Adding an IT Security Assessment Gate that Busy Relationship Owners Will Actually Follow


Dear Chief Compliance Officer,

Who in your organization is managing the IT Security Assessment process? Do you worry if relationship owners are following the process?

Remember, the goal of any Vendor Management Program is to help your organization make an informed decision about partnering with a vendor. The goal of the IT Security Assessment gate is to verify that the vendor has adequate IT security controls.

We at CyberSecurityBase are rockstars in this area. We support our clients on either end of the IT Security Assessment process. In order to do this well, we need to establish rapport with relationship owners. It took years (and mistakes) to learn this important lesson.

Relationship owners are those folks in your organization who own relationships with vendors/partners to meet company goals. When they find that promising partner, they want to move quickly, solve that problem, and move on to the next one. Like you, relationship owners are busy and juggling multiple priorities. When they are ready to move forward with a vendor, they may feel tempted to undercut the process and sign the agreement. If they do the right thing and engage with the Legal or Compliance team, they will often cringe, because they don’t know how long the due diligence process will take. Relationship owners want a fast and smooth process, but they know that there will be a number of steps to follow, questionnaire responses to go hunt, and redlines to shuffle back and forth. And if your organization hasn’t quite yet stood up that IT security assessment gate, just know that when you do, it will certainly prolong the vendor due diligence process.

So, how do you stand up an IT security assessment gate that busy relationship owners will actually follow? We have done this many times, and when we do it, we focus on 3 areas:

  • Integrate the gate into the existing vendor due diligence process. Humans feel comfortable with what is familiar. I promise you that the IT security assessment process will be smoother if you add 1 step to an existing process versus adding 10 new steps and a new tool on top of that. This approach of adding 1 step to the existing process sets up the team for success, as it creates a quick win and positions you to mature the process over time. Doing it the other way is a common approach that typically creates unnecessary distractions (and frustration) for everyone involved in the process.
  • Start with basic information gathering. Any good due diligence process requires gathering information. An IT security assessment is no different. However, there is no need to slap a vendor with a generic “security questionnaire” filled with 100 generic questions. Information gathering needs to be targeted. We recommend starting with 10 questions to help you determine if a deeper review is needed. (We wrote an extensive article on why these long generic security questionnaires are not a good use of resources, if you want to read that next.)
  • Go deep only when you need to. The common approach to IT security assessments calls for performing a deep security review for all vendors. This is probably the fastest way to burn through resources, lose trust with relationship owners, and lose cooperation with the vendor team. When a relationship owner comes to us about a vendor needing an IT security assessment, we ask, “What data are you looking to share with the vendor?” Our favorite response is to be able to say “Oh, we don’t need an IT security assessment for that vendor, and this is why” or “You know, if you make these adjustments, you can skip the IT security assessment step altogether.” The reaction we see is priceless. Their face immediately relaxes, usually followed by a smile, knowing that they have one less thing to worry about. There will be vendors that absolutely require a deeper IT security assessment, and those certainly require time and critical thinking.

Once your team is ready to add an IT Security Assessment gate to your Vendor Management Program, keep these 3 areas in mind. If you do, I promise you that it will save you resources down the road and set you up for success.

CyberSecurityBase serves clients that need help with their backlog of third-party vendor IT security assessments. Should you need outside help in this area, visit our Contact Us page and send us an email or book a time for a call. We look forward to hearing from you.

Rocio Baeza

An information security compliance professional specializing in the FinTech space. She has over 12 years of experience in the online payday lending industry and tech startup culture. Rocio enjoys listening to podcasts and bicycling with her family.