There are at least four scenarios in which IT security questionnaires fail to help mitigate the unauthorized access to data. Although this first scenario was introduced in the prior post, understanding all four can uncover new ways we might manage this risk and support IT system contractors.
Vendors’ Responses are Often Highly Subjective
Every vendor completes a large number of IT systems questionnaires every year. Moreover, different people inside any one vendor are likely to be assigned to complete questionnaires associated with different projects. This can, and does, result in wide range of responses by the same vendor to the same question for different projects. For example, a very commonly used question is: “Have you participated in a cybersecurity exercise with your senior executives?” The intention behind this question could be to determine if the vendor is prepared to respond to a cybersecurity incident in which the vendor’s system is involved. But the vendor’s respondent, or team of respondents, rightly or wrongly thinks that his or their employer would never be involved in responding to a cybersecurity incident for that customer, but did spend 15 minutes in a company-wide meeting discussing cybersecurity. Thus, the vendor might answer “yes”, or “no”, or even “N/A”. In any case, the response to this question, and many others, result in more questions than it answers. One of the biggest questions, for me, is how does a questionnaire enable me to know what security controls that vendor will use when its personnel are touching my client’s system or my client’s data?
Responses of IT Security Questionnaires are Seldom Verified
Verifying the responses to an IT security questionnaire is difficult. At best, there can be a meeting of the customer and vendor, following receipt of a completed questionnaire, to discuss both the questions and responses. It is entirely feasible that you can obtain a general impression of the accuracy of many of the responses, but it is a rare vendor that will devote the resources to an intensive, on-site assessment of its own IT security practices. For example, a commonly asked question is, “How frequently do you train employees to store sensitive customer data on an encrypted thumb drives?” If the vendor claims its personnel are trained semi annually and presents an outline of the training, you are left with little recourse. You cannot comfortably verify this response, even if you asked for attendance records or copies of the invitation. Moreover, the questionnaire does not even address the subject of storing data on a thumb drive. That would require its own question, and how might one verify the response to that second question. In this way also, IT security questionnaires are a kind of dead end when it comes to enabling you, the customer, to know what security controls the vendor will use when it’s personnel work on your systems.
A Questionnaire Represents a Snapshot in Time
Questionnaires are used to get a sense of the security measures and protocols that your vendor has in place at the time the questionnaire is completed. Presumably, you will request that a questionnaire be completed when you are first considering awarding a contract to a vendor. After that, you may request additional ones annually. In any case, there will be a substantial period of time each year when you do not know for sure what cybersecurity practices remain in effect and which were discontinued, or perhaps worse, outsourced and now performed by a third party you are not even aware of. It just might be that your vendor is now storing sensitive data, such as your administrators’ logon credentialsor payroll data, with a third party you know to be vulnerable. Again, one of my biggest concerns is how does a questionnaire about vendor’s internal security program enable me to know what security controls will be used by that vendor’s personnel when they are touching my client’s system or my client’s data?
It is Difficult to Make Use of a Completed Questionnaire
Applying a completed questionnaire to cybersecurity concerns is a very difficult task, because a course of action is seldom obvious. It is rare that a set of poor, or undesirable responses to the questionnaire will simply result in the dismissal of an otherwise capable vendor, especially if that vendor is well liked by the management of an operating unit. How much effort and controversy might arise from an effort to establish an agreed-upon course of action that both parties might pursue to remedy a poorly completed questionnaire? Remember, the purpose of the questionnaire should be to assess the impact on the security of your systems and your data that might result from the vendor performing its services for your company. In this way, IT security questionnaires are too blunt, too ill defined and too weak to meet today’s cybersecurity threats.
Despite the usefulness of IT security questionnaires in connection with SOX and other regulations, their general use for today’s cybersecurity threats is misguided and inadequate to say the least. It is a new day, with new cyber-specific concerns that require a new solution, or at least a new approach.
Comments are encouraged and welcome from all parties as I hope that together we contribute to improving the work product of this commonly overlooked group of IT vendors..
You are invited to follow upcoming posts discussing Dark Side:
- “Statement of Net Worthiness” and the Cybersecurity Protocol
- Big back doors and IT system contractors
- A cybersecurity hygiene tailored for each vendor: The new approach to supporting IT system contractors
- Steps to improve your vendors’ cybersecurity hygiene at vendors’ Expense
- Building the cybersecurity hygiene using vendors’ line card and markets served
- The role of a fractional CISO that is dedicated to each vendor
- Two ways technology design consultants can participate in vendor cybersecurity