address their compliance requirements, they’re getting rid of the layer of “translation” that would happen if they were asking more normal questions. But on the other, since every “question” is phrased as an obligation, the vendor responding to them will be careful to provide conservative, “legally appropriate” responses, which may not result in the best risk outcome for the customer.

Assign risks to your vendor to remediate

I’m sure you’ve all seen this one. You finish and return your customer’s questionnaire, maybe there has been a subsequent email exchange discussing a handful of clarifications, and then communication stops and you leave it to your sales rep to close out the deal. You close the ticket because, from your perspective, it’s done. Two weeks later, you receive an email from risk-platform-you’ve-never-heard-of.com saying that the customer has assigned you a risk and that you should log in to review it. No forewarning from anyone on the customer side; just an email message out of the blue.

Honestly, I love the optimism on display here. First, the idea that you can assign someone from another organisation risk remediation work is amusing to no end. I don’t know about you, but I have enough work on my plate to keep the next few generations of my family busy, so you’ll forgive me if I don’t jump right on some work that has been “assigned” from someone outside of the organisation that pays my salary. Second, I love the idea that the poor person who happened to be given your questionnaire to complete is somehow also in a position where they are able to uplift whatever product “deficiency” it is that you identified.

On occasion, your sales rep will reach back out six months later to tell you that the customer is following up on how the risk is going. The correct way to respond to this is to ask, “sorry, who said that we’d do what by when?”, and that is almost always the end of that conversation.

I’m going to deviate from my usual cynicism here and say something actually somewhat useful. Pro tip for customers: you’re responsible for your risk appetite and for managing your risks. If the security posture associated with a particular third-party product is outside of your appetite, then you have several options open to you:

  • Manage the risk on your own side (e.g. limit the scope and/or sensitivity of information being shared)
  • Work with the vendor to bring the product within your appetite
  • Find an alternative product that does meet your appetite

Note that “working with the vendor” involves discussion amongst respective decision makers, strategic alignment, agreement and commitment. It typically involves contractual provisions or a memorandum of understanding. Simply assigning a risk to a random staff member in another organisation is not managing your risks - it just guarantees that you’re going to have an open risk in your register for a long time.

Postscript

Honestly, I hope that this is the last one of these that I write. Somehow, I doubt that will be the case - it seems that every time I think I’ve seen it all, some new vendor risk practice pops up to frustrate me.

Again, please don’t actually use any of these techniques - our jobs are challenging enough without people going out of their way to make them harder. Be a good human - have some consideration for the poor questionnaire responders.

Keith Marlow

Cyber Security & Architecture Consultant | PhD, CISSP, Security Risk Management, MACS, MBCS

1 year

Hear, hear. I find the whole 'invent your own questionnaire' thing totally bizarre - how do you know what to ask of a large, complex system you are not allowed to examine? The default seems to be to go full scattergun and produce a 500-question monster... I also like how they manage to still confuse on-site with cloud... Another pet peeve is online questionnaire frameworks that don't seem to understand you cannot fill in a 500-question monster in one sitting, and then have the world's most annoying navigation structure to boot... or you come back a few days later and your creds have expired. Also 100% agree with the remote scanning reports that try to find invalid security issues in things you don't control; toilet paper is infinitely more actionable.

Juliano Bersano

Founder | Managing Director

1 year

When you try to explain to your kids that you are in IT, but you'd save hours by just saying "I fill out dreadful questionnaires".

Edwin Kwan

Cyber Security Executive | Advisor | Author | Speaker

1 year

I love it, thanks for sharing Geoff! Hopefully those customers don't do periodic reassessments, otherwise you have to go through those experiences on a regular basis.

Jacqui Davy

Head of Privacy and Product Counsel, Global at Canva | AIGP, FIP, CIPP/E, CIPM, Grad Dip Applied Corporate Governance, BCom, LLB | IAPP ANZ Advisory Board Member

1 year

Better than the Star Wars trilogy Geoff Chiang !
