How to torture your suppliers with privacy and security questionnaires…

Well, here is one way to kick start the economy… job creation for everyone!

A thousand paper cuts by 3rd party vendor privacy and security risk assessment questionnaires, becomes a great reflection of infosec teams sending them out as much as it is for the recipient(s) painfully responding …

How much do you actually hate your suppliers..?

There is a fine balance between assuring security and a pragmatic amount of supporting paperwork 🙄

After spending a good portion of pandemic 2020, intimately reviewing over 968 privacy and security controls. I found myself opening a Pandora’s box that lead me to dumpster diving into AWS and Azure platforms 🤦‍♀️ about as fast as Google and the platforms could enlighten me. 👀

Helping executives get across GDPR, ISO27001, PCI-DSS, CIS, HIPAA/HITRUST, NIST, the Australian Privacy Act (undergoing legislative review), and others making up almost 100 frameworks and standards for compliance around the world... What else do you do in a pandemic right? 🤷‍♀️

Privacy down under is going European, and reaching for gold!

I started to write this when I hit the point of dissolution very quickly, shortly after responding to the first dozen or so comprehensive questionnaires (between 40–160 questions each)… and it dawned on me that the cost of compliance could seriously bankrupt businesses, especially SMBs.

At first, I couldn’t work out if the client wanted to buy the company as the questions were closely related to what I would do for part of an M&A due diligence 🧐 (I will share this in a future article ‘Are you buying a tech lemon’ 👀) Then I realised that there is a disconnect between the customer’s business stakeholders and their Infosec teams as they often don’t target their assessments to the service they are actually seeking to procure.

The sheer volume and types of questions being asked of vendors through 3rd party privacy and security risk assessments give insight into how organised/dis-organised and/or considerate corporate InfoSec teams are. One wonders, which side of the fence most of the due diligence should be on? 👀🙈

General industry feedback indicate that executives are passing the buck and strangely handing anyone in IT to answer compliance’s questionnaires….

Now, just because resources are in ‘IT’, it doesn’t mean they are the best people to respond to these questionnaires, as there could be business implications beyond specifically securing technology… justSaying! 👀

And it begs the question… who should bear the cost..? the client requesting the burden of compliance proof, or the supplier providing product/services, or should some of this perhaps be subsidised by government ?🤔

After all, it’s in everyone’s best interest to harmonise these standards and it’s compliance, as the weakest link to unravel the supply chain could also be the small business that will not have the funds to meet compliance requirements.

Some companies appear to just hit export ALL questions and throw the textbook across for a catch-all approach 🤦‍♀️ with InfoSec teams on both sides quickly becoming buried in tactical items that don’t actually protect data, customers, partners, or key stakeholders.

Perhaps a pragmatic (and least time consuming work) approach could be to first understand the data flow, in order to narrow down exactly what is needed to secure information assets and that data flow 🙄.

✅ IMO… Narrow the scope as quickly as possible! Save the headache, time, admin, and ultimately cost implications to both businesses…

If you are a corporate or government organisation, there’s merit in re-evaluating the volume of administrative overhead your Infosec teams are getting themselves into and your vendors. (Unless you just want to create job security to justify added costs 🤷‍♀️)

What to ask for? What to give?

1. One size does NOT fit all … and it isn’t free, for either side... Understand your own environment, what is managed in-house? If you have an internal infosec team, walk them through the vendor/partner solution. They are not clairvoyant.. 🔮
2. What is actually relevant and in-scope for the assessment? What data will actually be assessed? What compliance programs are you trying to align to? (GDPR, HIPAA, NIST, Australian Privacy Act, PCI-DSS, ISO27001. etc.) What roles are each party playing i.e., data controller vs. data processor
3. Details are in the Data. How will the data flow from beginning to end? When you are clear about this, you will narrow the scope very quickly, reduce confusion and not waste time and effort. Remember that the entire vendor assessment process revolves around keeping data safe.. (unless you are conducting due diligence to acquire the company or the product)
4. Know the difference between the supplier’s corporate network vs. the product platform on offer and relevant to the service they are providing. An entirely SaaS solution independent from the corporate network could mean you should focus on where your data is being transmitted to, accessed, or stored.
5. A demo saves time and your sanity in reading endless questions and responses … think in terms of 20 mins vs. 2 days or even 2 weeks …

If you are in a position of power, you have 2 choices:

1. Turn the blind eye and let job creation naturally take its course… grab popcorn and watch the chaos 🍿, emails filling up inboxes, everyone scrambling for documents living everywhere … 🤦‍♀️
2. Streamline the headache, there are tools and platforms which will considerably reduce process, paperwork and auditing, ensure you don’t have material living everywhere across staff laptops, emails, shared drives etc.

Hit me up to save time, costs, headache and meet compliance obligations as painlessly as possible ..

About me: I have 20 years of experience with a privacy & cybersecurity focus in Information, Communications, and Technology providing advisory and assurance to enterprises and government. Feel free to connect with me on LinkedIn or drop me a message.