Security Assessments: Waste of Time or Worth It?
It’s the million-dollar question: is the juice from security assessments worth the squeeze?
We all know third-party security assessments take a lot of time and significant human resources. And after you finish an assessment, should you be making decisions based on what could be faulty data?
Given these factors, is it even worth it?
We sat down with two people from opposite ends of the assessment dynamic to get both the vendor's and the customer's perspectives: David Wilson, Director of Compliance Assurance at ACI Worldwide, and Denise Flory, Director of Cybersecurity Risk at Verizon. David Wilson leads the team that completes assessments for ACI Worldwide, and Denise Flory is responsible for managing Verizon's vendor risk program. Peter Finter, CMO of CyberGRX, moderated the discussion to make sure both perspectives came through loud and clear.
Common Security Assessment Challenges
Evaluating the security posture of a vendor involves challenges for both the customer and the third party. While the challenges risk assessments present are unique to each company, there are some common themes. First, we highlight the pain points of the customer: the organization tasked with evaluating third-party risk.
The Quality of Assessment Data Varies
Assessment information can vary in accuracy and depth. As Denise explained, one of the biggest challenges is the quality of the data and validating it. While everyone who answers a questionnaire is trying to provide good responses, some people, such as sales personnel, may not have the knowledge they need to supply helpful answers.
How to Handle Non-responsive Vendors
Sometimes, for whatever reason, a vendor doesn’t respond to your assessment request. Then what? How do you handle non-responsive vendors who are critical to your business process?
Denise advised that if a vendor does not respond to the assessment request, the company may have to follow up. Generally, if the third party wants to do business with the company, it finds a way to provide the assessment data requested. But this may also require a back-and-forth discussion covering not just the data the company is asking for, but a justification from the vendor as to why it is not complying with the request.
High Assessment Volume
An organization can have thousands of active vendors requiring hundreds of assessments each year. Verizon is no exception, with 6,000 vendors and 600-700 of them assessed every year. The sheer volume of assessments can become a time sink for both the company and the vendors it assesses, and it will only grow as more third parties are added each year.
The Vendor's Challenges and Pain Points
An assessment can be as simple as a document request, where the company asks a potential partner to answer some questions. At the same time, it can also “be a multi-day, in-person, SME, interview-based audit,” explained David. On top of that, a vendor can be asked to complete 350 to 600 assessments per year, consuming substantial resources. In addition to the extra workload, vendors have to tackle other challenges during the assessment process.
Misalignment with Assessment Work That’s Already Been Done
The assessment process is rarely linear, and for that reason, David stresses the importance of collaboration between a customer and vendor. Oftentimes, a company may send a questionnaire or an audit request that reflects a very different business model than what the vendor has prepared. In this situation, “much of the hard work the vendor has put into documenting their security and risk factors goes out the window because they have to cater to the parameters of that particular assessment request,” commented David.
As David puts it, this can be a significant challenge. “When we find we’re not aligned with our customers, this can bring everything to a grinding halt.” (Read: it slows down the assessment process for both the vendor and the customer.) Therefore, it’s important to make sure the vendor and customer are speaking the same language so they can effectively collaborate throughout the evaluation process.
Redundant and Extraneous Questions
From the perspective of the vendor, many of the questions they get asked have already been covered in the risk profile package they’ve provided. And, at times, there may be questions asked that don’t even apply to the services the vendor provides.
To prevent these issues, the company and the vendor need to decide on the scope of the assessment upfront. By doing this, they can ensure that all questions are both necessary and applicable to the services provided.
David also reports that 90% of customer questions are either the same or a variation on a theme, which makes a strong case for standardized assessments that can be shared quickly with multiple companies to reduce the redundancy.
The Role Assessment Completion Plays in the Sales Process
At least some form of assessment is part of the sales lifecycle, and every organization manages this differently. For example, some teams provide assessment data after the sale, working to demonstrate compliance with existing customers. At the same time, they may have a different team that handles presale assessments. The result, in this kind of arrangement, is a shared knowledge base of answers that different sales stakeholders can benefit from. As is the case with ACI Worldwide, the assessment is part of the pre-sales process and can also come as a deeper dive post-contract signing, and the teams may not be the same.
A Collaborative Process
Despite approaching assessments from two different perspectives, both Denise and David underscored the importance of collaboration during the assessment lifecycle. In this way, the vendor and customer can share information to gain an understanding of which data security issues will impact their business relationship. Collaboration also allows the vendor to explain how their security measures protect that particular company's data. Also, since different companies use a vendor's services in unique ways, collaboration can clarify how both parties' security tools can work together to safeguard specific workflows.
Is the Assessment Process Producing Meaningful Results?
An organization takes everything it has learned about a vendor and then “frames a risk profile around that vendor, identifying any cybersecurity gaps that may exist in their services or products.” This data is then presented to decision-makers along with an explanation of the risk profile. In many cases, the assessment begins an ongoing interaction around risk. For instance, as Denise outlined, a company may identify gaps and then “take three to six months to address them.”
So are risk assessments worth it or a waste of time? We asked our audience and 91% said they are worth the time and effort.
Overall, assessment data ends up being a piece of the puzzle risk teams have to assemble as they determine which vendors to do business with and how. In addition to figuring out how the answers may impact the company’s decision, security practitioners also have to ascertain how accurate the answers are.
Is assessment data reliable?
Can we trust the assessment information coming in? “Yes and no,” answered Denise. “A company’s only going to let you see so far inside when it comes to their practices and what they have in place.” So while an assessment provides useful data, it is not entirely reliable on its own. To balance out questionnaire answers, look at the entity's overall security practices for protecting the data it holds, and weigh self-reported responses against whatever evidence the vendor can produce to back them up.
Security Assessments to Demonstrate Program Maturity
Vendors, such as ACI Worldwide, recognize the importance of the assessment process, especially when it comes to highly regulated business sectors, such as the financial industry.
In an attempt to help customers understand the security measures they're taking, vendors focus on supplying information about the various controls they have in place. This may include regulation-specific evidence, such as their Attestation of Compliance (AOC) documentation for the Payment Card Industry Data Security Standard (PCI DSS). “We’ll be as transparent as we can be,” says David. “The security assessment process is an opportunity for us to demonstrate the ongoing maturity of our risk management program.”
The Role of an Exchange in the Assessment Process
With a risk exchange platform such as CyberGRX, companies can get valuable risk data, and vendors can save a lot of time. For instance, instead of a vendor investing time in answering hundreds of extensive (and redundant) questionnaires a year, a CyberGRX standardized assessment, once shared, is accepted by the customer 7 out of 10 times. As a result, both the vendor and the customer have assessment information sooner and can begin discussions around the findings.
What does the future hold for risk management?
“Assessments aren’t going away,” says Denise, “but should be supplemented with additional data, analytics, and a continuous monitoring framework.” David agreed that assessments are necessary and a key component of risk management. “You can’t take out the human element entirely, but automation and AI can help the security assessment process to be more efficient. Above all, collaboration between both parties is essential,” David concluded.
CyberGRX’s Exchange is the industry’s first and largest third-party exchange, saving third parties time completing assessments and giving customers confidence in the data they are receiving. By mapping assessment data against industry or custom frameworks, you’ll get immediate and actionable insights. Our objective is to help you pinpoint, measure, and prioritize your risk, so you can plan accordingly and sleep soundly. To learn more, we invite you to book a personalized demo.