How can privacy and security crush third-party vendor reviews together? Top 10 questions answered

Recently, we hosted an IAPP webinar on how privacy and security can leverage each others' shared business goals to conduct third-party vendor reviews. Attendees had questions for panelists Dana Simberkoff, chief risk, privacy, and information security officer at Avepoint, and Ron De Jesus, CPO at Grindr. Below are 10 of those questions, answered. Now go crush those third-party vendor reviews.

1. How do I bring privacy into the actual decision-making process at my org?

It’s essential for you, as a privacy function, to get eyes on what’s happening. To do that effectively, you’ve got to build relationships with the product team. Once you have the visibility you need, build on that by being a good partner to the business. Make sure you know what the business objectives are and that you can articulate the risk and requirements and then balance those with the organization’s practical needs.

You don’t want to come in guns blazing by saying “no” off the bat. Try to understand what folks are trying to achieve and how you can help them meet their goals and stay within legal requirements, both.

And hey, if you hear something that raises your “privacy spidey sense,” toss out, “Let’s explore this more.” If you’re not only visible but also pragmatic, you’ll find you build credibility, and decision-makers will take you seriously.

Takeaway: Build relationships with product for visibility, ask questions to understand what they’re trying to achieve.

2. Can you give some practical advice on how to handle due diligence questionnaires from clients?

There are industry-standard templates (Google and Slack have open-sourced questionnaire’s, for example) or “pay” options that you can use as baseline questionnaires, and then you might tailor them to the needs of the biz. For example, if you’re a web-based company, you might emphasize the questions on data security.

It’s your job to tell the business or your clients, “Hey here’s where this is high-risk, and I don’t think we should move forward, are there other options?”

Takeaway: Find the template that works for you, tailor it to fit your needs

3. How can you get big suppliers to conduct reviews, like insurance companies, AWS, etc?

That’s tougher. If you want to do a security review of an Amazon or Microsoft, they may or may not give you the time of day. But those big companies tend to publicly document a lot of information on their sites about their privacy and security programs. You can search by every certification under the sun.

Many larger organizations understand the importance of doing those reviews and will have whitepapers and canned responses (SOC 2, NIST certs). There’s a lot of self-service docs out there where companies indicate, “Hey, we’re good on privacy and good on security.”

Takeaway: You’d have to be an absolute monster in the space for them to pay attention, don’t waste your time. Find the answers you need in public documentation.

4. I play both inbound and outbound roles on vendor management. Do vendors need a “sherpa” to guide them? Should I play that role?

Why not! It’s going to be different organization to organization. Sometimes the business will want the stakeholder, whomever will work with a vendor, to own this relationship because they have the most contact and credibility, and they’re paying the bill.

But there’s certainly value in having someone from the privacy/security side to help guide them through this process to cut down on the day-to-day work on vendor process.

Takeaway: Yes, if you’re the stakeholder, you should play a sherpa role.

5. Question: How long should my questionnaire be?

It’s subjective and based on your risk appetite. You may have a pre-questionnaire (what is it that you’re actually going to be doing for us?) that leads into various tiers of depth, depending on the service.

Asking if they’re certified to various industry standards and frameworks can cut down on some fact-finding. Those certifications will answer some of your basic questions.

There are great templates in the marketplace, but the questionnaire should diff based on if it’s a vendor providing a very limited transactional service for you vs. someone you’ll have an ongoing relationship with; a vendor that touches customer/employee data, for example. Depending on the vendor, they’re going to have different risk profiles, and you’re going to want different length questionnaires to reflect that. and gonna want diff lengths questionnaires to reflect that.

If you use a one-size-fits-all questionnaire, you’ll find some smaller vendors saying, “We can’t answer this, it’s nonsense.” But you also may not vet thoroughly enough if you’re using a standard template for a large vendor.

Takeaway: The questionnaire’s length will depend on your risk appetite, as well as whether the vendor is certified by various industry standard frameworks.

6. How long should my vetting process take?

The complexity of the purchase will impact how long the onboarding process takes. The goal is to educate the buyer as much as possible ahead of procurement. If the purchaser gets the questionnaire and whatever ISO documentation you may need up front, that cuts down on the back-and-forth you’ll need to do with the vendor.

Takeaway: It depends on how complex the onboarding is, but if you assemble your documentation for the business ahead of time, it can cut down on back-and-forth questions that eat time.

7. Question: How can you ensure your vendors are doing what they said they would?

There’s going to be a measure of trust built into these relationships, and you’re going to need to do periodic reassessments.

You can build provisions in your contract, such as audit rights, that allow you to break the deal if they’re not doing what they said they’d do. Or, that they must pay damages if they’re using data in unauthorized ways.

Vendors need to be able to prove that they’re doing what they say. The role of the privacy officer has changed in recent years: You have to be much more operational. If you have an unenforceable policy: Get rid of it.

Depending on what the vendor’s telling you, you might ask for evidence.

Takeaway: Write in provisions that allow you to ditch the relationship if the vendor violates the data-use terms.

8. Question: How can I document it if my organization takes on risk outside of our risk profile?

Privacy and security are advisors to the business. There are very few times when either team can truly say “no,” unless something is truly illegal. It may just be a very bad decision, and then it’s your job to articulate the potential consequences. But it’s up to the business to decide what the risk level is. It’s the C-suite job’s to present risk to the board, or whoever has to make that critical decision. If you’re helping them navigate through those decisions, you’re doing a good job.

It’s very easy to be on the mountaintop shouting, “This is what you need to do,” but there are a lot of factors going into the business’ decision-making on what that risk tolerance is.

In your standard review process, you’ll flag risks, and you may have some framework for different levels of risk. Then you need to report that to the stakeholder or decision-maker, and attach some controls or safeguards that might help mitigate that risk.

Takeaway: Advise the business on the risk, articulate the potential consequences.

9. Question: How can I gain the tech skills necessary to do my job well?

A lot of times it’s all about how do you build relationships within your organization. There are few things better than finally building those relationships internally, show you’re there for the business.

Find those product managers that will share with you how their products work. Be attentive, ask for help. People will want to explain what they’re doing, because often they’re excited about it and want to share. Once you have that relationship, your advice is taken more seriously down the line.

Takeaway: Build a relationship with your favorite PM.

10. Question: How can I mitigate vendor sprawl?

Realistically, you need a single source of truth, some repository that understands your vendors and how you’re using them, and which will remind you that when a change comes in, understands the vendors you have and how you’re using those vendors will remind you when it’s time to do a check.

It’ll help remind you, “Is there a reason to avoid using this vendor we onboarded? If so, we should deprecate.”

In M&A transactions, you’ll have your own set of vendors that don’t match up with theirs. Part of your initial diligence will require you to work with product, engineering and HR to ask, “How many of these can we integrate?”

Some will be easy to merge, others take some time. And for others, for purely aesthetic reasons sometimes, you don’t want to change, because their identity is tied to your way of doing things, and you want to keep those vendors.

Takeaway: Use tooling for an up-to-date, central source of truth on your vendors.

For more on this, check out this webinar on "How privacy and security can crush third-party vendor reviews, as friends."