Compensating Controls and Campfires
October 19, 2020
Far too many vendor onboarding processes -- especially those that don't leave room for compensating controls -- feel like they are destined to be combative from the start. In the typical storyline, a tiny company is working feverishly to sell its products or services to an enterprise, and after gaining the support of the "sponsor" (business decision maker), the vendor onboarding process kicks into action. The only problem? It often involves dozens-to-hundreds of nuanced cybersecurity questions that the tiny company is ill-equipped to answer. And that puts in jeopardy all of the good work that the small business and the enterprise could do together -- because the path to collaboration starts by running the gauntlet of the vendor onboarding process. And that process is far from guaranteed to lead to approval.
If you came here to learn what compensating controls have to do with campfires, we've got that answer too, but we'll save that for a little later in the article.
Classifying the Most Difficult Questions
Setting aside the questions where the small business is able to affirmatively and confidently state that they are compliant in the area probed by the question, here is how we "bucket" all of the other questions.
- Known Status - Non-compliant: the small business understands the question, but does not have the process, system, or policy that the question implies to be required (Q: "Have you received an unqualified SOC 2 Type II opinion in the past 12 months?"; A: "No")
- Unknown Status: the small business understands the question, but does not know whether they are or are not in compliance (Q: "Is your website WCAG 2.1 AA compliant?"; A: "Our web design is intended to be compatible with screen readers and other accessibility tools, and therefore we are comfortable submitting to any WCAG 2.1 AA testing that you desire, but we do not have any pre-existing WCAG 2.1 AA testing results.")
- Question Not Understood: the small business does not have personnel familiar with the terminology or nature of the question and therefore is not sure how best to answer it (Q: "Does your website employ a signature-based IDS?")
Stakeholders on both sides of the conversation can relate to these buckets. If you've been on the vendor side, trying to work through answering a lengthy security questionnaire, you know they can create a high degree of anxiety. If you've been on the enterprise/buying side of the equation, you know it doesn't look good when a security questionnaire comes back with a large number of problematic responses. No one wants the vendor onboarding process to lead to an impasse, but sometimes it is difficult (for both sides) to see a way through to the finish line.
Navigating Questions when the Answer Isn't "Yes"
We (Havoc Shield) have strong opinions about how small businesses and enterprises can (together) navigate these "problem questions" in a way that gets to a good outcome for both organizations. But, for today's purposes, we're going to focus specifically on items that are in bucket #1. Those are cases where the enterprise has asked a clear question, the small business understands the question, and the small business (unfortunately) knows that they are not compliant with the topic raised by the question.
Before we get into our advice (for both sides), let's get real about what often happens in this situation. A story told all too frequently is that an enterprise's questions are intimidating and anxiety-inducing for the small business, and that the small business feels obligated to comply with the question as stated. In reality, there might be a wide variety of other possible ways to satisfy the question, but those "other ways" are often less-than-clear to the small business (and sometimes less-than-clear to the enterprise). They are called Compensating Controls.
Compensating Controls and Campfires
To understand compensating controls, let's step waaaay back. Let's not even talk about technology. Let's say that you are lighting a fire in a backyard (or park) fire pit and you've realized (against your preferences) that you don't have a fire extinguisher nearby (you prefer to be sure that you've got a plan in case something gets unexpectedly out of control). What controls can you have in place, to compensate for that deficiency?
Well, you could have a bucket of water nearby. You might be able to pull a garden hose nearby. You might have a grate that you can put over the fire that catches some of the embers that might otherwise fly away. You might avoid using paper or cardboard during the firestarting process, since bits of ignited paper or cardboard can sometimes fly out of the pit. You might even bring baking soda (borrowing from the age-old kitchen advice for putting out a fire). You might carefully limit the amount and type of wood that you put into the fire, to keep it small. You get the idea.
My bet is that with these or other compensating controls, you'll succeed at having a safe and enjoyable campfire even though you are missing your preferred safety control.
Compensating Controls for Enterprise Security Questions
Let's come back to technology land, now. Suppose that one of the questions that the vendor is having difficulty answering, is:
"Do you enforce the use of encryption at rest via group policy?"
To an IT systems administrator, this question has a very specific meaning. Most would interpret it as requiring the company to have a Group Policy (with the help of Active Directory) enforcing the use of BitLocker on all company computers. But what if you don't have that set up? Moreover, what if you don't even have Active Directory set up at all, and have no Group Policies? There may still be a way through. What if you implemented one or more of the following compensating controls:
- All company laptops are provisioned by IT personnel following documented steps that include enabling BitLocker encryption.
- Company laptops have a device management agent pre-installed prior to employee use, which allows the company to monitor local settings including the status of BitLocker encryption.
- Company laptops are only used to "remote in" to virtual machines in the cloud; each such virtual machine has BitLocker encryption enabled.
- The company agrees to supply screenshots demonstrating that BitLocker encryption is turned on for each of the three individuals working on the project that relates to the enterprise agreement.
These are all reasonable compensating controls that mitigate some of the risk associated with not being in compliance with the specific question posed by the enterprise. Are these compensating controls enough to satisfy both parties? That's situation-specific. However, these compensating controls are examples of ways to advance the conversation beyond the binary question of whether the small business can answer "Yes" to the specific originally-stated question.
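As an added example (not from the original post), here is a PowerShell script that implements the evidence side of the second and fourth controls above: it reports the BitLocker protection status of each fixed volume and writes a timestamped record that a device management agent can collect, or that the vendor can hand over in place of screenshots. It assumes a Windows host with the BitLocker PowerShell module and an elevated session; the function name and output file name are my own.

```powershell
# Added example: collect BitLocker status as vendor-onboarding evidence.
# Assumes Windows 10/11 or Windows Server with the BitLocker module,
# run from an elevated PowerShell session (Get-BitLockerVolume needs admin).

function Get-BitLockerEvidence {
    [CmdletBinding()]
    param(
        # Volume types to check; OperatingSystem and Data cover local fixed drives.
        [string[]]$VolumeTypes = @('OperatingSystem', 'Data')
    )

    $volumes = Get-BitLockerVolume | Where-Object { $_.VolumeType -in $VolumeTypes }

    foreach ($v in $volumes) {
        [pscustomobject]@{
            Hostname          = $env:COMPUTERNAME
            MountPoint        = $v.MountPoint
            VolumeType        = $v.VolumeType
            ProtectionStatus  = $v.ProtectionStatus      # On / Off
            EncryptionPercent = $v.EncryptionPercentage
            EncryptionMethod  = $v.EncryptionMethod
            KeyProtectors     = ($v.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ','
            # "Compliant" here means protection is on AND encryption has finished;
            # a drive still at 60% encrypted is not yet protecting data at rest.
            Compliant         = ($v.ProtectionStatus -eq 'On' -and $v.EncryptionPercentage -eq 100)
            CollectedUtc      = (Get-Date).ToUniversalTime().ToString('o')
        }
    }
}

$report = Get-BitLockerEvidence
$report | Format-Table -AutoSize

# Timestamped evidence file the vendor can supply to the enterprise.
$report | ConvertTo-Json | Set-Content -Path "$env:COMPUTERNAME-bitlocker-evidence.json"

# Non-zero exit if any fixed volume is unprotected, so a device management
# agent running this on a schedule can flag the laptop for follow-up.
if ($report | Where-Object { -not $_.Compliant }) { exit 1 } else { exit 0 }
```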
Wrapping Up: Compensating Controls
We think that compensating controls are the path to take an anxiety-filled process and turn it into a more collaborative one where both parties work together to find a satisfactory way through the process. We work with stakeholders on both sides of the conversation -- if you are a small business struggling through a questionnaire, or an enterprise dissatisfied with the rigidity of your questionnaire -- either way, we're here to help.