Written by staff writer.
The traditional supplier cyber assurance questionnaires are becoming obsolete and meaningless, according to Peter Watson, principal sales engineer at cybersecurity company Recorded Future.
Speaking during a September 13 information session on vendor and supplier risks, Watson said such questionnaires become outdated almost as soon as they are completed. Despite this, many entities and government agencies still require suppliers and potential suppliers to complete a cyber assurance questionnaire before signing any contract. The questionnaire is designed to demonstrate compliance with the cybersecurity controls many contracts require and also, supposedly, to help the customer determine a vendor’s cyber risk profile.
“Questionnaires don’t speak to the current risk,” said Watson. “At best, they are a point-in-time assessment of a company as reported by them to you.”
Most Australian state and federal government departments and agencies require existing and prospective vendors to submit a cyber assurance questionnaire-type document before they will formalise any contract.
Recorded Future Chief Information Security Officer Jason Steer noted that he recently completed one questionnaire that contained over 300 questions. Besides calling it an awful lot of work, he suggested that almost all of the supplied answers receive no scrutiny beyond a yes or no. “There’s probably only 10 or 20 questions that you actually need to address that are meaningful, and you need to talk about.”
Steer says that across all industries there is a marked increase in vendor supply chain cyber risk resulting from the digitalisation of business processes. “For businesses now, supply chain risk isn’t just a small threat anymore, it is becoming the biggest risk to businesses.” He argues that entities need real-time risk data as part of their vendor selection and vendor management processes.
Brett Helm, co-founder of US-based DragonflyCyber, agrees, noting that most current cyber assurance solutions are based on paperwork. The problem with that approach, he says, is that it doesn’t scale, is often inaccurate, and is “pretty much useless.” He considers the use of questionnaires to gather data on cyber compliance fundamentally flawed, but adds that an entire ecosystem has developed to present that data in a professional manner and make it look legitimate.
Watson argues a better approach is for the customer to scrutinise the potential vendor. He says when his company runs the cyber ruler over a potential supplier, it seeks a dynamic view of that supplier’s cyber threat profile and has 44 different ways to measure risk.
Steer suggests looking at highlighted risk rules before taking a new supplier on board and asking them focused questions. “We look at things like ISO 27001 (an international information security standard) certification documents. We look at SOC 3 documents, which many vendors make available, and we use threat intelligence data to get into the details.”
He says customers need to be proactive and monitor real-time threat intelligence data on vendors rather than rely on the vendors to tell them when something goes wrong. Despite governments increasingly putting mandatory disclosure laws in place, Steer says by the time a customer is notified of a breach, often “the proverbial horses have already bolted.”