With the daily reports of large breaches and organizations’ increasing dependence on other organizations for technology solutions, there is no question that third-party risk management is becoming a topic that must be addressed.
The problem is:
There’s very little clear guidance on what to look for in vendors to be sure they have strong security.
So, I decided to find security leaders in the industry who have experience with mitigating third-party risk and ask them one question:

When implementing a vendor risk management program for an organization, what is the one question that you would ask a potential vendor or service provider to gauge their security posture?

Let me assure you, the insights I received from these 7 security leaders were amazing!
I’ve listed them all below.

Look for awareness training


Miguel Silvestre, CEH – Security, Privacy, and Risk Associate

I think that one of the prevalent issues in risk and security is user awareness training. So if I could ask a potential vendor a question, it would be, “Do you carry out end-user security awareness training and/or assessments and what does it involve?”

What’s your incident response


Mireya Melendez, Manager, Audit & Readiness | Security Engineering Manager | IT Management Professor

What is your most effective strategy to implement in an organization to manage Incident Response and continuously monitor their information security?

How do they handle their third parties?


Adam Gordon, Edutainer & SME | ITPROTV

I counsel my clients to Always Be Prepared, focusing on risk wherever and whenever it may appear.
I would ask how the vendor or service provider applies that philosophy in their operations both internally and externally with their own extended supply chain, and I would want specific/documented examples of the controls/countermeasures and verification mechanisms employed to support the answers.
For instance, do they respond by citing NIST SP 800-161, NIST HB 162, ISO/IEC 27000 and 27001, and the CSA Cloud Controls Matrix as examples of guidance being employed to manage risk?
If the vendor is able to provide a coherent and meaningful response, then I would be interested in a dialogue that may lead to partnership. If, on the other hand, the vendor questions the need to discuss the request and provide honest answers within reason, then I would tell my client that we need to look elsewhere for services.

Look for organized frameworks


Christopher Foulon, Senior Cyber Risk Management Consultant

Has your organization implemented a framework like NIST CSF to ensure that you have controls across the different domains and have moved from a compliance-based approach to a risk-based approach?

Compliance Audits


Gil Vidals, CEO – VMRacks – HIPAA Web Hosting

Does your company perform compliance audits relative to industry requirements/standards?

Who’s the CISO’s boss?

Matthew Fisch, CEO – FortMesa


I would ask who the CISO reports to (both direct and dotted line). As a follow-up I would ask who signed their security charter.

Do you know your data flows?


Randall McNeely, President – Cybersecurity Risk and Technology Consultant

How well do you understand the data flows coming into and exiting your network and what are you doing to securely control them? In other words, how well do you understand your attack surface and what are you doing to shrink it to the smallest size possible?

Conclusion

What an amazing collection of useful advice.

Now I want to turn it over to you.

What is your top third-party risk management question for gauging supplier security practices? Let me know by leaving a comment below right now.
