As the new year begins and we’re thinking about how 2022 will differ from 2021, we wanted to take a step back and go over some of the big rocks we see gaining importance in the near future. Over the course of the next four blog posts we’ll dive deep on the trends in vendor security that will shape the future. First up is transparency.
Previously, vendor security was more reactive and manual. Companies would go through the sales process and ultimately select a vendor, but before a deal could be finalized that vendor needed to pass a security review. Oftentimes these security reviews were painful for both sides and instead of working together like business partners, it was like pulling teeth to get all of the necessary security information to complete a review.
But it doesn’t have to be that way. One of the best ways to fight back against third-party incidents is to ensure that vendors and customers take a collaborative approach to ensure appropriate security measures are in place. If we approach the relationship in the spirit of partnership, with transparency from the buyer regarding security requirements and expectations, and transparency from the vendor regarding the ability to meet those expectations, this sets the stage for a working relationship founded upon trust.
The more buyers can create an open line of communication and indicate to vendors that transparency is more important than checking all of the boxes, the better organizations will be able to work together to protect against potential threats.
According to the Whistic 2021 State of Transparency and Trust Report, 96% of those surveyed indicated they would be more likely to purchase from a vendor that is transparent about its security practices. When you proactively share your security information at the outset of the relationship, even before that information is requested, it helps speed up the process for all parties. Trust accelerates business.
Publishing and sharing security documentation and requirements
A good starting point for vendors is publishing all of their security information including completed standard questionnaires and frameworks, supporting documentation, certifications, and audits on their websites and to exchanges like the Cloud Security Alliance STAR Registry and Whistic Trust Catalog. This makes it easy for potential customers to assess your security posture before they even engage your business.
Next, vendors should proactively share that information with customers and prospects at the very beginning of the relationship to show they have nothing to hide and start building trust as early as possible, enabling the buyer to get an accurate view of any gaps that they’ll need to collaborate on with the vendor.
On the flip side, companies should be up front about what their security requirements for vendors are, what questionnaires and frameworks they use as the basis for their assessment, whether they require a SOC 2 Type II audit or ISO 27001 certification, etc. This can be included in your initial outreach to a vendor or on your request for proposal. Getting security assessments out of the way early speeds up both the buying and selling cycle and saves InfoSec teams on both sides of the transaction time and money.
Read Our New eBook: 4 Vendor Security Trends Whistic is Watching in 2022
In this ebook, we’ll dig deeper into each of these topics and provide actionable ways you can incorporate them into your vendor security strategy going forward.
Hunt for and publish vulnerabilities
As hard as quality assurance and security teams try, vulnerabilities will still make it into production code. That’s just a fact of life, but just because you may have identified and mitigated a vulnerability doesn’t mean you are helping move the industry forward. This is another area companies can work to be more transparent.
Jerry Bryant, senior director of security communication, product assurance and security at Intel touts public security reporting in Security Magazine. He says, “It’s not enough to simply identify and mitigate product vulnerabilities effectively. An important aspect of establishing security assurance is public disclosure. Industry leaders must raise the bar for transparency by making product security metrics available within the market. This should include details on internally and externally identified threats, and more.”
As we highlighted in the 2021 State of Transparency and Trust, few companies publish information about vulnerability disclosure or detailed results from their bug bounty programs. But if you want to show customers you take security seriously, you’ll be more proactive and transparent about engaging with the public about identifying and fixing potential vulnerabilities in your code. As Bryant stated, once the vulnerability has been found, be quick to inform customers and the public about it and what efforts you’ve taken to resolve the situation.
To learn more about 2022 vendor security trends according to Whistic, download our latest ebook and be on the lookout for our next blog post that will dig into the importance of standardizing how security information is shared.