Vendor Security Assessments Done Right
Editor's note: Dave Anderson, Director of Security & IT at Greenhouse, gave us the pleasure of presenting best practices around vendor security assessments at Kisi’s Office Automation for IT Meetup Vol 2.
Dave’s vision is to lift the standards of how companies do vendor security reviews and to show that it does not have to be difficult. Over time, Dave and his team have not only made Greenhouse a secure product but also helped establish it as a company with an edge in security.
For the uninitiated, Greenhouse builds recruiting software used by some awesome companies, and they pride themselves on building thoughtful software for real people. They have had the opportunity to work with many great companies, from tech to agencies, as well as organisations in healthcare, education, finance and enterprise.
Thanks so much Dave for sharing these best practices!
Greenhouse’s approach to vendor security
Being a SaaS product with responsibility for our customers’ sensitive recruiting data, we constantly have to fill out long spreadsheet questionnaires from prospects who are evaluating the security of Greenhouse. At a certain point, when I had the bandwidth, I decided we should start holding our vendors to the same standard. Around the same time, we started working towards building out a formal compliance program to complement our existing security program. I found that properly vetting vendors was also required by compliance frameworks like SOC 2 and ISO 27001, so learning how to do it the right way quickly became a priority.
Today we add a security review to the procurement process, ensuring that any vendor who could impact our information security is properly vetted before we sign the contract.
Generally my approach to vendor security assessments consists of three parts:
- Why assess the security of your vendors?
- How do we do it at Greenhouse?
- How did we come up with our vendor security review template?
Let’s dive in:
Why assess the security of vendors?
Security is all about managing risk. If you did everything yourself you would have full control over everything, but that is unrealistic: you will never have the time, resources and know-how to do it all. Instead, we choose to outsource certain functions, whether that means buying hardware and/or software (on premises or SaaS) or hiring a company to perform some task.
When you are looking to buy that product or service you need to take a few major things into consideration:
- How does the vendor impact my own security posture?
- What data of mine or my customers do they have access to?
- What would the impact be to my business if the vendor had a security incident?
When evaluating and implementing these outside resources, you want to ensure you are not increasing your attack surface and, with it, your risk. The three questions above determine how much scrutiny a vendor deserves. For example, a service that touches all of your customer data carries a large risk, and the depth of your review should scale accordingly.
How do we do it at Greenhouse?
We started by reviewing the existing vendors that had the most access to our customer data. We kept it basic at first: asking for their SOC 2 Type 2 report or ISO 27001 certificate and Statement of Applicability, and asking some basic questions about their security program and processes.
You may be thinking that a SOC 2 attestation or ISO 27001 certification is not by itself an indicator of good security, and you would be right. However, the existence of these documents gives an indication of how mature the company is, their willingness to allocate budget to security-related programs, and insight into what their processes and controls may be. Read them rather than just file them: check that the report’s scope actually covers the service you are buying and the period you care about, look at any exceptions the auditor noted, and note which ISO controls the vendor has declared not applicable in the Statement of Applicability.
For smaller vendors who have not gone through the process or cannot afford a SOC 2 or ISO audit, the next option is the dreaded security questionnaire. Be mindful when sending it out. There is no reason to send a small vendor that poses little risk to your business a spreadsheet with 500 questions when a phone call or an email asking the 20 most impactful things will do.
Remember that someone has to spend time handling the review both at your company and at your vendor, so there is a large potential cost to it.
The people in the various departments that purchase software or services are the ones you need to work with most closely, because they are what gives you the opportunity to evaluate the security of your vendors at all. Make sure they loop you in when they are about to buy that new sales tool that needs access to your sales team’s email, or when IT is looking for new cloud backup software.
Do not treat this as a checkbox compliance activity. Follow up with the vendors, even if everything looks good. If everything is not up to your standards, work with the vendor. Most vendors want to improve!
With consistent follow-up with our vendors and with the in-house purchasers at Greenhouse, we received the information from many of the vendors we were reviewing. For example, if the sales team buys a Salesforce plugin, they need to loop us in so that the data the plugin accesses is not put at risk.
Negotiating to ‘Yes’
Our attitude towards vendors is to never be afraid to say ‘no’ if they cannot meet our requirements. Talk it through with the vendor and work with them; many will be willing to make improvements. If something is critical, get it in the contract.
That could mean the vendor commits to shipping a certain security feature within a certain timeline, or that we enter a trial phase with their product to give them time to upgrade their security before full deployment. If there is a way to use the product that would benefit the company, we believe in spending the time and effort to work through any security issues.
How to get started and develop a vendor security review process?
The first step is to define the risk profile of the company. What are you trying to protect? Where does it live? What would happen if it got into the hands of someone who should not have it, or became inaccessible to someone who should? The core focus should be assessing risk to your people, processes and data.
To do that you need a risk assessment, which sounds a lot more complicated than it is. Bring people from various departments into a room together and brainstorm the different risks to the company. It is a great team activity, and it is amazing what people with a different perspective come up with.
The result of the risk assessment gives you what you need to figure out what is important to your company and how to treat each risk: do we need to buy more insurance (transfer it), implement better security controls (mitigate it), or just accept it?
Once you have figured out what your risk appetite is you will be better equipped to start evaluating your vendors. There are lots of standards, tools, products, etc. out there such as:
I chose to go the template route because it is cheaper, flexible, easy to start with, and better received by the vendors. I may switch to a hosted product in the future, but to be honest I have not interacted with any on the vendor side that I have really felt I want to subject our vendors to.
Each template has its pros and cons, so we came up with our own, which I jokingly call “VSA-Lite”. We took the Vendor Security Alliance (VSA) template and whittled it down to what we really care about. The result has around 150 questions, most of which have simple ‘Yes/No/Not Applicable’ answers, and many vendors are able to finish it in less than an hour.
My main motivation for choosing the VSA over the others was that its approach is a more modern, risk-based one that better reflects the security posture of the vendor rather than just compliance checkboxes.
Where are we today?
I still consider our vendor security assessment process to be in development and will likely still require a few years to reach a point where I’m completely happy with it. We are continuously iterating on the process, asking new questions as they become relevant (such as GDPR compliance), and changing up existing ones to better drill down into the information we’re looking for.