If you are doing vendor security assessments for your employer, it is your job to assess the risk associated with vendors so that your leadership can make decisions.
It is not your place to bully the vendor.
Thank you for coming to my TED Talk.
@accidentalciso I regularly find myself either being the one setting the security questions for our vendors or being the one answering them for our customers. A few thoughts I've ended up with:
- ISO 27001, SOC 2 and CSA CAIQ give us "common language", and help shorten many processes. If the VRM process isn't shortened by us as a vendor having those, it's usually a sign it's going to be a painful one. Compliance != security, but it should get rid of some questions about security basics.
- As a vendor, if we experience a particularly painful VRM process, we try to learn what was painful and make sure we're not inflicting the same on our own vendors.
- Vendors who respond "our Cloud provider is ISO 27001 certified, so we're secure" need educating, not yelling at.
- If a customer asks us yes/no questions about whether we've got a specific technology deployed, it's often a sign that they are concerned about risk X and believe technology Y is the only way to mitigate it. If they can describe what risks they are most concerned about, we can describe to them how we mitigate those risks.
- Pragmatic, risk-based processes tend to be positive experiences that lead to good partnerships.
- Bullying and obstructive behaviour are likely a symptom of process or culture dysfunction.