Third-Party Risk Questionnaires: Best Practice or Legacy Tool?

George V. Hulme | February 10, 2014

Questionnaires have been a key part of third-party risk management programs for decades. And, until recently, they were the primary way businesses checked up on the cybersecurity performance of their third-party vendors. 

But recent history has taught us that these questionnaires aren't necessarily the best tool for third-party risk management, and may in fact be lulling risk professionals into a false sense of security. 

According to a recent Ponemon Institute study, 59% of companies have experienced a data breach caused by a third party. Among this majority, it's safe to assume some portion are using third-party risk questionnaires.

The problem is that questionnaires only provide a small amount of visibility into cyber risk. And in a world where third-party ecosystems are getting larger and more connected, that's a big problem. 

Here are a handful of ways questionnaires leave organizations vulnerable:

Security questionnaires only reflect one point in time.

In other words, questionnaires only provide reliable information in the moment they are answered.

Organizations change. They change management, which changes risk tolerance; they cut security and regulatory compliance policies, which changes security and compliance posture. They deploy new technologies, and that also changes their risk posture.

And while the organization's security practices are changing, the threats are too. Good security controls are only good so long as they protect the organization against known threats. When new threats emerge in the time between assessments, that can leave a previously secure organization exposed. 

Questionnaire answers are prone to bias.

Security and compliance professionals are often overconfident when it comes to the maturity and status of their security and risk management programs. As a result, their answers to risk management questions can often be overstated or misleading. 

Intentional lying is always a possibility — after all, questionnaire results can have financial implications for the vendor — but for the most part, inaccurate responses aren't malicious. It's simply a symptom of the fact that people don't know what they don't know, and when it comes to a system as complex as an enterprise IT network, a human isn't really the best source of truth. 

Which leads us to:

Those answering questionnaires rarely have all the facts.

Most of the time, the person fielding a questionnaire is basing their answers on what's been handed to them by others, whether that's their own employees, third-party auditors, or software tools. The further data gets from its quantifiable source, the more suspect it becomes.

Questionnaires provide a false sense of security.

Questionnaires aren't just risky because they could contain misleading information. Questionnaires also give those who rely on them a false sense that their partners' systems are adequately secured, which can lead to a lack of precautions and, ultimately, to data breaches.

The new best practice

In addition to questionnaires, third-party risk management (TPRM) professionals need tools that enable objective, continuous monitoring.

Security ratings are one solution. Provided by independent organizations, these ratings are a data-driven, dynamic measurement of an organization's cybersecurity performance. They identify things like malware infections and poor cybersecurity hygiene within a network, and are updated daily.

That means risk teams can get alerted to vulnerabilities now, rather than when the next assessment rolls around. In addition, they are based on accurate, objective information rather than personal opinions. In the case of BitSight Security Ratings, they're actually proven to correlate with risk of data breach. 

Conclusion

To call questionnaires a "legacy tool" would be a little hasty. Questionnaires still have their place in third-party risk management programs. There is information that you can gather via questionnaire that you can't get from other sources. For example, check out our suggestions for questions to add to yours. 

However, questionnaires alone can't provide the kind of context modern risk professionals need to get the job done. 
