Third-party security vetting: Do it before you sign a contract

If you’re talking about stopping security risks from an outside vendor already on-board, Jerry Archer says, “You’ve already failed.” Chief security officer for Sallie Mae, Archer contends that risk mitigation should begin before your company closes the deal. That’s why his team has a go or no-go vote for any vendor Sallie Mae brings on. That’s not restricted to vendors IT typically oversees, like authentication tech or API gateway services. Not a single tool is onboarded by any department without security’s approval.

With more than 200 vendors total, that task isn’t easy. Archer says companies approach HR or another department, showing them “the shiny new gadget. They need it. They must have it.” The team that will use the software isn’t thinking about security, just functionality. Archer says they tell IT, “‘We can’t succeed without it.’ We all know that in our hearts that’s not necessarily true, but the fact is, people get emotionally tied to stuff and politically tied to it.”

The result is an inevitable security risk you can’t control: If you aren’t involved in decision-making from day one, the momentum to buy will take over, leaving your department with the damage control. “You have to find a way to be out in front of the problem,” he adds, “for you to fix it or stop the process for that vendor right away before it gets too ingrained because the emotions begin to play.”

How to get in front of security vetting

Archer contends relationships are key. “Security has to be able to say, ‘We’re not going to do business with that vendor,’” he says. To enforce a policy like that, the c-suite must take security seriously. If there’s not a CSO to represent you, talk to the CEO yourself. “If you can’t get through the front door, maybe you get through the back door,” he recommends. Either way, he adds, “Establish those relationships.”

Then grow relationships with the actual prospective vendors. At Sallie Mae, this starts with a security best practices questionnaire included in all RFIs. Archer’s team divided vendors into two groups — critical and regular — by the type of data they’ll access. For prospective critical vendors, there are around 250 questions. Regular vendors get shorter, industry-specific versions of the questionnaire. Most questions for both groups are primarily yes or no: “Are you SOC 1 and SOC 2 compliant?”, for example. The RFI is also an opportunity for prospective vendors to get to know you. In addition to adding questions, Sallie Mae outlines security expectations.

Once a vendor has passed the RFI stage, the real courtship begins. “I need to know their security teams,” Archer says. “I need to know if I can count on them. I need to know their expertise.” When that expertise is lacking, but “the business really wants to do work with a particular vendor,” he adds, “we actually send some of our subject matter experts to work with their folks in order to bring them up to a level that we deem appropriate.”

From the outside, this might seem a little extreme, but Archer says, “You need to be in a position from a security perspective to work with the business to decide if a vendor that they want to use is allowable in your environment.”

Good security process documentation is key

While vetting a new provider, Archer says Sallie Mae isn’t looking to poke holes in anyone’s system: “We’ll ask for a screenshot of this, that, or the other.” For example, the company asks for penetration tests, but Archer explains, “I don’t necessarily need to know their detailed pentest results. I want to see the executive summary from their latest pentest. I want to know how many critical highs and lows, if they have findings in their pentest. We want to see a remediation timeline.”

The key, he continues, is to get “a level of assurance that they have documentation and that they have people that can speak to that documentation. Having a piece of paper [explaining security procedures] is insufficient. It’s necessary, but insufficient. Somebody has to be able to sit down across the table from you and tell you what that piece of paper means.”

Talk directly to your partners’ security teams

For this, he adds, “Security needs to talk to security,” not the sales staff pushing product, not the lawyers putting so many disclaimers on everything you can’t tell what a vendor’s real processes are. “Figure out how to cut that path directly to the security team,” he says.

Use the conversation as an opportunity to outline what will happen if there is a breach. By this point, the relationship should already be somewhat serious, with the vendor and your company starting to outline a service-level agreement (SLA). Sallie Mae has eight different SLA security amendments, used for different service types. Expectations include an annual security review, real-time assessments, how data and backups will be destroyed at the close of contract, and a clearly-defined process for alerting Sallie Mae of material change.

Make sure their change management process includes partners

Archer cautions that vendors sometimes “forget to tell you that they did something. They’ll forget to tell you they moved to the public cloud. They’ll forget to tell you that they turned off multi-factor authentication.” Usually, he continues, that’s because “their change management process does not envision reaching out to partners and giving partners notice of material change.” Outlining a process in the SLA makes it easier for contracted vendors to share when something like this happens.

Of course, like human relationships, business partnerships sometimes fall apart, no matter how well you know someone before commitment. A breach can occur even when security plays a role in purchasing. Whether you were involved or not, Archer says, “You’re going to, at some point, have to stand up in front of your board of directors, in front of the news media [and say], ‘We did our due diligence. We looked at the security systems. We believed they were correct. We monitor them all appropriately and something bad happened.’” If you weren’t involved, you don’t get to say that. If you were, Archer adds, “At least you have a leg to stand on.”