While ISO/IEC 27000, the NIST Cybersecurity Framework, the Shared Assessment SIG, Cloud Security Alliance CAIQ, the Center for Internet Security Top 20 and other standards now prevail in the cybersecurity industry, the third-party risk management discipline is still fragmented in its methods. Security risk in the supply chain has increased exponentially given complex, often global supplier networks, mounting cyberthreats and increased government regulations.
In trying to keep up, companies have implemented lengthy vendor assessments that regularly prove burdensome for their internal teams to manage. They’re also onerous for suppliers, which must respond to similar questions asked in slightly different ways by every company they sell to. That muddies data collection and makes a consistent cross-industry evaluation difficult to impossible.
For instance, during some recent research exploring hundreds of security assessment questions, my firm discovered 10 iterations of a basic question asking if a supplier conducts penetration testing! Considering questionnaires can have hundreds of questions, it’s easy to see the scope of the challenge.
A natural response would be to seek a set of standards for use in creating and implementing third-party risk assessment instruments. For example, the Shared Assessments Program, a global membership organization focused on best practices for third-party risk assurance, has created a useful tool with its Standardized Information Gathering (SIG) Shared Assessment. The SIG offers a great starting place for assessing risk management across 18 service provider business domains, using a common taxonomy for hundreds of questions.
The benefit of this and similar resources is that they are created by experts who evaluate a huge set of questions, intake a breadth of third-party risk management expertise and codify it. They apply an industry-agnostic, global perspective. They also continually update question banks as new information is uncovered and analyzed. Because it’s their core business mission, the output is high-quality, comprehensive and likely better than any company could do on its own.
As valuable as this resource can be, organizations still often modify standard SIG questions to apply their own terminology or otherwise adjust them to meet their specific risk appetite. That exacerbates the inconsistency problem.
The pentesting question dilemma is a prime example. Assessment questionnaires not aligned to a standard framework require those completing the assessment to stop, read, understand and interpret a question for any nuance contained in it. Perhaps there’s even a follow-up question included. This takes time and may actually increase errors.
Instead, given the availability of rich standardized tools and expertise, it’s far more efficient for all concerned if organizations customize the way they apply standardized questions, mapping them back to their specific organizational risk threshold. For instance, think through which of the 18 SIG domains applies to your unique situation and select standard questions that align to your corresponding areas of risk. There are hundreds to choose from.
For those who insist that customized questions are necessary, consider standing in the vendors’ shoes. Read your entire assessment questionnaire and honestly consider your reaction if you were told to complete it. If you’re not willing to fill it out, it’s the wrong thing to be sending.
What’s more, the vendor cost burden is already prohibitive. Buyers who make the process too complex and consequently too expensive stand to drive away the best vendors, which will look for paths of less resistance. Those that do stay with you will pass the costs back to you in some other form.
It ultimately comes down to time, cost and sanity. Given the extensive supply chains that so many businesses depend on, yesterday’s system no longer works. Third-party security assessments will remain a critical part of effectively managing the security risk that’s inherent in the supply chain—but critical doesn’t have to be complicated. Instead of recreating the wheel, embracing tools already available will help all of us reach the same objectives, improve efficiencies and secure the interdependent global business ecosystem.