Security Risk Management

Why Third Party Risk Questionnaires Lead To A False Sense of Security

George V. Hulme | February 10, 2014

As it appears now, the entire Target breach may be the result of a compromised heating, ventilation, and air conditioning (HVAC) subcontractor that had worked for Target and many other retailers.

According to one report, “Sources close to the investigation said the attackers first broke into the retailer’s network on Nov. 15, 2013 using network credentials stolen from Fazio Mechanical Services, a Sharpsburg, Penn.-based provider of refrigeration and HVAC systems.”

None of this should come as a surprise. Third party risks have been known for years, especially in the retail industry. In early 2012, Network World senior editor Ellen Messmer, in her story “Data breach? Blame your third party’s remote access systems,” highlighted an industry report that found the vast majority of breaches were the result of third parties.

“An in-depth study of data-breach problems last year where hackers infiltrated 312 businesses to grab gobs of mainly customer payment-card information found the primary way they got in was through third-party vendor remote-access applications or VPN for systems maintenance,” she wrote.

"The majority of our analysis of data-breach investigations -- 76% -- revealed that the third-party responsible for system support, development and/or maintenance introduced the security deficiencies exploited by attackers," Messmer quoted the Trustwave report as stating.

That’s why it’s so crucial that third party risks be assessed on a continuous basis: when it comes to IT risks, an organization’s security posture changes swiftly. One wrong move, and its network can find itself infected with a botnet. A firewall misconfiguration, or a careless employee or two clicking on a maliciously crafted email link, and the attackers are in.

The big challenge is finding out, in a timely way, when a partner’s risk posture begins to change or when they’ve become compromised, at least quickly enough to reduce the risk of being similarly compromised.

This is where security questionnaires break down. They don’t capture risk as it actually is, or how it changes over time. Here are a handful of ways questionnaires leave organizations vulnerable:

Security questionnaires are a point in time.

They are only good in the moment they are answered. Organizations change. They change management, which changes risk tolerance; they cut security and regulatory compliance policies, which changes security and compliance posture. They deploy new technologies, and that also changes their risk posture. You get the idea, and this is why the value of questionnaire answers degrades from the moment they’re given.

Questionnaire answers are prone to bias, and an overestimation of security.

Security and compliance professionals are often overconfident when it comes to the maturity and status of their security and risk management programs. In a recent feature story I wrote, “Security spending continues to run a step behind the threats,” which was based on a survey of 9,600 security practitioners, the vast majority of respondents – more than 80 percent – considered their programs effective. But this view didn’t hold when the data was tabulated to take into account the maturity of their security and risk management programs. The reality was a figure in the single digits.

Those answering questionnaires rarely have the facts.

Most of the time, those fielding the questionnaire are basing their answers on what has been handed to them by others. The further data gets from its quantifiable source, the more suspect it becomes.

Questionnaires don’t accurately reflect the current state of security controls.

Security questionnaires don’t, and can’t, go much deeper than discerning whether a third party has a firewall in place; they can’t tell how well that firewall is being maintained, at least not objectively. The same holds true for encryption policies, risk and vulnerability management, application quality control, and anything else that rests on the answers of a biased, or at least vested, person filling out the form.

Questionnaires provide a false sense of security.

Aside from being point-in-time and subjective, questionnaires provide those who rely on them a false sense that their partner’s systems are adequately secured.


In addition to questionnaires, what’s needed are thorough and regular assessments and other forms of actual measurement: of the integrity of the security controls, the effectiveness of the defenses, and the processes the enterprise has in place. With that knowledge it’s easier to control the real-world risks through contractual agreements, along with an understanding of how security controls will be vetted in the future with regular assessments, and how breach incident response will be handled.

And as the recent revelations in the Target breach indicate, and years of data as well, it isn’t always the third parties sharing the most sensitive information that matter most: almost every third party that connects to your resources is a very real vector for threats. An HVAC contractor? How many would have guessed?
