June 20, 2023

The Best Online Platform to Respond to Security Questionnaires

A very popular way for a client's prospect to send a security questionnaire is through an online portal. However, these present new problems and possibly security traps. This post describes how you can mitigate.


A Venus fly trap is a flower that catches insects as its prey using a terminal structure that is triggered when an insect touches the tiny hairs on the leaves a couple of times in a short period. Similar to the Venus fly trap, vendors who receive security questionnaires are now prey to a trap with its own “terminal structure”: network effects.

The following quote from a press release by a company that provides third party risk services (i.e., it helps customers conduct security reviews on vendors) demonstrates my point: “[Customers] can invite their vendors to participate [in a security questionnaire], at no cost to the vendor [deleted]. By completing an assessment, the vendor will become a part of the XXXX network. This lets them easily map their answers to assessments from other [customers in the platform], without having to start from scratch for similar questions. The [customers] and vendors together create a network effect that improves transparency and efficiency for all participants.” [redacted to maintain anonymity]

Let’s break this quote down piece by piece.

First, customers need help conducting security reviews. These days, many laws and regulations require vendor due diligence. So how do customers comply? They find an online platform to help them. That online platform is provided by a third party. That is problem number 1.

So, the vendor receives a security questionnaire from a prospective customer when the customer invites that vendor to set up an account on the online platform (hosted by a third party). In this scenario, the online platform is free to the vendor so that the vendor can complete the security questionnaire. Not only can the vendor access the questionnaire for free, the vendor can enter all of its data straight into the online platform, again, for free! So simple and great, right?

Well, hold on a second. The vendor feels pressure to skip its own security review of that online platform because it wants to make the sale. Talk about an imbalance of power. But what happens to the vendor's data? Well, the press release says that by “completing an assessment, the vendor will become a part of their network.”

The question is, should the vendor trust the online platform? From the online platform's perspective, this is great because they have effectively trapped the vendor into becoming a customer of the network without any sales or marketing effort. The vendor signed up because it had to in order to get the customer's business.

Not only is it a problem that the vendor was unable to perform a security review of that online provider, but now its data is living with that online provider and is being shared. The first part could even be a trick by the customer. The customer might be watching whether you ask them about the security of the online portal, to see if you do in fact follow your own stated vendor management process. That is almost evil.

Now, it is unlikely that the customer is being this tricky with the vendor, but there is nothing to stop them from evaluating the vendor this way.

This inability to conduct a security review of the online portal naturally leads to the question of whether that data is secure. Can the vendor get their data back out? Can they ask that it be deleted? Who owns the answers to the security questionnaire? The vendor, the customer or the online portal?

These are serious questions with serious consequences. If the online portal is hacked, it could expose the weaknesses that vendors disclosed in their answers, and those vendors are now locked into its network effects. In addition, as a vendor, you need to keep a record of all security questionnaires. What if you lose access? Whose loyalty does the online portal have?

Ah, now that is the key question because their loyalty is to their paying customer, i.e. the vendor's customer who asked them to use the online portal in the first place.

In my experience, these portals are a terrible experience for the vendor.

Most vendor management tools are built for the side of the table conducting the due diligence, not for the vendors responding to it. Products built this way carry a lot of potential downsides for vendors because they were not built with the vendor’s interests in mind. It can be a trap, and one that can actually cost the vendor a lot of money. Before you get stuck in this Venus fly trap, first check with the customer whether you can avoid using the online portal altogether and, if not, make sure the online portal allows you to download the questionnaire before you start answering. In my experience, once the questionnaire is complete, the online portal has no interest in responding to you. Finally, always try to respond to the questionnaire outside of the portal. You don't know how much of your correspondence within the portal is being saved.

Reach out to ClearOPS to find out how we help you solve the online portal problem.

About the author

I really enjoy helping people. I am terrible at receiving help.
