Security – Has Your Vendor Been Tested?

By Brenda Ferraro posted 04-06-2020 08:18


We recently sat down with Brenda Ferraro, the VP of third-party risk at Prevalent, and asked her about the state of vendor security. Brenda is an expert in this space, having built and managed third-party risk management programs at companies such as Aetna, PayPal and Charles Schwab. As well, Brenda is the executive sponsor of the Legal Vendor Network, the legal industry’s preferred third-party risk management platform, which is hosted by Prevalent. What follows is a summary of that conversation, but please be sure listen to the full podcast for all of Brenda’s expert insights (especially the “Marsha, Marsha, Marsha” bit – you won’t want to miss that!).

What types of standard security certifications are typically asked for by clients?

Customers don’t always think about certifications right away – instead, they think about key controls and what’s required to meet them. So I look at controls that are common to most companies in that way. What I’m seeing especially is in IT-related data sharing, clients want to see where the data flows. So, they’re supplementing their standard questionnaire with insights into how the data is flowing. This isn’t really surprising, after all, as there is this huge momentum toward data protection and privacy which you’ll read more about a little later in this blog.

Other types of certifications I’m hearing from customers include:

  • SOC 2 Type 2 – This is helpful in that when that report is provided, not only does it show whether a security posture in place but also provides opinions on what to remediate.
  • SCA – Provided by the Shared Assessments organization, this certification provides a thumbs-up or thumbs-down approach showing whether a control is in place or not.
  • ISO certification – Always at the top of everyone’s lists as this is a truly globally understood certification.
  • Pen Tests – Customers want to ensure that they are performing regular penetration testing for vulnerabilities. This is especially important for scanning software code in web development use cases.
  • PCI – Very common. This one has been around a while now and ensures you have the right due diligence in place as it pertains to how you manage cardholder data.
  • Incident response and change management processes – Customers want to know that the vendors they do business with have the proper incident response plans in place to handle adverse situations or change management processes so that anything deployed in their environment has been properly tested to ensure it doesn’t create downstream complications.

Across the board, I would categorize these as: Trust > Verify > Mitigate. Or more plainly, can you demonstrate a control, can I monitor for the presence of that control, and can you mitigate any findings based on results.

Are there times when you have to meet the clients’ clients?

Absolutely. In fact, 4th, 5th and 6th parties are coming into play even more lately. If you don’t follow the cyber chain then you don’t know where your organization’s data is stored. To describe this I like the “castle” analogy: You don’t know what’s going on in other peoples’ castles… when you hand off your data. You have to do proper due diligence on where data is spreading to, who handles it, and how it’s processed, hosted or stored.

One way to view those extended relationships is through what I call a bubble diagram – it basically shows the interconnections between vendors, 4th parties and others. A data chain if you will. It should where the data is flowing from so you can stop the bleeding if there’s a problem. Such a representation will also show what kinds of information they are hosting, processing or storing, whether it’s onsite or offsite. With data, you have to follow the flow.

Security and privacy. Privacy and security. The two are intertwined topics. How are we applying it in customer requests?

You know the 70’s show The Brady Bunch? Remember that famous scene when the middle sister Jan is tired of all the attention the older sister Marsha gets? What is the famous quote? “Marsha, Marsha, Marsha!” Well, in security today, it’s, “Privacy, privacy, privacy!”

Historically, IT, procurement, risk and security teams were all siloed. But, data privacy has been the great unifier for these teams. These interconnections are now happening with such a big focus on data privacy. Here in the States, there is the potential to have 50+ laws like GDPR. In fact we’ve already seen it with NY SHIELD, CCPA and the enhancement released to ISO 27001 and 27002 to address risks in cyber and data privacy.

Hopefully at some point there will be a federal regulatory push like what NIST did with the Cybersecurity Framework – but for data privacy. Like what GDPR did for EU, but for the US. Otherwise, clients will be forced to answer separate questionnaires for every state they do business in!

My advice: Start by addressing CCPA. As long as your doing that, NY SHIELD and GDPR it will help and apply for the future.

Describe how do you prepare yourself for security requests.

There are lots of different ways to look at it, but if you are collecting responses to questionnaires – for example the standard SIG or a proprietary one – try to get a more economical approach by having everyone fill out the same questionnaire. Unfortunately, there are so many formats (like Excel) and different questionnaires out there – and many of them are great but having a standardized one helps you be more economical in your assessments and helps you compare answers more effectively.

Next, fill out the standards you know about. If you’re using SIG, then do the SIG. If you’re using CAIQ from the Cloud Security Alliance, then use that one. Doing all of them will get your toward a standard content questionnaire.

What I’m seeing is that most networks are adopting standards and mapping them to compliance regulatory requirements. For example using a standard questionnaire and mapping those answers back to the requirements of PCI or CCPA even if you didn’t use a specific PCI or CCPA questionnaire. That “automagic” mapping has tremendous value in an economic approach. Ask once, answer many. See what maps to what controls.

Let me expand on the network concept. Law firms and their vendors can all collaborate on risk reduction in a portal. The questionnaire will be there. The responses will be there. Then it’s easy for the client to do proper due diligence for automated response. If a remediation is accomplished, it should get to the customer, so they know it was addressed.

The last piece is validation, but onsite validations are a thing of the past. Instead, what I’m seeing is once a vendor applies key controls to risks, threat indicators can be used to verify it. Ultimately, this will allow you to track to closure at the vendor and portfolio level and help you show the board where your vulnerabilities are. That’s what we seek to achieve with the Legal Vendor Network.

Final thoughts?

Honestly the biggest risk out there right now is not knowing what you don’t know. And by that I mean that clients don’t know their vendor universe. Prevalent has a way of helping clients understand what proper due diligence is required prioritizing who to assess through a programmatic maturity assessment process. It’s pretty simple to get started and it provides a roadmap on where to go next.

For more on Prevalent, visit