Risk Grading for Enterprise Compliance Directors
September 25, 2020
This blog is usually written with the small business audience in mind. We usually post about cybersecurity topics that we believe will be useful to small business owners, small business CTOs, small business IT directors, etc. Today is different. Today, we'd like to speak to Enterprise Compliance Directors -- about their relationship with small businesses.
If you've been on either side of that relationship -- as the small business selling a product/service to an enterprise, or as the enterprise compliance director onboarding that small business -- there is a good chance that this post will bring back some memories/nightmares. Why? Because small businesses going through a vendor onboarding process with an enterprise usually do NOT ace the enterprise security questionnaire. And that can lead to rushed/haphazard remediation, negotiation about which items are really the most important, promises about improved cybersecurity efforts to come, etc.
There is a lot that is broken about the way that small businesses and enterprises interact when they are navigating a vendor onboarding process together. But one of the most strategic-level things that is going wrong starts all the way up at something called "risk grading" -- let's explore.
What is Risk Grading?
What would you say if I told you that there is an enterprise organization that put a payroll provider through the exact same enterprise security questionnaire as an employee training vendor? After all, they are both HR-ish vendors, and both are becoming new vendors for the enterprise at the same time. So what's wrong with that?
Everything. Everything is wrong about that.
A payroll provider almost certainly handles highly sensitive employee bank account information, company bank account information, and authorizations to move funds around, in addition to W-2 information, 1099 information, employee addresses, etc. In comparison, what kind of sensitive information from the company does the employee training vendor handle? Quite possibly, nothing at all. There are many employee training vendors that primarily take the role of a presenter, and don't get access to confidential information held by the company.
So why should these two vendors be held to the same enterprise security questionnaire evaluation? The answer is: they shouldn't.
Risk Grading Factors
Although we'll be posting much more about this topic in the future, we'd like to whet your appetite for some of the questions that -- if asked to vendors during onboarding -- could dramatically (and objectively!) impact your perspective on the risks that the enterprise bears by working with them. Here's a start:
- Do they receive confidential information from the company?
- Do they manage any confidential information for the company?
- Does their solution have any special internal access to company networks or servers?
- Does their service relate in any way to the company's finances?
- Does their service relate in any way to the company's personnel records?
- Does the vendor receive access to any trade secrets?
- Does the vendor receive access to any intellectual property that is likely to be patented in the future?
- Do they interact with employees in any manner that does not leave behind a log or audit trail?
- What's the size of the financial commitment from the company to the vendor - $100? $10,000? $1,000,000?
- Does the proposed agreement with the vendor have a mechanism to limit the enterprise's liability? Does it limit the vendor's liability?
- Do the vendor and/or the vendor's employees also do any work for any of the company's competitors?
- Do they physically access the company's facilities?
Hopefully the above list further illuminates some of the reasons why different vendors merit different perspectives around their risk levels, and why those different risk levels should (appropriately) lead to different cybersecurity diligence. That could take the form, for example, of multiple versions of an enterprise security questionnaire where certain vendors are required to complete it in its entirety, whereas others are only required to complete certain subsets.
Evaluation of Cybersecurity Posture
We're not necessarily against asking vendors a superset of the questions that are appropriate for their risk level. For example, if you wanted to ask every vendor if they've received an unqualified SOC 2 Type II opinion -- that could be fine. Answering that question (with a Yes or a No) wouldn't seem to be a big burden on any vendor. However, to the extent that a "No" on that question leads to further clarifying questions, the low-risk vendors might get a much simpler path than the high-risk vendors.
So, there's the question of what questions you pose, and also the question of what conditional ramifications exist if a particular vendor cannot favorably answer the question at hand. One note of caution: in order to take special care to encourage truth-telling, it would be good to be transparent about the fact that most of the questions are not outright qualifiers/disqualifiers, but that the analysis of the vendor's risk profile is holistic, based on the entire content of the questionnaire (presuming that is indeed the case).
Wrapping Up: Enterprise Compliance Directors
Risk grading -- when done well -- should be a net positive for all stakeholders. Vendors should love it, because they get vetted at a level that is appropriate for their product/services. Folks in the enterprise compliance director role should love it -- because it gets rid of the unreasonable "one-size-fits-all" approach that creates frustration on all ends (and candidly, the enterprise compliance team tends to become the target of that frustration). And lastly, the business sponsor that is the champion of onboarding the particular vendor should enjoy an improved time-to-onboard, in terms of how long it takes to get a new vendor fully approved. With that in mind, risk grading really should be an emerging topic for all enterprise compliance directors. More soon, on how Havoc Shield will play a big role in empowering organizations to do this well.