This is an interesting dilemma, and a question I hear regularly. It goes like this:
“We have a lot of vendors that don’t want to fill questionnaires out at all. What do vendors think of SecurityStudio?”
My answer to this is always the same…
3 or 4 years ago, when vendor risk management programs were largely nonexistent, vendors would push back on security questionnaires. They would dodge, avoid, argue irrelevance, hide, ignore, answer cryptically, lie (in some cases, yes they do), get answers wrong, etc. Basically everyone was trying to avoid having to provide any information about their security programs.
Now that we’re a few years down the road, vendors are used to this, especially in any regulated industry or anyone that works with healthcare.
So at this point, if I have a vendor that doesn’t want to give up information about their security, that’s a GIANT red flag for me.
There are only a few reasons for not being forthcoming to a customer or prospect:
- What the vendor does is highly sensitive, and they have to protect that information from everyone, including customers.
- The vendor is a big enough company that they don’t need to respond to prospective customers.
- A security program isn’t in place or the vendor doesn’t know how to answer the questions.
Each scenario is bad for me as a risk manager:
- Even if you say you’re highly secure, it’s my responsibility to make sure. So in scenario one, they would still have to have something they can provide me as evidence that they know what they’re doing. From my side, I can’t just take their word for it. So give me something.
- Although they’re a huge company (e.g. AWS, Microsoft, Google), they still pose a risk to us.
- If they avoid or resist, give excuses, or want to argue about why they don’t need to provide us any information, I assume they don’t have a security program.
When deciding if you should “fire” a vendor, there are many things to consider:
- Someone in your organization likely wants to do business with this vendor.
- It could be a significant deal for your organization. That adds pressure to push them through.
- How significant is the risk and what could happen to you if they get breached?
There are many more factors obviously, but the point is that it is usually extremely hard to fire a vendor that the business wants to work with. If you have the authority to pull that trigger, then I would advise using it sparingly. We enlist the business to help us get the assessment results back if needed, and we prefer to push them into remediation rather than firing them. SecurityStudio makes remediation really easy, so we prefer to just build remediation plans they can work on. That way everyone is winning!
I would only fire a vendor if all of the following are true:
- They simply won’t give us information.
- They argue and avoid enough that they give me the sense that they don’t have a security program.
- The business has alternative vendors that they can use, and they are ok with the firing.
Short of that, we opt for remediation, or if the vendor won’t cooperate at all, then we opt to have the business waive the vendor. That way, as a risk manager, I can show that I did my due diligence but that the business decided to pursue the relationship anyway. This is more than just CYA; it’s an important part of the partnership between security and the business. We don’t want to shut them down, we just want to manage our risk. They have the right to accept the risk of a vendor that won’t cooperate. (document, document, document)
The feedback we get regarding vendor willingness to use