A Venus fly trap is a flower that catches insects as its prey using a terminal structure that is triggered when an insect touches the tiny hairs on the leaves a couple of times in a short period of time. Similar to the Venus fly trap, vendors who receive security questionnaires are now prey to a trap of its own “terminal structure” called network effects.
The following quote from a press release by a company that provides third party risk services, aka helps customers conduct security reviews on vendors, demonstrates my point: “[Customers] can invite their vendors to participate [in a security questionnaire], at no cost to the vendor [deleted]. By completing an assessment, the vendor will become a part of the XXXX network. This lets them easily map their answers to assessments from other [customers in the platform], without having to start from scratch for similar questions. The [customers] and vendors together create a network effect that improves transparency and efficiency for all participants.” [redacted to maintain anonymity]
Let’s break this quote down one by one.
First, customers need help conducting security reviews. These days, there are many laws and regulations that require vendor due diligence. So how do customers comply? They find an online platform to help them. That online platform is provided by a third party. That is problem number 1.
So, the vendor receives a security questionnaire from a prospective customer when the customer invites that vendor to set up an account in online platform (hosted by a third party). So, in this scenario, online platform is free to the vendor so the vendor can complete the security questionnaire. Not only can the vendor access the questionnaire for free, the vendor can enter all of its data straight into the online platform, again, for free! So simple and great, right?
Well, hold on a second. The vendor feels pressure to skip its own security review of that online platform because they want to make the sale. Talk about an imbalance of power. But what happens to vendor's data? Well, the press release says by “completing an assessment, the vendor will become a part of their network.”
The question is, should the vendor trust the online platform? From the online platform's perspective, this is great because they sort of trapped the vendor into becoming a customer of the network without any sales or marketing effort. The vendor signed up because they had to in order to get the customer's business.
Not only is it a problem that the vendor was unable to perform a security review of that online provider, but now it's data is living with that online provider and it's being shared. For the first part, it could be a trick by the customer. The customer might be wondering if you ask them about the security of the online portal to see if you do in fact follow your own stated process of vendor management. That is almost evil.
Now, it is unlikely that the customer is being this tricky with the vendor, but there is nothing to stop them from evaluating vendor this way.
This inability to conduct a security review of the online portal naturally leads to the question of whether that data is secure. Can the vendor get their data back out? Can they ask that it be deleted? Who owns the answers to the security questionnaire? The vendor, the customer or the online portal?
These are serious questions with serious consequences. if the online portal is hacked, it could expose stated vulnerabilities with the vendors now locked into their network effects. In addition, as a vendor, you need to have a record of all security questionnaires. What if you lose access? Whose loyalty does the online portal have?
Ah, now that is the key question because their loyalty is to their paying customer, i.e. the vendor's customer who asked them to use the online portal in the first place.
In my experience, these portals are a terrible experience for the vendor.
Most vendor management tools are built for the side of the table conducting the due diligence, not for vendors responding to due diligence. There are a lot of potential downsides to vendors for products built this way because they were not built with the vendor’s interests in mind. It can be a trap and one that can actually cost the vendor a lot of money. Before you get stuck in this Venus fly trap, first check with the customer if you can avoid using the online portal altogether and, if not, make sure the online portal allows you to download the questionnaire before you start answering. In my experience, once the questionnaire is complete, the online portal has no interest in responding to you. Finally, always try to respond to the questionnaire outside of the portal. You don't know how much of your correspondence within the portal is being saved.
Reach out to ClearOPS to find out how we help you solve the online portal problem.