Third-party security vetting: Do it before you sign a contract

Security needs to ensure that all vendors and partners, even those not controlled by IT, meet the organization's security standards.


If you’re talking about stopping security risks from an outside vendor already on-board, Jerry Archer says, “You've already failed.” Chief security officer for Fannie Mae, Archer contends that risk mitigation should begin before your company closes the deal. That’s why his team has a go or no-go vote for any vendor Fannie Mae brings on. That’s not restricted to vendors IT typically oversees, like authentication tech or API gateway services. Not a single tool is onboarded by any department without security’s approval.

With more than 200 vendors total, that task isn’t easy. Archer says companies approach HR or another department, showing them “the shiny new gadget. They need it. They must have it.” The team that will use the software isn’t thinking about security, just functionality. Archer says they tell IT, “‘We can't succeed without it.’ We all know that in our hearts that's not necessarily true, but the fact is, people get emotionally tied to stuff and politically tied to it.”

The result is an inevitable security risk you can’t control: If you aren’t involved in decision-making from day one, the momentum to buy will take over, leaving your department with the damage control. “You have to find a way to be out in front of the problem,” he adds, “for you to fix it or stop the process for that vendor right away before it gets too ingrained because the emotions begin to play.”

How to get in front of security vetting

Archer contends relationships are key. “Security has to be able to say, ‘We're not going to do business with that vendor,’” he says. To enforce a policy like that, the C-suite must take security seriously. If there is no CSO to represent you, talk to the CEO yourself. “If you can't get through the front door, maybe you get through the back door,” he recommends. Either way, he adds, “Establish those relationships.”

Then grow relationships with the actual prospective vendors. At Fannie Mae, this starts with a security best practices questionnaire included in all RFIs. Archer’s team divided vendors into two groups — critical and regular — by the type of data they’ll access. For prospective critical vendors, there are around 250 questions. Regular vendors get shorter, industry-specific versions of the questionnaire. Most questions for both groups are yes-or-no questions, for example: “Are you SOC 1 and SOC 2 compliant?” The RFI is also an opportunity for prospective vendors to get to know you. In addition to asking questions, Fannie Mae outlines its security expectations in the RFI.
