Third-Party Risk Questionnaires: Best Practice or Legacy Tool?
George V. Hulme | February 10, 2014
Questionnaires have been a key part of third-party risk management programs for decades. And, until recently, they were the primary way businesses checked up on the cybersecurity performance of their third-party vendors.
But recent history has taught us that these questionnaires aren't necessarily the best tool for third-party risk management, and may in fact be lulling risk professionals into a false sense of security.
According to a recent Ponemon Institute study, 59% of companies have experienced a data breach caused by a third party. It is safe to assume that some portion of this majority is using third-party risk questionnaires.
The problem is that questionnaires only provide a small amount of visibility into cyber risk. And in a world where third-party ecosystems are getting larger and more connected, that's a big problem.
Here are a handful of ways questionnaires leave organizations vulnerable:
Security questionnaires only reflect one point in time.
In other words, questionnaires only provide reliable information in the moment they are answered.
Organizations change. They change management, which changes risk tolerance; they cut security and regulatory compliance policies, which changes security and compliance posture. They deploy new technologies, and that also changes their risk posture.
And while the organization's security practices are changing, the threats are too. Good security controls are only good so long as they protect the organization against known threats. When new threats emerge in the time between assessments, that can leave a previously secure organization exposed.
Questionnaire answers are prone to bias.
Security and compliance professionals are often overconfident when it comes to the maturity and status of their security and risk management programs. As a result, their answers to risk management questions can often be overstated or misleading.
Intentional lying is always a possibility — after all, questionnaire results can have financial implications for the vendor — but for the most part, inaccurate responses aren't malicious. It's simply a symptom of the fact that people don't know what they don't know, and when it comes to a system as complex as an enterprise IT network, a human isn't really the best source of truth.
Which leads us to:
Those answering questionnaires rarely have all the facts.
Most of the time, the person fielding a questionnaire is basing their answers on what's been handed to them by others, whether that's their own employees, third-party auditors, or software tools. The further data gets from its quantifiable source, the more suspect it becomes.
Questionnaires provide a false sense of security.
Questionnaires aren't just risky because they could contain misleading information. Questionnaires also give those who rely on them a false sense that their partners' systems are adequately secured, which can lead to a lack of precautions and, ultimately, to data breaches.
The new best practice
In addition to questionnaires, TPRM professionals need tools that enable objective, continuous monitoring.
Security ratings are one solution. Provided by independent organizations, these ratings are a data-driven, dynamic measurement of an organization's cybersecurity performance. They identify things like malware infections and poor cybersecurity hygiene within a network, and are updated daily.
That means risk teams can get alerted to vulnerabilities now, rather than when the next assessment rolls around. In addition, they are based on accurate, objective information rather than personal opinions. In the case of BitSight Security Ratings, they're actually proven to correlate with risk of data breach.