Combating Third-Party Excuses to Your Information Security Requests
How to rebut the common (and illegitimate) excuses used by third parties for not complying with your information security due diligence requests
- By Evan Francen
- Aug 02, 2019
Some third-parties (or vendors) will think of every excuse in the book for not completing your information security risk assessment. The fact is, there are very few valid excuses.
In this article, I’ll cover a recent real-world example where a vendor came up with no fewer than 10 excuses. It takes some creativity to come up with so many excuses for not completing one questionnaire!
We’ll take each excuse and address it with a rebuttal, one by one. Use this article as a reference for your own third-party due diligence.
The foundation of every third-party relationship is just that, the relationship. Relationships with third-parties are just like relationships between people. A good relationship is based upon mutual trust and transparency.
When someone in a relationship fails to provide clear answers to legitimate questions you have about the nature of the relationship, it should erode trust and force you to act.
This is especially true in a customer/vendor relationship where the customer is supposed to be the one in power. As a customer, you deserve answers, NOT excuses.
What better way to demonstrate a point than to use a real-world scenario? In this scenario, the vendor came up with at least 10 excuses over the course of nearly four months for not complying with their customer’s request. Ready? Here we go.
Disorganization and stalling
This scenario starts with the vendor not knowing how to handle an information security due diligence request. Sometimes a vendor genuinely doesn’t know how to handle a third-party information security risk management questionnaire or inquiry, sometimes the disorganization is a stalling tactic (slow responses), and sometimes both apply. You decide.
March 25: The customer reaches out to the vendor’s salesperson to inquire about the completion of the customer’s third-party information security risk management questionnaire. The salesperson responds on the same day but isn’t sure where to send the questionnaire internally.
March 25 through March 29: There are back and forth communications between the customer and vendor, some between them and some internally. The communications are related to trying to find the right person within the vendor’s business to complete the questionnaire.
April 1: The vendor finds the right person to receive the questionnaire, and the request is forwarded to them.
April 2 through April 9: No response from the vendor.
April 10: 16 days have elapsed since the initial customer request. Vendor responds with their first (potential) excuse.
Excuse #1 – The NDA Excuse
“Due to the information included in the questionnaire you sent, we need an NDA signed prior to completion. I have attached a copy of our NDA. Can you please return a completed/signed document?”
Seems like a reasonable request. Maybe it’s not an excuse at all. Hard to tell at this point, but the customer should, and does, comply. It’s important to note that an NDA might already be in place as part of the existing relationship, and sometimes the vendor uses the NDA request as a stalling tactic. The customer completes and signs the vendor’s NDA on the same day.
April 11 through April 21: No response from vendor.
April 22: Twenty-eight days have now elapsed since the initial customer request. Vendor responds with their second excuse.
Excuse #2 – The Third-Party Excuse
“Thank you for completing the NDA. Due to confidentiality %REDACTED% does not supply security information via a 3rd Party. I have attached a summary of our Corporate IS Security Policies.”
What? On the surface this might seem like a legitimate policy, but in today’s business environment it’s not feasible in many circumstances. Cloud services and software as a service (SaaS) are commonly used for a variety of things, third-party information security risk management being just one of many. At this point, there are serious seeds of doubt appearing in the relationship.
April 23: Customer responds to the vendor: “In the cloud-based climate we all operate in today (and with %REDACTED% being a provider of cloud/hosted services) I find it hard to believe that you will be able to continue to operate with this policy.
I do appreciate you sending your Corporate IS Security Policies, however these do not cover the breadth or depth of areas that %REDACTED% needs addressed.
Given the fact that you cannot complete our questionnaire (and based on our policy requirements), we have three choices that I can see – none of which are terribly appealing:
- %REDACTED% manually creates an Excel version of our questionnaire that I can send to you to complete (you can then send this back via a secure encrypted method).
- %REDACTED% sends an assessor onsite to interview you (and/or others), validates evidence and documents all of the findings into a report that can be validated.
- %REDACTED% discontinues doing business with %REDACTED%.
Since options 1 & 2 will be quite time consuming and labor intensive for %REDACTED%, I will need to review further before proposing a solution. Option 3 is also not a preference for me – but truthfully, I’ve never had anyone refuse to use our tool before.”
In my opinion, this is an excellent response to this uncooperative vendor.
April 24 through July 14: 82 days pass with no response from the vendor, and now 112 days have passed in total.
July 15: Vendor responds with excuses #3 through #10. Some of these are classic excuses.
Excuses #3 through #5 – Credibility
If the NDA and third-party excuses didn’t work, why not attack the credibility of the customer’s process, tools and/or questions?
That’s exactly the tactic this vendor decided to try next.
Excuse #3 – The scoring used is arbitrary.
The customer uses VENDEFENSE where everything is scored and measured. Scoring and measurement are essential to management. You can’t effectively manage the things you can’t measure, but let’s explore the meaning of “arbitrary.”
Arbitrary – “based on random choice or personal whim, rather than any reason or system.”
VENDEFENSE scoring is far from random and certainly not based on personal whim. The same scoring is applied to each vendor every time.
The beauty is that vendors are always evaluated on a level playing field, and the logic is simple. The logic, in its simplest form, is better security = less risk = higher score.
The math behind the score is more complicated, but the logic is simple. The math behind the score must remain confidential (for now) because disclosure would lead to gaming the system.
The “personal whim” part of the definition of arbitrary is addressed by the fact that the scoring reflects the vetted opinions of more than a dozen seasoned information security experts, with more than 200 years of combined experience. The vendor’s excuse is baseless and invalid.
Excuse #4 – The questionnaire doesn’t comply completely with any one standard.
Another invalid excuse, and one that’s logically irrelevant. For one, there is no single standard used within our industry. Should a customer choose ISO 27000, COBIT, CIS, or NIST SP800-53, or some combination thereof? The purpose of any standard is to use it as guidance, and they all generally lay out the same best practices to varying degrees.
The VENDEFENSE default questionnaires are mapped to all the common information security standards without showing specific preferences to any one of them.
It’s fair to say that the questionnaires are based on all the standards as opposed to any single one of them. The reason we built it this way was to permit flexibility without compromising applicability. Again, the vendor’s excuse is baseless, illogical, and invalid.
Excuse #5 - The questionnaire doesn’t align with a risk management framework such as COSO.
This is a great example of the vendor not knowing what they’re talking about. There are two points of contention with the vendor’s argument: one, VENDEFENSE absolutely aligns with COSO guidance, and two, COSO isn’t specific to information security risk management.
First, a little background on COSO, which is short for the Committee of Sponsoring Organizations of the Treadway Commission. The mission for the organization, which was founded in 1985, is to become a “recognized thought leader in the global marketplace on the development of guidance in the areas of risk and control which enable good organizational governance and reduction of fraud.”
COSO’s most referenced risk management guidance is found in their publication titled Enterprise Risk Management—Integrating with Strategy and Performance (2017). The publication is written to address enterprise risk management, not specifically information security risk management.
These are different, but integrated things. Information security risk management is just one of many risks within enterprise risk management. There are 20 Components and Principles contained within the COSO framework, and VENDEFENSE aligns perfectly well across all of them. Another invalid excuse.
Excuses #6 through #8 - Deflecting
Another tactic that vendors will sometimes use is to deflect or blame someone else for their inability to provide answers. In this case, the vendor found two such someones.
Excuse #6 – Vendor claims they’ve been “advised by other audit firms that comply with AICPA audit standards” to not complete the questionnaire.
Really? Do audit firms actually advise companies not to answer third-party information security risk management questionnaires? In my 25-plus years of information security experience, this is the first time I’ve heard this excuse.
Let’s assume that we believe what the vendor is telling us. The audit firm(s) are giving advice that 1) is outside their area of expertise, 2) isn’t in the best interest of their client and 3) contains a conflict of interest. All three of which are bad.
Outside their area of expertise, meaning that audit and accounting are different from information security. Checking boxes is different from evaluating and calculating risk. Advising a client not to answer third-party information security risk questionnaires reeks of bad advice, which can only lead us to conclude that they lack expertise in this area.
This leads to the second problem, the fact that advising a client to not answer a third-party information security risk questionnaire is not in the best interest of the client.
If the questionnaire contains relevant and reasonable questions about information security, how could it be bad for business? Unless, I suppose, the vendor has something to hide.
Answering the questionnaire would be great for business if the vendor is doing the things they should be doing to protect the customer’s information. It seems the opposite advice would be better for the client.
The third problem is conflict of interest. Many audit and accounting firms offer information security-related services, and some of these services can be used for third-party information security risk management. Services like a SOC2 report and HITRUST certification generate millions of dollars for the audit and accounting industry.
Advising a client not to do something so that you can sell them something of your own, when it may not be in the client’s best interest, is what? It’s a conflict of interest. Either the vendor received some terrible advice or this is simply an invalid excuse. Either way, it’s bad.
Excuse #7 - Vendor claims that they’ve been advised by “3rd party legal counsel” to not complete the questionnaire.
Like excuse #6 (above), this is rare. In fact, I don’t recall hearing this excuse before either. It would be good for the vendor to elaborate on why this would be true. You’d almost think that not providing answers would put an organization at more legal risk than answering. I’m not a lawyer, so I won’t give legal advice here. This won’t stop me from calling BS though.
Excuse #8: The “debatable score” increases risk to my business.
Another in a series of invalid excuses. All scores are open for debate. The word “debatable” means open to discussion or argument. Scoring is a critical part of any risk management function because it grants the scorer some level of objectivity, standardization, and defensibility.
The best, or most applicable, scoring systems must be consistent and relevant. Consistent means that the scoring is applied the same way every time, and relevant means that the characteristics used in the score are relevant to what’s being scored. The scoring in VENDEFENSE is consistent and relevant. Debate what you want beyond this.
Excuses #9 and #10 – Miscellaneous
Miscellaneous excuses are those that are used just for the sake of using them. They don’t have any significant relevance for the customer or the vendor.
Excuse #9: The questionnaire “takes over 8 hours to complete as it is usually over 250 questions (with an upward bound of 650 questions).”
Two issues with this excuse right off the bat:
- This isn’t the customer’s problem.
- The math is way off; therefore, this isn’t just an excuse, it’s an exaggerated one at that.
8 hours = 480 minutes. 480 minutes / 250 questions = 1 minute 55.2 seconds per question (on average). How long does it take to answer a simple true/false question? Even the most unskilled information security person should be faster than almost two minutes.
How about the upper bound, 650 questions? 8 hours = 480 minutes. 480 minutes / 650 questions = 44.31 seconds per question (on average). Let’s test this quickly. Here’s a sample question from VENDEFENSE:
The organization has transferred information security risk by obtaining insurance.
Start the clock. Wait 44 seconds. Now answer with true or false. Feel about right? Probably not.
The excuse that it takes too long to complete the questionnaire is hogwash. The average time it takes to complete the most extensive VENDEFENSE questionnaire is 75 minutes. 75 minutes is probably half as long as it took for this vendor to come up with and document these poor excuses.
Excuse #10: The vendor claims to have tens of thousands of customers and claims that it’s just not possible to complete these questionnaires “at scale.”
The last excuse made by this real-world vendor is invalid for two reasons:
- The vendor’s inefficiency and scaling problems are not the customer’s problems.
- One of the key points of using VENDEFENSE is the scalability afforded to both the customer and the vendor. VENDEFENSE is built on an “assess once, use many” philosophy where the vendor can obtain one score and reuse that score across all VENDEFENSE customers (if they permit).
The fact is, there are few valid excuses for not completing a customer’s information security risk assessment questionnaire. Business is conducted on relationships, and relationships, at least the good ones, are built on trust and transparency.
Resisting a customer’s legitimate request for answers erodes trust and transparency, even to the point of losing their business. If I were the organization that received the slow responses and endless excuses that this one did, I would almost certainly take my business elsewhere.