With the daily reports of large breaches and organizations' increasing dependence on other organizations for technology solutions, there is no question that third-party risk management is becoming a topic that must be addressed.
The problem is:
There’s very little clear guidance on what to look for in vendors to be sure they have strong security.
So, I decided to find security leaders in the industry who have experience with mitigating third-party risk and ask them one question:

When implementing a vendor risk management program for an organization, what is the one question that you would ask a potential vendor or service provider to gauge their security posture?

Let me assure you, the insights I received from these 7 security leaders were amazing!
I’ve listed them all below.

Look for awareness training


Miguel Silvestre, CEH – Security, Privacy, and Risk Associate

I think that one of the prevalent issues in risk and security is user awareness training. So if I could ask a potential vendor a question, it would be, “Do you carry out end-user security awareness training and/or assessments and what does it involve?”

What’s your incident response?


Mireya Melendez, Manager, Audit & Readiness | Security Engineering Manager | IT Management Professor

What is your most effective strategy to implement in an organization to manage Incident Response and continuously monitor their information security?

How do they handle their third parties?


Adam Gordon, Edutainer & SME | ITPROTV

I counsel my clients to Always Be Prepared, focusing on risk wherever and whenever it may appear.
I would ask how the vendor or service provider applies that philosophy in their operations both internally and externally with their own extended supply chain, and I would want specific/documented examples of the controls/countermeasures and verification mechanisms employed to support the answers.
For instance, do they respond by citing NIST SP 800-161, NIST HB-162, ISO/IEC 27000 and 27001, and the CSA Cloud Controls Matrix as examples of guidance being employed to manage risk?
If the vendor is able to provide a coherent and meaningful response, then I would be interested in a dialogue that may lead to partnership. If, on the other hand, the vendor questions the need to discuss the request and provide honest answers within reason, then I would tell my client that we need to look elsewhere for services.

Look for organized frameworks


Christopher Foulon, Senior Cyber Risk Management Consultant

Has your organization implemented a framework like NIST CSF to ensure that you have controls across the different domains and have moved from a compliance-based approach to a risk-based approach?

Compliance Audits


Gil Vidals, CEO – VMRacks – HIPAA Web Hosting

Does your company perform compliance audits relative to industry requirements/standards?

Who’s the CISO’s boss?


Matthew Fisch, CEO – FortMesa

I would ask who the CISO reports to (both direct and dotted line). As a follow-up I would ask who signed their security charter.

Do you know your data flows?


Randall McNeely, President – Cybersecurity Risk and Technology Consultant

How well do you understand the data flows coming into and exiting your network and what are you doing to securely control them? In other words, how well do you understand your attack surface and what are you doing to shrink it to the smallest size possible?


What an amazing collection of useful advice.

Now I want to turn it over to you.

What is your top third-party risk management question for gauging supplier security practices? Let me know by leaving a comment below right now.
