Vendors, be wary of where you send your data

Caroline McCaffery
August 11, 2021

A Venus fly trap is a flower that catches insects as its prey using a terminal structure that is triggered when an insect touches the tiny hairs on the leaves a couple of times in a short period of time. Similar to the Venus fly trap, vendors who receive security questionnaires are now prey to a trap with its own “terminal structure,” called network effects.

The following quote from a press release by a company that provides third-party risk services (i.e., it helps customers conduct security reviews of their vendors) demonstrates my point: “[Buyers] can invite their vendors to participate [in a security questionnaire], at no cost to the vendor [deleted]. By completing an assessment, the vendor will become a part of the XXXX network. This lets them easily map their answers to assessments from other [Buyers in the platform], without having to start from scratch for similar questions. The [buyers] and vendors together create a network effect that improves transparency and efficiency for all participants.” [redacted to maintain anonymity]

Let’s break this quote down piece by piece.

First, buyers need help conducting security reviews. These days, there are many laws and regulations that require vendor due diligence. So how do buyers do it? They find a third-party service to help them. That third-party service invites vendors into its platform so it can capture them on the buyer's behalf and store the vendor's information.

So, the vendor receives a security questionnaire from a prospective buyer. The buyer invites the vendor to set up an account in that third party service. So, in this scenario, XXXX is letting the vendor access the buyer's questionnaire for free on the XXXX platform. Not only can the vendor access the questionnaire for free, the vendor can enter all of its data straight into XXXX’s platform, again, for free! So simple and great, right?

Well, hold on a second. The vendor feels pressure to skip its own security review of XXXX because it wants to make the sale. Enter all of its diagrams and answers to security questions? Sure, if it means a sale. But what happens to the vendor's data? Well, the press release says that by “completing an assessment, the vendor will become a part of the XXXX network.”

The question is, should the vendor trust XXXX? From XXXX's perspective, this is great because it has, in effect, trapped the vendor into becoming a customer of the network without any sales or marketing effort. The vendor signed up because it had to in order to get the buyer's business!

But there are many problems here for the vendor to consider. To win the buyer's business, the vendor is bypassing all of its own third-party risk management processes to sign up to XXXX. It's possible that the buyer is testing the vendor. Did the vendor push back on using XXXX without first conducting a security review? If not, doesn't that prove that the vendor doesn't have good security practices for managing its own vendors?

It is unlikely that the buyer is being this tricky, but there is nothing to stop a buyer from evaluating the vendor this way.

So now the vendor has stored its responses to a security questionnaire in XXXX. XXXX certainly doesn't want the vendor to churn, so it argues that there is a large benefit. The benefit is letting the vendor map the answers it provided to the buyer’s questionnaire onto any other questionnaire in the XXXX ecosystem. The argument is that this creates some sort of beneficial network effect, specifically transparency and efficiency for all.

But does it create a network effect that benefits the vendor?

Who else is in XXXX’s ecosystem? How does the vendor keep its answers up to date? Can the vendor use XXXX exclusively, or does it have to wait for more potential buyers to enter the network? Does XXXX provide the vendor with useful tips and tricks on how to improve its security and pass these security reviews? Where is the transparency?

This brings me back to the ultimate concern: can the vendor get its answers back out?

Most vendor management tools are built for buyers, not for vendors. Products built this way carry a lot of potential downsides for vendors because they were not built with the vendor’s interests in mind. It can be a trap, and one that can actually cost the vendor a lot of money. Before you get stuck in this Venus fly trap, ask if you can download the questionnaire and keep it in your own systems, or better yet, choose ClearOPS, because our platform is built for vendors.