Yet more vendor risk management techniques that your vendors will hate you for
Geoff Chiang
Security Risk & Compliance, Applied Pedantry and Document Review Lead at Canva | Former Child
Unbelievably, the last few months of banging my head against my desk have yielded enough content for a fourth instalment in my series on questionable vendor risk assessment techniques. If you’ve missed them, feel free to take a few minutes to read through the first three parts.
Send every form to the vendor
The vendor wants your business, and they will be more than happy to complete any form or questionnaire related to the procurement, even those meant for the customer’s staff to fill out.
I mean, I get how this happens. You want to purchase a SaaS product, so you engage your procurement team, who give you a couple of questionnaires to complete: one for you, and one for the prospective vendor. You look at the two questionnaires and don’t understand either of them, because the one meant for the vendor is full of information security lingo, and the other one asks about things that you really don’t know. You think, “this isn’t my day job”, and pass them both on to the vendor to fill out.
As a vendor, it’s easy to spot these questionnaires, as the questions are about risk and internal process rather than about information security. You get questions such as “Approximately how many users will the system have?”, “What is the classification of data shared with the vendor?”, and “What would be the impact if the vendor service was unavailable for 72 hours?”. I’ve even seen one with a question along the lines of “Has this procurement request been approved by (some internal team)?”, followed by a number of questions about what that team had said.
The other variation of this, which I seem to be coming across with increasing frequency, is the questionnaire where it is clear that the author doesn’t realise that different questions should go to different audiences. I’ve commented on this previously. The current record on my team is a security questionnaire where we responded to 10 out of 90 questions with, “This is for the customer to answer”. Amusingly, this particular customer subsequently challenged us on these responses, insisting that we answer them.
Everything must be explained in the comments
Your vendors want to express themselves in your questionnaire, and your “Yes/No” questions are cramping their style. Help them out by requiring that your vendors provide explanatory comments, even for questions where a comment is clearly not appropriate.
Below is a real example from a questionnaire that I worked on a while back. It isn’t obvious from the image, but the comment was mandatory.
Any thoughts about what sort of comment the customer would be expecting a vendor to provide here? It certainly had me baffled.
I really don’t understand questionnaire designers who do this. Either they have done it inadvertently, which means that they never bothered running through their own questionnaire, or they’ve done it on purpose, in which case I think they may have chosen the wrong line of work.
Congratulations! You’ve made it to the second round!
Your vendor security assessment process is a closely guarded trade secret. You don’t want to lose your substantial competitive advantage in vendor risk management by revealing any more of your process than is strictly required. Do not, under any circumstances, tell your vendors what they should expect in advance.
This mantra seems to be a favourite of large companies - I’ve seen it multiple times from multinational financial organisations. You complete and return their questionnaire, only to find that it was merely the first “qualifying” questionnaire. They don’t bother telling you how many rounds there are before you get the prize.
I recently worked on a questionnaire from a well-known investment bank - I won’t name them, to protect the guilty, but for the sake of the story, let’s just call them “Old Man Zach’s”. Their questionnaire was surprisingly reasonable - fewer than 70 questions long. Once it was done, I moved on with my life and promptly forgot about it. Three weeks later, we received their “follow-up questions”. There were around 250 of them, and looking over them, it was quite clear that they were in no way follow-ups to our responses; they were really just the actual questions that they had wanted to ask all along. Honestly, I was just puzzled. Why didn’t they send us that set of 250 questions in the first place? It would have saved me a week and cut a month off the process.
(This story, all names, characters, and incidents portrayed in this article are fictitious.? No identification with actual persons or organisations, past or present, is intended or should be inferred.)
Use abbreviations that only make sense in your native language
Brevity is the soul of wit, or something like that. In this vein, make liberal use of abbreviations, acronyms and initialisms, particularly when they will only make sense in your native language.
OK, before I dive into this one, I want to make it clear that it’s my position that any organisation should be able to write their questionnaire in their native language, and that if a vendor wants their business enough, they will figure out how to complete it. I’m in no way suggesting that English should be the language of vendor risk.
(In fact, if you have read some of my other musings, you'll know that I think that human languages should be taken out of vendor risk management altogether.)
So, with that out of the way, for mercy’s sake, if you’re going to refer to something using its shortened form, unless that shortened form is widely recognisable regardless of language, please, please write the term out in full the first time you use it and suffix it with the abbreviated form in parentheses. After that, use the shortened form as much as you like.
A few months ago, we received a questionnaire from a prospective customer who was headquartered in France. Naturally, the questionnaire was in French, which led to what I can only imagine must have been a rather amusing sight: me with the questionnaire up on my monitor, trying to understand it via the real-time camera image translation function in Google Translate on my mobile phone.
About 20 questions in, I came across a question which asked whether we had an “SSI certification”. Googling for “SSI certification” led me to something to do with scuba diving, which, after some consideration, I decided was probably not what they wanted to know about (though to be honest, I still wasn’t really sure). After tearing my rapidly thinning hair out for a bit, I found myself staring blankly at the original French version of the questionnaire, when my eyes came across the term “Sécurité du Système d'Information”. If they had just suffixed that with “(SSI)”, it would have saved me half an hour.
Don’t update your questionnaire for decades
Vendor risk management is timeless. Version 1 of the security questionnaire that you created 20 years ago was perfect back then, and it still gets the job done now, so why bother updating it?
It always makes me chuckle when I run across a reference to “mainframes” in a security questionnaire. I mean, I know perfectly well that mainframes are still in use, but the fact that you’re specifically mentioning them in your security questionnaire tells me that your questionnaire was probably written around the time of the dot com bubble, and that you’ve been ticking exactly the same compliance checkbox over and over ever since.
I recently came across a question that asked whether customer data could be accessed on mobile devices, and then, in parentheses, gave the examples “phones, tablets, PDAs” (emphasis mine, obviously). I had two thoughts simultaneously: first, that there are probably some young people working for the company that puts up with me making these rants on LinkedIn who have no idea what “PDA” stands for (at least, in the context of that question), and second, I wondered whether my old Palm IIIc could even connect to a modern network.
Make your questionnaire disproportionate to your spend
Your vendor does not value their time - they exist to serve you, and they will fall over themselves to satisfy your every whim. Money is not important - they will do it for the satisfaction that it brings.
OK, I recognise that the information security risk associated with a vendor isn’t going to be correlated with the spend in any way. Risk is risk, and you need to get some form of assurance that the vendor is managing it. However, if you’re hardly spending anything, then please try to hide your astonishment when the vendor turns around and declines your request for them to complete your 200-question questionnaire.
Here’s a free tip. Your vendor has likely made some security resources available for those customers who aren’t spending a large amount of money. Read them. Nothing annoys a vendor more than a customer who is not spending a substantial amount and won’t even bother reading through their materials to get the answers themselves - it just screams “my time is more important than yours”. If you still have questions after reading through their resources, ask them whether they wouldn’t mind answering a handful of them. Pick your top 5 questions. If you’re lucky, they’ll agree and answer them, and you should be thankful. And all those other questions that you have? Sorry, but that’s risk that you need to manage.
That last point hits hard; nothing like filling out a SIG and a similarly hefty custom questionnaire for a year's free subscription.