Occasionally you’ll see surprising news that a company in the security industry exposed sensitive data, or suffered some other catastrophic failure that affected its clients’ businesses. For example, there was the CrowdStrike outage in 2024, and LastPass has experienced multiple data breaches. Shouldn’t all cybersecurity and compliance companies be safe from data breaches?
No company is invulnerable to a cyberattack. However, the sad fact of the matter is that even in the security and compliance industry, not every provider diligently follows security and compliance best practices.
Just because a company provides compliance software and their platform can check all the controls against a compliance standard, that doesn’t necessarily mean they have a well-run cybersecurity program. The onus is on you, the customer, to thoroughly vet every security and compliance provider you do business with.
Let me repeat that. Like it or not, you are responsible for ensuring that your security/compliance vendors are fully dedicated to the highest security and compliance standards.
Vet Your Security and Compliance Vendors
Every compliance software company has to meet the bare minimum for standards of compliance. However, there is a wide variability from one vendor to another in terms of the strength of their program. You’ll even find variability from one Assessor to another. What may pass muster with one Assessment firm may not fly with a different one. Over the years, I have seen organizations quite literally doing “Assessor Shopping” where they seek out a lenient Assessor to facilitate their lacklustre approach to security and compliance.
What that means is that a security/compliance vendor may be able to pass their annual compliance assessment, but that doesn’t mean they’re running a tight ship all 365 days between assessments.
With proper vendor vetting, leveraging someone with substantial experience, one can usually identify the compliance software providers that cut corners.
A strong vendor vetting process is a good way to mitigate risk, but I would also recommend trusting the instincts of experienced reviewers. More often than not the paperwork looks fine, but detailed conversations with the vendor’s security team will inform reviewers far better than the vendor’s last annual compliance report alone.
How to Evaluate a Compliance Service Provider
You’ve probably heard the phrase “Trust but verify.” It applies to cybersecurity and compliance providers as well. It’s natural to assume that any company in the industry should be trusted to protect your data. But the fact is that the security sector is just like any other: not every founder knows what they’re doing, and some companies only truly care about making money while giving lip service to a strong security and compliance program.
So it is absolutely critical that, before you sign anything, you verify that every vendor you work with indeed has a strong security and compliance program you can trust.
How to Audit Your Vendors for Security and Compliance
Review their reports
Use the tools you have at your disposal. Start by requesting their compliance paperwork, Attestation of Compliance (AOC), and other reports for various standards that they’re going up against. Don’t just receive the reports and assume that having an AOC means a company is compliant. Just because a compliance software company can provide an AOC, that doesn’t mean they have a robust security program.
Instead, go over the documentation with a fine-toothed comb. The contents of those reports can be very illuminating if you pay attention to the details. For example, I’ve seen vendors provide the wrong AOC, which didn’t cover any of the relevant locations or services under contract.
What further muddies the water is that certain standards, such as SOC 2, allow organizations to define their own controls to meet the criteria of the standard. The net result is that each organization could meet the criteria using completely different controls. This puts the onus on you to carefully review the latest vendor annual report. I would strongly recommend reviewing their controls and doing a sanity check to determine if the strength of their security and compliance program aligns with your expectations of your vendors.
Ask pointed questions
Dig around outside of the compliance reporting you received for review. Find out who’s in charge of security and compliance at the organization — it SHOULDN’T be their IT personnel. Ask for specifics about how they run their program and who runs it.
Don’t be shy about getting the information you need. I’ve seen cases where the vendor had a dedicated department for replying to inquiries about their security and compliance. Those people weren’t experts in compliance, but an outer layer to field basic questions. If the person you’re talking to can’t provide the answers you need, then escalate to the next layer, where the actual experts are.
Check their history for breaches
Go online and do a quick search. Find out if there have been any inappropriate data disclosures or breach notifications. If so, that doesn’t necessarily mean you shouldn’t do business with the vendor, but it should definitely inform your next conversation with them. Find out how long ago the issues occurred, scrutinize the changes they say they’ve made since, and get details.
At the end of the day, it should be a clear sign of the vendor’s priorities if they’re experiencing issues with their security and compliance stance, or violating their agreements with their customers by exposing sensitive data inappropriately.
Find out who does what
The security and compliance provider should have some type of sanity check on their program, and it should be more than just their third-party assessment. The day-to-day operational personnel who run their systems shouldn’t be doubling as their compliance team, because they need someone external to keep them accountable. Instead, the provider should leverage a third party, or at least a completely segregated department under separate management, as internal quality assurance for the organizational security and compliance program.
Trust your gut
Pay attention to the nature of your interactions with the vendor, and don’t discount any gut feelings you have. Seasoned security and compliance professionals can tell pretty quickly if they’re dealing with an organization that doesn’t take compliance very seriously. It just shines through.
This isn’t a game. Vetting your vendors is critical to the protection of your organization. Take these issues seriously, and don’t have any patience for a security provider who doesn’t display the same level of seriousness. If you’re getting brushed off when vetting a vendor, take that as a major red flag.
Hire an Expert Security Consultant to Assist
If you don’t feel like you’re capable of performing a thorough review yourself, bring in a compliance expert to help you evaluate potential vendors. These are important decisions that could affect the viability of your business.
The last thing you should do is cross your fingers and hope you’ve made a good choice. Selecting a vendor that will be exposed to your organization’s most sensitive data requires a very high level of trust, and that trust demands deep vetting up front and ongoing attention afterwards.
Should You Be Concerned About AI Use?
Artificial intelligence has become the next big thing in software, and compliance platforms are no exception. But AI has also raised a lot of concerns when it comes to security. AI introduces potential vulnerabilities, so it’s important to know how the technology is being used.
Ask a lot of pointed questions of any provider that embeds AI into their software platform.
- Is the service provider sharing sensitive data with a third-party AI provider, or are they containing data within their own system?
- If they are sharing with a third party, who are they sharing it with? Dig deep into this.
- How is AI being used?
- Where exactly is the data going?
- What controls are implemented to prevent exposing sensitive data to a third-party AI system?
- Is the software provider actually using artificial intelligence, or is it essentially just coded automation?
Never assume that a software company is fully vetting the AI engine they use in their compliance management platform. Not everyone in the compliance industry does a good job of articulating exactly how information and data are being leveraged in conjunction with their systems.
Watch for Red Flags
You’ll probably recognize most red flags when you see them, but there’s one warning sign that’s worth calling out.
I’ve seen some security and compliance vendors instantly cough up internal documentation when asked for compliance reports. They throw their internal policy and internal procedures over the wall, handing over various pieces of evidence that they’ve leveraged for their own compliance program.
That’s a huge red flag, which should spark serious concern. Here’s why.
If a compliance and security provider shares their internal and external vulnerability scans and penetration testing reports, they’re essentially exposing mountains of sensitive internal data to you, without any filters. It’s very disturbing when an organization that’s responsible for protecting sensitive data is willing to hand over their own sensitive data to third parties.
If they don’t seem to be protecting sensitive data of their own company, how can you be confident that they’ll protect yours?
What they should do instead is provide their compliance reporting from their Assessor, such as an Attestation of Compliance (AOC) or equivalent, depending on the standards they comply with.
A knowledgeable reader should be able to review the AOC and make certain inferences — for example, which services were targeted as part of the assessment? What services do they offer that were excluded from scope? There’s a lot that can be gleaned from an AOC, and you won’t have access to sensitive information.
TCT includes an accompanying document to our AOC so reviewers can understand what they’re reviewing and better interpret the documentation.
How Does TCT Stand Up Under Scrutiny?
Officially, TCT isn’t required to be compliant with many particular compliance standards. Most of the data that we have in our systems would be categorized as personally identifiable information (PII), intellectual property (IP) and sensitive internal information. There isn’t a lot that obligates TCT to specific standards.
That said, from Day One, we chose to submit to the most prescriptive standard that existed at the time: the Payment Card Industry Data Security Standard (PCI DSS).
Not only does TCT use the PCI framework, we’ve also chosen to subject ourselves to an annual third-party assessment led by a Qualified Security Assessor (QSA). This annual third-party assessment ensures external accountability, so we can’t just say that we’re compliant. We prove it.
Any time a client asks to see details about our own security and compliance practices, we happily provide an AOC. We can produce the report at a moment’s notice, and we’re proud to show our customers how strong our security program is.
Many dozens of audit and assessment firms have validated and vetted our company. They put us through the wringer, and we were pleased to go through it, because it meant that our clients were taking their own security seriously. And we knew they would be impressed with their findings.
Find a Partner You Can Trust
Don’t do business with a security/compliance company until you’ve vetted them thoroughly. While it would be great to trust them all simply because they are security professionals, it’s critical to walk in with eyes wide open.
Your service providers should take their own security at least as seriously as you take yours — and they should be able to clearly demonstrate it. Find these companies, and you’ll have more than a transactional vendor. You’ll have a partner you can trust.