It’s no secret the number of third-party security incidents continues to rise annually. Last year started with the SolarWinds breach, ended with Log4j, and virtually every day in between was marked with news of one breach or another.
Recent research by Whistic found that nearly half of all businesses surveyed experienced a data breach in the last three years, with more than 80% of those being caused by third-party vendors. Cleaning up after a breach can be costly, and not just from a financial perspective ($4.24M/incident according to IBM): the damage it does to your brand and customer trust is often insurmountable.
With that potential threat ever present, cybersecurity leaders now require most vendors to pass a security review before being brought into their environment. Despite that knowledge, most teams often put the security review off until the very end of the sales cycle, which can push deals to the next quarter or, in some instances, cause them to lose the deal outright because they didn’t respond quickly enough.
In fact, according to the State of Vendor Security report, 90% of sales reps said they have at least one deal push per quarter because they can’t respond to security reviews in time.
In the past, this was because of how difficult the vendor assessment process was for both vendors and customers. Up until recently, the primary tools for managing vendor assessments were spreadsheets and emails, which made it difficult to keep track of where vendors were in the process and to ensure each assessment got completed, especially considering the volume of vendors assessed each month.
As a result, customer/vendor relationships were often adversarial instead of collaborative. It was almost like pulling teeth for customers to track down all of the information needed to initiate the assessment and it would only get worse once they started engaging directly with the vendor.
However, as technology has advanced in recent years, those relationships are starting to improve and clients are beginning to look at their vendors as partners when it comes to security, which is the way it should have always been.
It is in this environment that Whistic joined together with other top technology vendors, including Okta, Airbnb, Zendesk, Asana, Atlassian, Snap, Notion, TripActions, and G2, to form the Security First Initiative with the goal of making transparency between vendors and customers the expectation instead of the exception. The reasoning is that transparency leads to trust, which ultimately leads to better protection against third-party incidents for everyone involved.
In a nutshell, the vision of the initiative is this: The future of vendor security must be built on a foundation of collaboration...[It’s] the only way to meet the needs of both buyers and sellers in the ecosystem. It’s also the most efficient way to make transparency the expectation in vendor security, and when that happens, everybody wins.
Making it easy for vendors to consolidate all of their security documentation, standard questionnaire responses, certifications, and audits into an easy-to-share security profile ensures that companies have no excuse not to share their security information as early as possible in the sales cycle. Taking the extra time to build out a profile before your customers ask can save countless hours that infosec and cybersecurity teams once spent reacting and responding to one-off requests.
An added benefit for vendors is that a transparent security posture can also be a differentiating factor between you and your competition that ultimately leads you to close more business. According to the 2021 State of Trust and Transparency, 90% of respondents indicated that when a company publishes their security and compliance information publicly it increases their trust in that business. Additionally, 96% of respondents said they would be more likely to purchase from a vendor that is transparent about security posture.
If you would like to join the Security First Initiative or would like more information, you can read more about the initiative here.
Originally published in Cyber Defense eMagazine – May 2022 Edition 147 Copyright © 2022, Cyber Defense Magazine. All rights reserved worldwide.