3 Ways Using A Vendor Risk Assessment Template Alone Can Fail You

Vendor risk assessment templates are the starting block to creating vendor questionnaires. Typically, they’re comprised of a variety of questions, but the end goal for each is the same: to figure out how secure your vendor is.

But is that really enough? In short: No.

There are several problems with relying solely on a vendor risk assessment template. For one, the questions themselves often elicit simple “yes” and “no” answers—which don’t tell you much at all.

Perhaps you’ve structured your questionnaires so they allow for essay responses. This might give you more confidence in your vendor, but it’s still only showing you a snapshot in time.

Cybersecurity is constantly moving and evolving as new threats and vulnerabilities emerge, and questionnaires are only able to capture what the vendor believes to be true in that moment. Consider your health status; just because you’re in good shape today doesn’t mean that you aren’t harboring a condition that is undiagnosed, or won’t get sick in the future. The same holds true for your vendors—even if a vendor hasn’t been breached before and is following all best practices, they could still be vulnerable down the road.

So now you can see how conducting a vendor risk assessment with just a template can fail you—but you may still want some details. We’ve laid those out below.

1. It’s subjective.

The thing is, nearly every vendor has completed a risk assessment template. Most have completed tens or hundreds—maybe more. For instance, one question might be, “Have you participated in a cybersecurity exercise with your senior executives?” By asking that question, what your organization really wants to know is if the vendor has engaged in drills that can help them nail down a quick incident response time. But what your vendor may think of is the one time they reviewed what they might do for about 15 minutes—last year. Thus, they can answer “yes” with a clean conscience, and you are both left with entirely different beliefs about the situation.

2. It’s not verifiable.

It is difficult to verify a vendor’s responses to a template or a questionnaire—because most vendors think that once they answer your initial questionnaire, their job is done. They don’t expect to spend the next eight months responding to additional questions based on your reactions to their answers—and that in and of itself is a major flaw with questionnaires. Your vendor’s responses remain unverifiable for the most part, so you simply must trust their answers. This has a name: “aspirational security.” In other words, you simply hope their responses are true.

For example, let’s say you ask your vendor about how frequently they train their employees on IT security policies, because you know that employees who have been properly trained are much more likely to avoid downloading malware that could affect your data. In their response, your vendor says that they are trained every quarter and give some details on the training. That answer may put your mind somewhat at ease—but do you actually have a way to verify this claim? The answer is likely no.

3. It’s not actionable.

Creating a vendor risk assessment template is only part of the job. The real work begins when your vendor completes the template and returns it to you. You then have to figure out how to turn their responses into actionable items. For example, if you ask about the kinds of cybersecurity policies in place within their organization and their response is insufficient, do you know what to do? Is there an agreed-upon course of action that both parties can take to remedy the problem? Remember that the template itself is useless without responses driving and furthering actions.

Keep in mind...

Having said all this, it is important to remember that vendor risk assessment templates and questionnaires aren’t useless! In fact, we think that they’re an important part of the IT risk assessment process. They can help you form an opinion of an organization’s security risk—and that’s worth something—but they cannot be the only thing you do. You have to incorporate more objective, verifiable, actionable data so your vendor risk management (VRM) process isn’t just about pushing papers, but instead about properly protecting your organization.