Tackling cyber risks head-on using security questionnaires

In this Help Net Security interview, Gaspard de Lacroix-Vaubois, CEO at Skypher, talks about the implementation of security questionnaires and how they facilitate assessments and accountability across all participants in the technology supply chain, fostering trust and safeguarding sensitive data.

Many organizations overlook the critical role of security questionnaires in risk assessment. Could you elaborate on why they are essential in today’s business environment?

I think security questionnaires are an essential part of third-party cyber risk management in order to accurately assess the security of the whole technology supply chain. Strengthening cybersecurity “at all levels—from those who collect data to those who transmit it, process it, store it, and use it—will be crucial” for personal data protection, according to the European Commission’s in-house think tank.

SMEs are in most cases data processors for their bigger counterparts, meaning that they are not in contact with the end clients. These end clients are most of the time not aware that the service they have bought from a vendor uses all these other providers to operate. This is why it is more important than ever to make sure your vendors maintain the same high security standards as your organization to build trust with the end customers. Security questionnaires help holding every participant of the cyber supply chain accountable.

A holistic and risk-aware approach required to ensure cybersecurity and data protection in today’s interconnected business environment. Security questionnaires play a crucial role in this endeavor by facilitating assessments and accountability across all participants in the technology supply chain, ultimately fostering trust and safeguarding sensitive data.

What are some common mistakes organizations make when implementing security questionnaires in their cybersecurity frameworks?

Many organizations try to rely on common standards or framework instead of doing their own risk assessment process regarding their vendors. Organizations should assess their vendors individually depending on the level of access they have to their internal systems and data. Is this vendor processing our customer’s data? Also a general feedback we get at Skypher from our customers is that they very frequently receive security questionnaires that are totally inappropriate to their business or technology. For example a cloud SaaS solution is usually hosted on the servers of a big cloud provider such as AWS, GCP or Azure and should not be audited as a licence type of software which manages their own servers and infrastructure.

Another good example of that is when you are buying a self-hosted or on-prem solution, all questions regarding network or infrastructure are irrelevant since you’ll be managing that, not the vendors. This can lead to a lot of frustration on the vendor side since they have to answer 300 questions that are totally not applicable to their relationship with the organization. Communication and feedback are essential here, organizations and vendors should maintain open lines of communication regarding security assessments. Vendors should feel comfortable providing feedback on the appropriateness of the questions they receive, and organizations should use this feedback to refine their assessment processes over time.

While customization is important, organizations can still use standardized frameworks (e.g., NIST Cybersecurity Framework, ISO 27001) as a foundational guideline for vendor assessments. These frameworks provide a structured approach to cybersecurity and can be adapted to suit the specific needs of each vendor.

Could you provide some examples of how overwhelming information could compromise the effectiveness of a security questionnaire?

There are three main aspects that compromise the effectiveness of a security questionnaire:

First of all, they are a costly process due to the significant resources needed to respond to them internally (on top of a shortage of infosec professionals). Second, they are a time consuming and repetitive task which can cause employee turnover within security and GRC teams (imagine asking your new security analyst to do this 100% of his time). Finally, security questionnaires can cause important delays in the sales cycle as the security and compliance department become the bottleneck of the sales cycle as it can take up to a month to complete due to the numerous stakeholders.

What responsibilities do vendors have when answering security questionnaires, and how can they best prepare for it?

Vendors have significant responsibilities when answering security questionnaires from their customers or partners. It is essential for them to demonstrate their commitment to cybersecurity and to build trust with their clients.

Key responsibilities include:

• Accuracy and transparency: Vendors must provide accurate and honest responses to all questions in the security questionnaire. It is okay to have some weakness if there is already a timeline for remediation. It will build far more trust if your customers feel that you are aware of some of your weaknesses and that there is already a security roadmap in place to remediate them!
• Responsibility towards the end-client: Many end clients may not be aware of the complex network of service providers involved in delivering the services they use. Trust in data security is placed in the hands of the primary vendor (the organization), making it crucial for third-party vendors to accurately respond to questionnaires and maintain the same level of security.
• Accountability: Vendors are responsible for all the responses they give in security questionnaires and are held accountable if they fail to demonstrate what they said.
• Communication: Vendors should communicate any changes in their security assessment responses as soon as possible for the organization to take into account these changes into its own risk assessment.
• Speed: Vendors should respond to security questionnaires promptly and within the specified deadline. Delays can create doubts about a vendor’s commitment to security.

Here are a few best practices vendors should implement to be best prepared:

• Appoint a person leading & responsible for security: this could be your CTO if you’re a startup or a security professional at larger organizations.
• Documentation: endors should first have their security documentation ready to share with existing and prospective customers. It should be as easy as signing an NDA and then have access to for example the latest pentest report of the vendor.
• Standardized responses: Create standardized responses to common security questions. These templates can be used as a starting point for questionnaire responses and ensure consistency in answers.
• Review process: Implement a rigorous review process to verify the accuracy of responses before submission especially if there are a lot of stakeholders involved.
• Keep a record of them for future audits: This history can be valuable for future assessments and audits.

With the evolving landscape of cybersecurity, how do you see the role of security questionnaires changing in the coming years?

I think the role of security questionnaires will be central to the future of the cybersecurity supply chain. I think it will evolve in a more efficient and dynamic way.

The recent progress in AI will enable vendors to automatically respond to a lot of the questions if they have the right tooling and data internally. I also believe that organizations should implement easier ways for their vendors to deal with security questionnaires. For example you could answer at first a few questions regarding the level of access you have, if your solution is cloud based, self-hosted or on-prem at the customer’s premise. Then a custom questionnaire will be generated to accurately evaluate the level of security you maintain and will eliminate some questions that are irrelevant. Thus reducing the sentiment of frustration and ineffectiveness of the process for everyone.

It’s crucial for organizations to adopt a more flexible and collaborative approach to vendor assessments. This involves working closely with vendors to tailor the assessment to their specific circumstances, avoiding unnecessary or irrelevant questions, and streamlining the assessment process.