Below is a list of common objections from vendors. Understanding how to respond to these objections can be the difference between success and a VRM program that never gets off the ground.
Do we really have to do this?
RESPONSE: Yes. Vendor Risk Management is important to <Organization Name>. We have scoped our relationship with <Vendor Name> and determined that the nature of your project/service requires that we have a thorough understanding of the strength of your information security program. This is necessary for ensuring that our business relationship is not the source of a breach in information security for <Vendor Name>, <Organization Name>, our customers and stakeholders.
(Optional) Our regulatory requirements demand that we assess our vendors in this way.
EXPLANATION: Vendors who ask this question are most likely new to the concept of VRM. Regulated industries were the first to be required to do VRM, so it would be unlikely for them to be puzzled by the requirement in general. Take the opportunity to preach the benefits of S2VENDOR, mainly that the vendor will only do one comprehensive assessment and will receive the Full Report in return.
Inside SecurityStudio, they can use the assessment they complete for you to meet other vendor requests. Outside SecurityStudio, they may be able to parlay their Full Report into a replacement for other, lesser vendor risk questionnaires. Our Full Report tends to be much more comprehensive than other risk questionnaires.
Can't I just give you my SOC2 or other documentation?
RESPONSE: <Organization Name> will accept all documentation you care to submit. We will review the documentation and decide if everything we need is included. If we find that it is too narrow in scope or doesn't meet our requirements, you will still be expected to create your account in SecurityStudio and complete our assessment. Please note that our assessment only needs to be completed one time. If you choose to complete the assessment, each re-evaluation will require a cursory update. This may, ultimately, be more convenient for you.
EXPLANATION: Vendors with well-established security programs tend to have audit results, compliance documentation, and other resources that they can share with you. This is actually a good thing. The S2Score Assessment used within S2VENDOR is a well-built assessment that we stand behind 100%. However, we acknowledge that vendor risk can be assessed using other means. While considering whether to accept this documentation in lieu of the assessment, consider the following:
How up to date is the information?
What is the scope?
Does it adequately demonstrate that the vendor is doing everything they should?
Additionally, assessment alternatives cannot be mapped back into S2VENDOR. If you choose to accept this documentation, you will be forgoing the score produced by the S2Score Assessment. You will, however, have all of your documentation stored in one place along with your decision notes. This is invaluable.
It's too long.
RESPONSE: The length of the assessment is appropriate to the project/service type that <Vendor Name> is performing for <Organization Name>. The assessment format has been carefully designed so that each of the statements is clear and straightforward, inquiring into only one control at a time. There are no laborious text-style responses required and the True, False, NA format allows respondents to move through the assessment quickly.
Consider adding subject matter experts to work on the assessment collaboratively, and take advantage of the allotted time frame <30 days> to break the assessment into as many working sessions as is required.
Please keep in mind that you will only have to complete the assessment one time for <Organization Name>. Going forward, you will only be prompted to update according to our re-evaluation schedule.
EXPLANATION: The assessment needs to be thorough enough to capture the actual risk the vendor poses to you. Any shortcuts taken will leave a hole in your defensibility, as you are choosing to forgo insight into their security program for expediency. Making this trade-off ultimately puts you in a bad position.
Instead, recall that the vendor is getting the assessment appropriate to the amount of risk their project/service exposes you to. This was determined in the classification step.
Convenience to the vendor does deserve some consideration, but this requires that we look beyond the assessment's length. The S2Score Assessment we use inside S2Vendor is comprehensive, covering the vendor's entire information security program. Once completed, it can be reused over and over, only requiring quick updates when re-evaluation is required. The completed assessment belongs to the vendor and they can use it to satisfy a variety of requirements:
Vendors can easily complete re-evaluation requests from you in just a few minutes
Vendors can share the assessment to meet the requests of other SecurityStudio customers
Vendors can convert their completed assessment into our S2Org module where they can immediately enjoy the reporting and roadmapping features
If you feel strongly that vendor participation requires an assessment of shorter length, you have the option of building your own classification for separating vendors into low, medium, and high impact levels. Perhaps for your business case, it makes sense to create a wider medium classification so that more of your vendors fit these criteria and receive the shorter, medium assessment. This is a better alternative than abandoning the assessment methodology altogether. Even better, you can adjust your impact levels in the future, and any vendors transitioning from medium to high will only have to complete the difference in questions between the two assessment levels.
Some of these questions don't pertain to us
RESPONSE: Absolutely. The assessment type is determined by the project/service that <Vendor Name> performs for <Organization Name>. This doesn't mean that every question will be pertinent. For this reason, the assessment response options include an NA option that can be applied on a question or section level. Please feel free to exercise this option. Just note that your assessment will be reviewed and if <Organization Name> doesn't agree with your NA responses, this could require a follow-up process. We recommend making use of the comment section to indicate why a particular question or section is NA. This may help you avoid further questioning.
EXPLANATION: Everything comes back to the classification step. Recall that the vendor is getting the assessment appropriate to the amount of risk their project/service exposes your organization to.
The assessment is built to be applied systematically, so it would be very inefficient for it to be too narrow or specific in scope. Instead, encourage vendors to make use of the score-neutral NA option at either the question or section level. We advise you to pair this option with a warning about the consequences of NA abuse.
Additionally, you can also build out various assessment templates for certain vendor types. Assessment templates are copies of our medium or high assessment that you can pick up, rename, and mark either individual questions or whole sections as NA. Basically, you are pre-marking questions or sections NA so that when the template is applied, the vendor will encounter an assessment that is partially done with the NAs called out. This helps narrow the scope without affecting the integrity of the question set.
EXAMPLE: A company works with a lot of single person sub-contractors. They have heard repeatedly that some questions or sections are not applicable. They can use this feedback to create an assessment template for sub-contractors. Certain sections like "Segregation of Duties" and "Screenings for Employees" would be pre-marked NA so that sub-contractors coming in don't have to answer sections that don't apply to them.
We prefer not to create an account. Can we get a hard copy?
RESPONSE: We would highly recommend that you take advantage of the benefits of completing the assessment inside the platform:
Easily updating answers in subsequent evaluations
Sharing your assessment to meet other vendor requests
Using the built-in reporting and roadmapping
We can give you a hard copy of the assessment, but once completed, it cannot be ported back into the platform. It's also worth mentioning that sharing this type of sensitive information in hard copy via unsecured email is very risky. Collecting responses on a secure site with the proper precautions in place (multi-factor authentication) is much more secure for all parties involved.
EXPLANATION: If at all possible, push the vendor to complete the assessment inside the platform. It may feel easier to accept a hard copy of the assessment, but this is inadvisable for a few reasons.
First, promoting the distribution of multiple hard copies via unsecured email is just bad information security. The more copies that exist and the more people who touch this information, the more likely an adverse event will occur.
Second, allowing them to complete the assessment manually forces you to accept it manually. You can no longer take advantage of our automatic reminders, answer tracking, and scoring. Unfortunately, if we don't capture their responses inside the assessment space, no score will be produced for this vendor. You can attach their responses in the document library for reference but you will be forgoing the scores, maturity modeling, charting, and reports that are produced from a completed assessment.
Finally, you've lost your efficiencies going forward. Next year will require the same effort from the vendor and you. Even worse, you aren't getting to take advantage of the information you've collected. While you are checking a box in collecting it, you cannot easily process it to make informed decisions.
SIDE NOTE: Sometimes the vendor is asking for a hard copy so that they can collaborate with internal teams. In this case, it is up to you to decide if you will give them a hard copy. You might take the opportunity to let them know that they can easily add team members and work collaboratively inside S2VENDOR.
We don't share this type of information without an NDA
RESPONSE: Not a problem. SecurityStudio can easily accommodate that request. Please pass along any such requests to support@securitystudio.com. We can use the vendor's NDA or supply one of our own if necessary.
EXPLANATION: We like these vendors. By asking about us, they've demonstrated that they are paying attention to information security.
For these vendors, we are always happy to send our own assessment results or security due diligence packet.