[Author’s note: This blog originally started as a series of mini rants about what everyone is getting wrong with their third-party risk programs. Of particular bother were our ballooning workload from a sharp increase in the incoming volume of questionnaires, and the diminishing level of assurance that longer questionnaires provide. It occurred to me I should write some of this down, because most Security Orgs are probably experiencing this same pain but not talking about it. So…here goes:]
Figure 1: Standard third-party risk assessment questionnaire (spreadsheet-based).
When it comes to performing risk assessments on your third parties, the more questions you ask, and the more detailed those questions are, and the more security context you gain, the better, right? Based on our experience responding to these risk assessments / questionnaires from current and potential customers, this certainly seems to be the prevailing sentiment.
We believe this approach is completely wrong, and for most organizations, it provides little incremental security assurance. It is also a gross misallocation of time and resources.
Now, before you reach out to us with a lengthy response explaining how every question on your (also lengthy) third-party risk questionnaire is absolutely vital and is the bare minimum necessary to appropriately gauge the risk of your third parties, please hear us out (or at least read to the end before firing off that email).
We believe you can reasonably determine a third party’s risk using only a handful of questions and select documents…no lengthy questionnaires or time-consuming audits required.
But before getting into that, let's take a step back and acknowledge that the journey to overbearing security questionnaires has been made in good faith; many companies are now properly recognizing that failure to ensure the security of their third parties is a blind spot in their Security program and could represent a major risk.
Over time, as third-party risk was thrust into the spotlight (thanks Target, circa 2013!) and has remained there, Security teams started asking their third parties more and more questions with incredibly specific requirements, oftentimes heavily anchored by the specifics and weaknesses of their own environment. All the while, they failed to ask themselves, “How much additional assurance and understanding is each of these questions actually providing?”
The unfortunate result today is that many Security teams pride themselves on the extreme length and granularity of their third-party risk questionnaire, falsely believing that quantity directly translates into quality.
Good questions & bad questions
Let’s use questions around privileged access as an example. Here’s a common one:
Do you restrict access to your production environment to only those users who require such access to fulfill their job requirements?
This is a standard question and is certainly worthy of inclusion on a third-party security questionnaire. But given the basic nature of the control, it’s better to assess the level of process maturity around the control.
An example might be:
Do you use automated mechanisms to control access to production environment resources, including privileged access?
This is a much higher-value question than the initial iteration, but it’s still a yes/no question. That leaves room for further improvement, as asking simple yes/no questions generally provides less value than asking about the maturity of controls.
At Segment, we’ve designed our third-party security questionnaire to limit the amount of yes/no questions and instead focus on control maturity. For example, our questionnaire assesses production environment access control with the following question:
This question essentially bundles two or three questions into one, and the response provides us with a deeper level of insight into the third party’s control maturity. Applying this approach across all domains in the questionnaire results in fewer questions without compromising the level of assurance.
How much should you trust a questionnaire?
Something else that's usually missed in the frenzy to ask more questions is that a questionnaire – by its very nature – is a self-attestation; while we generally assume our business partners are honest, a completed questionnaire provides zero guarantees that the responses are accurate.
This concept is regularly applied in other areas: should investors trust a company that audits its own financial statements?
Companies offering "questionnaire as a service" have tried to fill this gap by offering "response-validation" services, but these solutions do not scale well and tend to be cumbersome and time-consuming for the organization completing the questionnaire. Not only that, but one size does not fit all industries!
However, did you know that a solution to this problem already exists in the form of third-party security audits, specifically ISO 27001 and SOC 2? By certifying against ISO 27001 and/or completing a SOC 2 attestation, companies can demonstrate that they have an established, industry-standard information security management program and associated controls. Furthermore, the certificates and audit reports produced as part of these efforts provide higher levels of assurance that the controls are actually in place and working as intended. This is because the controls were examined by an independent auditor over a period of weeks, giving them the opportunity to go deep into any perceived areas of weakness. And at the end of the engagement, the independent auditor, with their stamp and signature, puts their own reputation on the line with the findings and conclusions.
Segment’s approach to evaluating third-party security
This is why we have centered the third-party risk management program at Segment on ISO 27001 and SOC 2. When evaluating a new third party, the first thing we request is a copy of their ISO certificate, SOC 2 report, and/or other independent reports.
If the third party is able to provide any of these, it immediately tells us a few very important things:
The third party appears to care about security.
Their controls and processes are mature enough to pass industry-standard audits.
Their Security program is broadly aligned with our own (we maintain our own ISO 27001 certification and a SOC 2 Type 2 attestation).
Further, once we receive the documents, we don’t just check a box and move on; we actually read the reports.
We evaluate the content to determine whether the scope is correct, to understand the specific controls that are in place, and to determine whether issues were noted by the auditors. And if the independent auditor is not a nationally recognized firm, we also spend time checking their credentials and reputation.
Unless there were significant issues noted by the independent auditor, key controls were missing, or the third party is unable to provide any current independent audit reports, we will not even need to send our own security questionnaire.
While we recognize that independent audits achieve only “reasonable assurance,” this is still a greater level of assurance than self-attested questionnaire responses. Using this approach, we significantly reduce the time we spend evaluating third parties while still gaining the assurance we require.
How to manage third-party risk more efficiently
If your third-party security questionnaire has more than ~75 questions, or you feel like you’re spending a large amount of time evaluating third parties with little value to show (i.e., you’re still lying awake at night worrying about your third-party risk surface area), it’s time to critically examine your third-party risk management processes.
Place greater reliance on independent audits and actually read the reports; don't just use them to check a box. Leveraging independent audit reports will significantly reduce the number of questions you need to ask your third parties, and will give you extra assurance knowing that the controls were validated by an independent auditor.
Question your questionnaire. Be ruthless in determining which questions actually provide value and excise those that don't. For the questions that remain, carefully craft response options that will accurately reflect the third party’s maturity. Aim for your questionnaire to be “less, but far better.”
Managing third-party risk is essential to the security of every company, large and small. Given the limited resources of most organizations, it’s important to ensure that the third-party risk management process is efficient, effective, and provides the highest amount of value for the effort expended. It’s one more important step to help all of us Security practitioners sleep more soundly each night!
Are you interested in joining a security team that isn’t afraid to question the status quo? We’re hiring!