What's Broken about Enterprise Security Questionnaires
October 06, 2020
Cyber Security | Enterprise Security Questionnaire
Normally we put all of our focus on helping small businesses with cybersecurity, but today we're here to talk with enterprise compliance teams about their enterprise security questions.
Bad news: almost all of the questions we've seen are broken. Good news: they are fixable. Let's explore.
When a small business is on the cusp of closing out an enterprise sale, that is a big deal to the whole small business. It's high stakes for them. They'd be willing to hop over just about any hurdle you ask them to. But what if there are 200 different hurdles, some of which matter a ton, others don't matter much at all, and all of the hurdle heights are obscured? Sound hard? It is. Here's what's broken about enterprise security questions.
1. Irrelevant Questions Cause Misplaced Effort
Suppose you (the enterprise compliance team) are vetting a small business that supplies sales leads to your sales team. The supplier handles the process of searching various databases, doing additional primary research about the leads, and delivering a list of promising sales leads to your organization. Geeking out for just a moment here, suppose the vendor's workflow primarily involves data flowing into your enterprise (from the vendor), with very little if any data flowing out of your enterprise (to the vendor).
What's the more relevant enterprise security question for the small business to really make sure they have a great plan for?
- Will personally identifiable information disclosed by enterprise to vendor be stored on single-tenant or multi-tenant infrastructure, and what intrusion detection systems exist on the perimeter of the infrastructure?
- How do you ensure that any information you convey to the enterprise is licensed from data sources that allow unlimited usage by the enterprise?
Let's review the small business vendor's situation: they are responsible for relaying information into the enterprise, and they receive almost no data flow out of the enterprise. With that fact alone, you know that question #1 could send the small business into a scramble to mitigate a problem that doesn't exist. It is not a stretch at all to imagine a small business reading question #1, assuming that the question must be answered favorably to obtain approval, and scrambling to implement a single-tenant system with its own intrusion detection system. All of which provides little or no value to the enterprise in this hypothetical scenario.
Question #2, though, is vital to the arrangement at hand. If the vendor is supplying sales leads to the enterprise, it's essential that the vendor be able to track the data usage rights they are able to commit to providing -- given that the vendor may be sourcing the data from a variety of sources, each with its own unique licensing terms.
2. The "Thud Factor" Creates Friction
How do you feel when you ask a colleague for a report on a particular topic, and what comes back is the most thorough, well-assembled, detailed analysis you could have ever imagined? You open it and it not only answers the five questions you had, but also the ten questions you didn't think to ask. It's a terrific feeling. The "thud" of that lengthy analysis landing (well, virtually) is a wonderful preamble to you feeling more than prepared on the topic.
Now let's talk about a different "thud factor" -- the moment that a short-staffed small business receives 300 enterprise security questions in an intricately formatted spreadsheet. Without specialists on staff in many of the covered areas, even the first tab of the spreadsheet contains questions they don't understand, and that's without tabbing through the other 10 sections. It's immediately overwhelming. It's like dropping a 1000 page contract on a new paralegal. It's like handing an AP Calculus test to a middle school geometry student. It's like handing a Fortune 500 company's tax return to a small business tax preparer for audit. Translation: it's overwhelming. In a bad way.
Filtering enterprise security questions for relevancy (preferably using risk-grading) is the best practice for avoiding the really unpleasant "thud factor" that is otherwise a sour start to what could be an outstanding vendor relationship.
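As an added illustration (not code from the original post or from its authors) of the relevancy filtering and risk-grading described in sections 1 and 2, the following Python sketch tags each question with the engagement facts under which it applies (data flowing into the enterprise, data flowing out, PII reaching the vendor) and a risk grade, then issues only the questions whose conditions hold, highest risk first. The question bank, the tag names, the 1-5 risk scale and the engagement profiles are all constructed assumptions for the example; a real program would draw them from the enterprise's own vendor risk model.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Question:
    qid: str
    text: str
    risk: int                          # 1 (low) .. 5 (high); constructed scale
    requires: frozenset = frozenset()  # engagement facts that must ALL hold


@dataclass(frozen=True)
class Engagement:
    data_out_of_enterprise: bool  # enterprise sends the vendor its data
    data_into_enterprise: bool    # vendor delivers data to the enterprise
    pii_to_vendor: bool           # enterprise PII reaches the vendor

    def facts(self) -> frozenset:
        """Translate the engagement profile into the tags questions key on."""
        tags = set()
        if self.data_out_of_enterprise:
            tags.add("data_out")
        if self.data_into_enterprise:
            tags.add("data_in")
        if self.pii_to_vendor:
            tags.add("pii_out")
        return frozenset(tags)


# Constructed question bank: the first two paraphrase the post's example
# questions, the rest are generic. Tags and grades are illustrative.
QUESTION_BANK = (
    Question("Q-TENANCY", "Is enterprise PII stored on single- or multi-tenant "
             "infrastructure, and what IDS covers its perimeter?",
             risk=4, requires=frozenset({"pii_out"})),
    Question("Q-LICENSE", "Are the data sources you deliver to us licensed for "
             "unlimited enterprise use?", risk=5, requires=frozenset({"data_in"})),
    Question("Q-TRANSIT", "Is enterprise data encrypted in transit to you?",
             risk=4, requires=frozenset({"data_out"})),
    Question("Q-DELETE", "How is enterprise data deleted at contract end?",
             risk=3, requires=frozenset({"data_out"})),
    Question("Q-INCIDENT", "How quickly will you notify us of a security "
             "incident affecting this engagement?", risk=3),
    Question("Q-PROVENANCE", "Can you show where each delivered record came from?",
             risk=2, requires=frozenset({"data_in"})),
)


def relevant_questions(bank, engagement, min_risk=1):
    """Return the questions whose conditions hold for this engagement,
    dropping anything below min_risk, ordered highest risk first."""
    facts = engagement.facts()
    picked = [q for q in bank if q.requires <= facts and q.risk >= min_risk]
    return sorted(picked, key=lambda q: (-q.risk, q.qid))


def question_ids(bank, engagement, min_risk=1):
    return [q.qid for q in relevant_questions(bank, engagement, min_risk)]


if __name__ == "__main__":
    # The post's scenario: a sales-lead supplier pushes data in, receives none.
    lead_supplier = Engagement(data_out_of_enterprise=False,
                               data_into_enterprise=True, pii_to_vendor=False)
    for q in relevant_questions(QUESTION_BANK, lead_supplier):
        print(f"[risk {q.risk}] {q.qid}: {q.text}")
```

For the lead-supplier profile the tenancy/IDS question never reaches the vendor because no enterprise PII flows out, while the licensing question lands at the top of the list; raising `min_risk` is the knob that trims a 300-question bank down to the subset worth a short-staffed vendor's attention.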
3. Low-Tech Excel Versioning
Which version of the enterprise security questions did the new vendor most recently send? Was it Responses - Section 1 2 and 7.xlsx? Was it Responses - Preliminary with Clarifying Questions.xlsx? Was it Responses - Final 10.07.2020 - edited.xlsx? Maybe Responses - Final 10.07.2020 - Edited 10.09.2020.xlsx?
None of the manual versioning or email attachment juggling is any fun for either side. A modern web interface allowing real-time edits and submissions would beat the Excel approach any day.
Enterprise Security Questions: Wrapping Up
Both sides know that enterprise security questions are necessary. There is no getting around the idea that enterprises need to vet small businesses before pulling them in close as a vendor. That's all fine and expected.
However, when questions that are not contextually relevant to the relationship distract from ones that are, when the "thud factor" of an overwhelming question set arrives, or when Excel versioning adds unnecessary friction... both sides are worse off. Enterprise compliance teams: do any of these problems sound familiar in your process? Drop us a line; we'll be glad to help transform your enterprise security questionnaire into a modern process.