We often speak to businesses struggling to pass a cyber security assessment from one of their key clients. The business has received a huge spreadsheet with 100+ cyber security questions, many of which they have no idea how to answer. If they don’t “pass” the assessment, they may lose the client entirely. Sometimes the client is a new prospect, but just as often it is an existing customer who suddenly needs validation of your cyber program. This can create a real sense of panic for the business trying to pass the assessment.
In this article we present some basic rules that will help you (the company being evaluated) manage the cyber vendor assessment process and dramatically increase your chances of passing. These rules are based on our experience at Information Shield of helping over 100 organizations successfully pass vendor risk assessments. So let’s get started!
Rule 1: Your customer WANTS you to pass!
Yes, the people who sent you the impossible list of questions actually want you to pass. In some cases, you are a critical vendor on a critical project that your customer has undertaken. It is common for a cyber vendor assessment to take several months and hundreds of man-hours of effort; some take as long as a year. Now take the effort and pain you are experiencing and multiply it by 1000 other vendors. While this assessment process is painful for you, it can be just as painful for the vendor assessment team, who sometimes are compensated based on how well they do their job. In other words, it is in the best interest of everyone involved that you pass the assessment.
Rule 2: Don’t try to pass the buck
Many organizations try to essentially “opt out” of the cyber assessment process with something like this: “Our entire stack runs on Amazon Web Services (AWS) or Azure, and they are compliant, so we are compliant.” This is a common mistake, and it never works. The company doing the assessment wants to know about the information security controls of your organization. That means your entire organization, including all of the people and systems involved. So never try to pass by forwarding the SOC 2 or public SOC 3 report of a third party.
It is okay to use “Not Applicable (NA)” when you think it genuinely applies, but don’t make it the answer to every question.
Note: It is okay to declare that SOME of your controls are implemented by a third party, but not all of them. In the AWS example, you can declare that the physical and environmental security controls of your data center are managed by AWS. But in the end your management team is accountable for keeping track of which controls are assigned internally and which are handled by third parties.
Rule 3: Don’t expect to be perfect
Many organizations make the mistake of assuming that if they don’t answer “yes” to every question, they will fail. This is not the case. The risk management team of your customer does not expect you to be perfect, and neither should you. The cyber vendor assessment typically covers an entire set of cyber security “controls”, spanning at least 10 major “domains”. These can include risk management, access control, personnel security, third-party security, physical security, incident response and others. So unless you have had a formal cyber security program in place for years, you are not likely to have addressed all the questions. This naturally leads to the next rule.
Rule 4: Answer the questions the best you can
Vendor risk assessments are often extremely complex, especially for smaller organizations that have very little cyber security experience. To make it worse, some assessments give you only limited answer options, like “YES/NO/NA”. In the world of cyber security, there is rarely a topic that can be simplified into these buckets. So don’t fall for the trap.
For example, a common question is something like this: “Does the organization have a written information security policy that is updated regularly and approved by management?” In fact, this is three separate controls – not one. What if you have policies but they haven’t been updated in 2 years? In these cases the best approach is to (1) answer yes, and (2) add comments to clarify exactly where you stand. Make the assessing organization accountable for the fact that some of these questions are not easily answered with three options. This leads to the next rule.
Rule 5: Don’t be afraid to ask for help
In many cases, the people responsible for the vendor assessment project have experienced cyber security people on their team. So if you are confused about a question (“What the heck is an application pen test and where can I find one?”), start by asking the assessor for help. Remember, you are not their only vendor. Chances are there are dozens of companies struggling with the same questions. Asking for help is not a sign of weakness – it demonstrates a willingness to communicate. Unfortunately, spreadsheets and online forms are not effective ways to exchange information, especially when you are often limited to Yes, No, or NA.
Rule 6: Don’t answer YES if you don’t do it
Again, you are not expected to be perfect. If you do not have a control in place, don’t answer YES. We have seen cases where people just answered “yes” to every question and returned the assessment, only to be stuck later when asked for evidence. It is far better to be honest. If you truly believe a control is “Not Applicable” – then by all means mark it as NA. If something is in progress, then make a note that it is part of your upcoming plan, and even attach a projected date. Often the risk management team receiving the completed assessment can work with these answers. That not only creates effective communication, but it also enables you to create a working plan for your cyber security program over the next 6 to 12 months. This leads to the next rule:
Rule 7: Send SOMETHING back, even if it isn’t perfect
We see a lot of companies that are so overwhelmed by the cyber assessment that they simply do nothing for months on end. This is understandable, because in many cases a huge contract or major customer is on the line, so “failure is not an option.” However, based on our experience with hundreds of vendor assessments, it is better to send an imperfect assessment back (even with clarifying questions) than to sit on the assessment until the deadline approaches. Again, try to treat the assessment as a back-and-forth communication between you and the assessor. Most likely they have seen your case many times and understand the issue. This leads to the final and most important rule:
Rule 8: Use this as an opportunity to improve
We have seen that vendor cyber assessments are nearly unavoidable. We also realize that passing the assessment will be a significant amount of work. But a vendor cyber assessment presents an interesting opportunity: for maybe the first time, your management team is willing to spend money on cyber security.
This leads to a key point: why not treat the vendor assessment as an opportunity to improve your cyber security posture? If you do it right, having a robust cyber security program that you can demonstrate to others makes you a much more attractive vendor. In fact, if you pass one vendor assessment, you are much more likely to pass others. A well-documented security program can also save time as you prepare for an external audit, such as a SOC 2 Type 2 or Information Shield Cyber Certification.
Bonus Rule: You can streamline the VRM process
Sometimes a qualified third party can save you months of effort in understanding and passing a vendor assessment. For example, software tools can help you quickly define, document and manage a cyber security program that meets many of the cyber security best practices of ISO 27002, NIST CSF, HIPAA and many others. At Information Shield we have helped hundreds of organizations pass cyber vendor assessments in all types of industries. We do this with a combination of software, process, and expertise. If you are struggling to pass a cyber vendor assessment, please contact us for a free, no-risk consultation.