CISO Forum Summary – Best Practices around 3rd Party Security Assessments

Every month, Fortify Experts holds CISO Round Tables discussing the latest trends and topics. Recently, we discussed best practices around 3rd Party Security Assessments.

From the security leaders who were present in the forum, here are some suggestions for best practices for assessing vendors:

  1. Work with business executives to establish a tier for each vendor, and make sure the business understands where each vendor is tiered:
    • Tier 1: Critical vendors: have access to PII and are connected to your systems (ex. HR SaaS providers, payroll firms).
    • Tier 2: Vendors who are connected or have access to PII (ex. digitally connected supply chain).
    • Tier 3: Vendors who are critical to the business but not directly connected (ex. suppliers of components for the products you manufacture).
    • Tier 4: Lowest priority: non-critical, non-connected vendors (ex. office supply or coffee vendors).
  2. Determine the level of scrutiny for each tier, for example:
    • Tier 1: These vendors get the most scrutiny: many security questions (could be 50-100), a risk assessment, and a personal follow-up on their answers.
    • Tier 2: These vendors are asked fewer questions (could be 10-15) but still get a personal follow-up on their answers as a validation step.
    • Tier 3: Incorporate security clauses into contracts, but no assessment is required.
    • Tier 4: Don't review.

Other Best Practices

Have a consistent process through the whole assessment so that every vendor has the same experience; this makes side-by-side comparisons valuable. One member took those comparisons to leadership, who were then tasked with giving us targets, which led to establishing budgets to achieve those targets.

Assess business owners to

Responding to 3rd party questions:
  • Invite them to review
  • 3rd party assessment providers (Bitsight, SecurityScorecard) – If others are
  • "Drive-by appraisal of your house"
  • Don't have much useful data.

Questions are so broad that they often don't ask the right things. Lockton is releasing a new 39-page assessment, adding the percentage of times each control was done.

Vendor security questionnaire using an automated 3rd party tool to reduce the workload and help focus only on scoring and high-priority issues. How often do you conduct the assessment?
  • At initial contract
  • Once a year
  • If they are breached

It is only a point in time (a check box). There is an issue with chasing vendors down to do it, and with who is entering the data, which could impact the validity of the assessment. The quality of results was low at best, but it was a check box.

RiskRecon is public-facing: it shows what is exposed on the internet but does not grasp what is exposed inside the infrastructure.

Companies with strong security processes are usually more apt to share their security protocols. Those who are immature, often delay their response.

If a firm is going to do business with a company no matter what the assessment says, then completing the assessment is moot.

If the vendor is risky, the business owner gets a letter declaring that there is a risk.

VSA (Vendor Security Assessment) – Approached the contract teams, which included a Security Addendum:
  • Mandatory annual security assessment
  • 48-hour notification of a breach
  • Mandatory to provide a contact name for their incident response
  • Protect data and provide evidence of that

This transfers the liability from Security to Legal. If the vendor is immature and redlines the security addendum in the contract, then the general counsel has to get involved and would be responsible for accepting the risk on behalf of the business.

That helps raise the risks to the executive team. The VSA can then be leveraged for cyber insurance, or for compliance with GDPR, SOX or HIPAA.

Enables the legal team to be the enforcement arm of your vendor assessments.

Security is not the "risk assessment" group. That's up to Risk or Legal. SaaS providers

Is a SOC 2 report enough to give a firm a pass in lieu of additional due diligence? As long as it is a SOC 2 Type II.

For international vendors, evidence of security is very limited, so look for any type of evidence to help show you took the best possible path for due diligence, to protect yourself in case an event occurs. Ultimately, would a jury of your peers agree that you did the best you could do in that situation?

Regulators are open to the idea of running this through a Risk Management Framework and asking whether you are willing to accept that amount of risk.

Is it right to 'hand over all your cyber stuff'? When asked "Send me all your policies":
  • Do you have anyone qualified to read and understand what we give you?
  • How are you securing our data, and what is the roadmap to our security?

Alternatives:
  • Written summary of policies
  • Long virtual sessions
  • On-site assessments are old school, mainly for highly regulated industries

CISO actions are tied to Business Development: go get a SOC 2 Type II assessment.

GDPR is a legal issue. The Chief Privacy Officer is responsible for data loss.

CISO’s job is to prevent and respond to breaches.

To protect firms from SaaS providers who might go insolvent, contracts would require them to escrow code and data in case

Have you posted all your security policies to your intranet? Do they show proprietary information?

3rd Party Evaluation Services:

  • Bitsight: active 3rd party monitoring. Bitsight might be antagonistic because there are errors which need to be resolved.
  • SecurityScorecard –

Technologies that may help:

Migrating from ServiceNow to ProcessUnity

In Summary:

Thanks to the security leaders who joined our CISO Forum and provided such insightful advice on how to improve your security program.

If you are a security leader and would like to participate in our monthly CISO Forums where we discuss valuable and actionable information as well as best practices and challenges, please register here.

About Tim Howard

Tim Howard is the founder of 4 technology firms, including Fortify Experts, which helps companies hire the Best Cyber Talent on the Planet and provides expert consulting and NIST-based security assessments.

In addition, he has a passion for helping CISOs develop Higher Performing Teams through coaching, by creating interactive CISO Forums, and by helping them create highly effective team cultures.

With each new hire, his firm produces an Employee Operating Manual to help clients understand how to motivate and maximize productivity while meeting the needs of each employee.

He also teamed up with Lyndrel Downs to launch Cybersecurity DIVAS to help promote the most influential women in cybersecurity and provide a mentoring program to help encourage and support more diversity within the industry.

Tim is married with 3 kids. He is an avid runner and has completed two IRONMAN Texas events. He is also a graduate of Texas A&M University. 

Invite Tim to connect: