Vendor Onboarding Posts

We've talked frequently about what to expect on enterprise security questionnaires. When founders know what to anticipate on those types of questionnaires, they get a head start on preparing proactively. That preparation can make all the difference when it comes to persuading a large enterprise that a startup is mature enough to be relied upon for business critical operations.

But, a sticking point in those conversations between founders and enterprise compliance teams can be... well... compliance. Some compliance obligations are not ones that can be satisfied overnight; some take weeks or months (and occasionally years) to get right.

So, founders are especially wise to try to anticipate what compliance questions they might face in enterprise security questionnaires. With that information in hand, founders are equipped to go on the dual track that we most frequently recommend: preparing compensating controls until compliance can be fully achieved, while also beginning to pursue formal compliance (even if that takes awhile).  We see this very frequently with SOC 2: we often find that our clients are able to satisfy an IT compliance team by demonstrating sophistication on the types of controls that are often relevant to SOC 2, even if they don't yet officially have a clean SOC 2 report supplied by an auditor. When they do finally obtain the report, it further cements their credibility with the enterprise they are doing business with.

When a founder-led business gets their first Vendor Security Assessment, it's a bittersweet moment. On the positive side, it usually means that the startup is being taken seriously by an enterprise -- often a prospective customer. On the negative side, a tough vendor security assessment often puts a startup on its heels as far as figuring out a way to acceptably answer the difficult questions therein.

One topic that comes up frequently, is testing. Enterprises know that early-stage companies are often highly resource-constrained, and it begs the question of whether the product/solution has been tested in a way that gives confidence that the startup can deliver way they say they'll deliver. From the enterprise's perspective, probing on testing practices is just a "common sense" way to get a sense for the maturity of the small business that they are considering working with.

But, what types of tests are startups being asked about, in a typical Vendor Security Assessment? We set out to answer precisely that question, by analyzing our internal archive of vendor security assessments, and here's what we found.

Vendor Security Assessments are slooooow to change. If there is one part of a large enterprise that has a thankless job, it's the IT compliance team that is charged with creating, revising, and reviewing vendor security assessment processes and forms. Make it too difficult, and business sponsors (buyers) across the company get upset that it takes too long to onboard their favorite new vendor. Make it too easy, and the enterprise takes on headline-grabbing cybersecurity risk that has wide-reaching regulatory and reputational impact.

So, in the face of these opposing pressures, what happens to an enterprise's vendor security assessment forms / questionnaires over time? In our observation, almost nothing. You heard that correctly: the vendor security assessments that a particular enterprise had in place 12 months ago, are almost certainly what they have in place currently.

Far too many vendor onboarding processes -- especially those that don't leave room for compensating controls -- feel like they are destined to be combative from the start.  In the typical storyline, a tiny company is working feverishly to sell its products or services to an enterprise, and after gaining support of the "sponsor" (business decision maker), the vendor onboarding process kicks into action.  The only problem?  It often involves dozens-to-hundreds of nuanced cybersecurity questions that the tiny company is ill equipped to answer.  And that puts in jeopardy all of the good work that the small business and the enterprise can do together -- because the path to collaboration starts by running the gauntlet through the vendor onboarding process.  And that process is far from guaranteed to lead to approval.