Light Dark
July 12, 2018 By Kevin Beaver 3 min read
Risk Management
CISO

It’s such a great feeling to check a box on your vendor security checklist. You establish a relationship with a third party — check! You meet another regulatory requirement — check! Once you’ve marked down every item and an audit turns up a clean report, the sales deal is done.

All parties involved can then go merrily on their way… until a malicious actor uncovers a security flaw that was overlooked amid all the handshakes and paperwork that went into the deal.

This security approach is especially prevalent in vendor management: One side says all is well — and the other takes this claim at face value without vetting it. This approach is not good for security, and it’s certainly not good for business.

Navigate Common Vendor Security Roadblocks

The most common (and dangerous) approach to vendor security happens when a company asks a third party for a copy of its latest vulnerability assessment or security operations center (SOC) audit report. Many people go through the motions to obtain these reports and check the box without considering how both documented and undocumented issues truly impact security.

In some cases, people are willing to look the other way or make dangerous assumptions — they’ve got to keep the business going, after all. Then, there’s the reality beyond the report. Clean reports, especially around SOC audits, are common. If there are any findings, it’s often an administrative issue related to user account management or data backups, but nothing of real substance that’s going to facilitate an incident or breach.

It’s also common for vendors to provide more in-depth vulnerability and penetration testing reports that are clean (or, at least, have minimal areas of concern). These reports are often based on network vulnerability scans that do not look at the entire IT environment — not an in-depth web application analysis.

When presented with these reports, it’s easy to overlook things like missing patches on workstations, SQL injections on web applications and misconfigured guest wireless networks. Instead of acknowledging these patch-management and security-awareness gaps, many business leaders just move on to the next big thing and sweep security under the rug.

When Talking Security, Don’t Beat Around the Bush

When it comes to security, there’s often a lack of ongoing involvement and oversight. It’s obviously important to keep the business running, but too many decision-makers assume security controls are sufficient to counter cyberattacks simply because someone else told them so.

It’s good to maintain a positive relationship with your vendors, but not at the expense of long-term cybersecurity.

It’s similar to a doctor giving a patient a clean bill of health even though he or she is masking symptoms with medication. Although the bloodwork may look good, the patient is bound to have long-term health problems unless he or she makes better lifestyle choices. Many security programs follow the same path — especially when it comes to vendor management — and it’s a recipe for an unsustainable outlay of data breaches.

Part of the challenge is that people are sometimes afraid to ask questions. They want to appear professional and nice, and this often causes them to gloss over uncomfortable subjects — namely, security. It’s good to maintain a positive relationship with your vendors, but not at the expense of long-term cybersecurity. This seems simple on the surface, but when organizational politics and high-value business deals are involved, everything gets more complicated.

Adopt a Trust-But-Verify Approach to Vendor Management

Vendor management is a hot topic today — and one that many enterprises struggle with. It doesn’t have to be terribly complicated, but it does have to be near the top of your information security program priorities. While it’s important to do right by your vendors, it’s more crucial to do what’s best for your business. That means looking beyond the paperwork, basic vulnerability checks and blind faith that the company is secure simply because someone else said so.

The best way to handle vendor security is through the old-school approach of trust but verify. Talk is cheap — and people are expedient, especially when big business deals are on the line. Try to step back and see through all the talk to truly understand what your vendors are doing.

When the going gets rough and the lawyers get involved, that’s the only defensible strategy.

Listen to the complete podcast series: Take Back Control of Your Cybersecurity now

 |  |  |  |  |  | 
Kevin Beaver
Independent Information Security Consultant

More from Risk Management
January 24, 2025

How cyberattacks on grocery stores could threaten food security

4 min read - Grocery store shoppers at many chains recently ran into an unwelcome surprise: empty shelves and delayed prescriptions. In early November, Ahold Delhaize USA was the victim of a cyberattack that significantly disrupted operations at more than 2,000 stores, including Hannaford, Food Lion and Stop and Shop. Specific details of the nature of the attack have not yet been publicly released.Because the attack affected many digital systems, some stores were not able to accept credit/debit cards, while others had to shut…

January 23, 2025

Taking the fight to the enemy: Cyber persistence strategy gains momentum

4 min read - The nature of cyber warfare has evolved rapidly over the last decade, forcing the world’s governments and industries to reimagine their cybersecurity strategies. While deterrence and reactive defenses once dominated the conversation, the emergence of cyber persistence — actively hunting down threats before they materialize — has become the new frontier. This shift, spearheaded by the United States and rapidly adopted by its allies, highlights the realization that defense alone is no longer enough to secure cyberspace.The momentum behind this…

January 21, 2025

Are attackers already embedded in U.S. critical infrastructure networks?

4 min read - The threat of cyberattacks against critical infrastructure in the United States has evolved beyond data theft and espionage. Intruders are already entrenched in the nation’s most vital systems, waiting to unleash attacks. For instance, CISA has raised alarms about Volt Typhoon, a state-sponsored hacking group that has infiltrated critical infrastructure networks. Their goal? To establish a foothold and prepare for potentially crippling attacks that could disrupt essential services across the nation.Volt Typhoon embodies a threat far beyond everyday cyber crime.…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2025 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature