Vendor Onboarding Posts

Categories: Enterprise Security Questionnaires, Vendor Onboarding

The Questions that 96% of Enterprise Security Questionnaires Ask

We've talked frequently about what to expect on enterprise security questionnaires. When founders know what to anticipate on those types of questionnaires, they get a head start on preparing proactively. That preparation can make all the difference when it comes to persuading a large enterprise that a startup is mature enough to be relied upon for business critical operations.

But, a sticking point in those conversations between founders and enterprise compliance teams can be... well... compliance. Some compliance obligations are not ones that can be satisfied overnight; some take weeks or months (and occasionally years) to get right.

So, founders are especially wise to try to anticipate what compliance questions they might face in enterprise security questionnaires. With that information in hand, founders are equipped to go on the dual track that we most frequently recommend: preparing compensating controls until compliance can be fully achieved, while also beginning to pursue formal compliance (even if that takes a while). We see this very frequently with SOC 2: we often find that our clients are able to satisfy an IT compliance team by demonstrating sophistication on the types of controls that are often relevant to SOC 2, even if they don't yet officially have a clean SOC 2 report supplied by an auditor. When they do finally obtain the report, it further cements their credibility with the enterprise they are doing business with.

Categories: Enterprise Security Questionnaires, Vendor Onboarding

4 Common Tests Requested in a Vendor Security Assessment

When a founder-led business gets their first Vendor Security Assessment, it's a bittersweet moment. On the positive side, it usually means that the startup is being taken seriously by an enterprise -- often a prospective customer. On the negative side, a tough vendor security assessment often puts a startup on its heels as far as figuring out a way to acceptably answer the difficult questions therein.

One topic that comes up frequently is testing. Enterprises know that early-stage companies are often highly resource-constrained, and that raises the question of whether the product/solution has been tested in a way that gives confidence that the startup can deliver the way they say they will. From the enterprise's perspective, probing on testing practices is just a "common sense" way to get a sense for the maturity of the small business that they are considering working with.

But, what types of tests are startups being asked about, in a typical Vendor Security Assessment? We set out to answer precisely that question, by analyzing our internal archive of vendor security assessments, and here's what we found.

Categories: Enterprise Security Questionnaires, Vendor Onboarding

6 Old Fashioned Questions in Vendor Security Assessments

Vendor Security Assessments are slooooow to change. If there is one part of a large enterprise that has a thankless job, it's the IT compliance team that is charged with creating, revising, and reviewing vendor security assessment processes and forms. Make it too difficult, and business sponsors (buyers) across the company get upset that it takes too long to onboard their favorite new vendor. Make it too easy, and the enterprise takes on headline-grabbing cybersecurity risk that has wide-reaching regulatory and reputational impact.

So, in the face of these opposing pressures, what happens to an enterprise's vendor security assessment forms / questionnaires over time? In our observation, almost nothing. You heard that correctly: the vendor security assessments that a particular enterprise had in place 12 months ago are almost certainly what they have in place currently.

Categories: Enterprise Security Questionnaires, Infosec Training, Vendor Onboarding

Vendor Risk Assessments & Security Awareness Training

Before we get into the interplay between vendor risk assessment and security awareness training, let's get one thing out of the way right here at the top. There are bona fide, important, practical reasons why you absolutely should be doing security awareness training for your team regardless of whether a vendor risk assessment ever asks you to do so. It's a smart move either way.

However, as a company that specializes in working with founding teams, we know that sometimes an early-stage venture hits a growth stride so quickly that the forcing function (a vendor risk assessment) arrives faster than the intuitive thought of "we should probably be doing some security awareness training" -- and we certainly empathize with founders in that situation.

Categories: Cyber Security, Enterprise Security Questionnaires, Vendor Onboarding

Vendor Risk Assessments & Hidden Recurring Commitments

When founding teams find a way to survive their first vendor risk assessment -- usually on the tail end of making their first enterprise sale -- it's a moment that calls for celebration. At Havoc Shield, one of the absolute best moments for us is when a client calls us back and says "with your help, we made it through that security questionnaire" -- it's a celebration on our end too! But, is the end of a vendor risk assessment the final chapter in the vetting that the startup will face from their new enterprise customer? In a word, no. We'll explore below.

Categories: Cyber Security, Infosec Policies, Vendor Onboarding

The #1 Policy Request in a Vendor Risk Assessment

We recently dug through 100+ vendor risk assessment templates and released some of our initial findings. We're motivated to understand the prevailing norms in these types of assessments/questionnaires because our clients tend to find themselves on the receiving end of these types of documents on a frequent basis. When we can do a great job of helping our clients predict what security questions are likely to arise, it helps our clients prioritize which security controls to push closer to the top of the prioritization stack. One of the topics that is almost always covered in vendor risk assessments is the matter of infosec policies and infosec plans. 88% of the vendor risk assessments in our analysis contained questions about plans and policies.

Categories: Cyber Security, Enterprise Security Questionnaires, Remote Work, SOC 2, Vendor Onboarding, WFH Cybersecurity

9 Small Business Cybersecurity Wakeup Calls for Founders

Every day we talk with startup founders about small business cybersecurity. Although we'd love to speak with founders that spontaneously decided to "do more" about cybersecurity, our conversations usually start very differently than that.

Most often, there is a very specific and urgent cybersecurity-related need at hand. And an urgent call to our team for help thinking it through. We're happy to help -- not a problem! However, for the benefit of founders that haven't yet hit one of those moments, here's what folks a few steps ahead of you are running into. We're glad to help with these more proactively if you'd like, to save a hectic scramble later.

Categories: Enterprise Security Questionnaires, Vendor Onboarding

Compensating Controls and Campfires

Far too many vendor onboarding processes -- especially those that don't leave room for compensating controls -- feel like they are destined to be combative from the start. In the typical storyline, a tiny company is working feverishly to sell its products or services to an enterprise, and after gaining the support of the "sponsor" (business decision maker), the vendor onboarding process kicks into action. The only problem? It often involves dozens-to-hundreds of nuanced cybersecurity questions that the tiny company is ill-equipped to answer. And that puts in jeopardy all of the good work that the small business and the enterprise could do together -- because the path to collaboration starts by running the gauntlet of the vendor onboarding process. And that process is far from guaranteed to lead to approval.

Categories: Cyber Security, Vendor Onboarding

Vendor Risk Management & Nobody Gets Fired for Hiring IBM

Ever hear the famous saying about vendor risk management? "Nobody ever gets fired for hiring IBM."  

We don't hear this saying as much as we used to a few years ago, but the concept is still a thought provoking one -- especially for those of us that spend time in the vendor risk management arena.  And it applies far beyond the specific company cited in the saying.  Here's why it's worth reflecting on this saying today.
