Last week, Larry Kinkaid, cybersecurity consulting manager at BARR Advisory, and Josh Schmidt, vCTO, sat down for an in-depth conversation on the nuances of vendor risk management, with a specific focus on the shortcomings of security questionnaires.
Kinkaid and Schmidt began by explaining how security questionnaires became such an essential part of the current vendor management process and why they may not always be effective.
“Essentially, it’s an effort to establish trust. It started as companies attempted to verify that their vendors are following their policies,” said Kinkaid.
“Security questionnaires provide a few basic functions,” Schmidt explained. “To establish trust and also to establish a paper trail of the security posture of the potential vendor. The effectiveness of the questionnaire directly relates to how intentional the asking party is in aligning with the core objectives of their vendor risk process. If they are just presenting very broad questions that aren’t relevant to the industry the vendor is in, then you’re often not getting very effective questionnaires.”
As security practitioners, Kinkaid and Schmidt have extensive experience on both sides of the process: filling out security questionnaires and sending them to their own vendors. They discussed best practices for sending and receiving questionnaires, and highlighted tools that can simplify the questionnaire process.
“I’ve found that the best companies only ask the needed questions and they don’t force you to needlessly duplicate answers. They should relate directly to the frameworks and standards that are relevant to the company. They should also allow for commenting on answers. Sometimes the question in some way is not relevant, or you can’t answer it due to your own policies. Allowing companies to explain is an important part of the equation,” said Schmidt.
After discussing the shortcomings of security questionnaires in the vendor risk management process, the pair provided in-depth solutions that practitioners can put into action today: evangelizing trust centers and other standardized documentation, understanding your customers’ expectations, and leveraging frameworks, especially those audited by a trusted third party such as SOC 2 and HITRUST, in place of the ad hoc controls of one-off vendor risk assessments.
To learn more about vendor risk management and security questionnaires, watch the full conversation in our on-demand webinar.
Interested in strengthening your organization’s vendor risk management strategy? Contact us today.