Did you know that your vendors could be your greatest security vulnerability? Just ask educational institutions about vendor security related to the Canvas breach. As an organization dependent on vendors, it's your core responsibility to ensure that third-party providers are meeting their annual security and compliance obligations in alignment with your requirements.

And that includes your compliance vendors.

But surely you can trust your compliance software provider, right? If anyone takes security and compliance seriously, it must be a compliance vendor. The cold, hard truth is that not every compliance software company is doing its due diligence. Some vendors are just code jockeys who think they've found a great niche for turning a profit.

Over decades in this space, I've learned that some organizations take these responsibilities seriously, while others do the bare minimum just to check the boxes so they can point to a piece of paper that says they are secure. The challenge is knowing who you're dealing with. You absolutely do not want to find out the hard way that your trusted vendor turned out not to be worthy of that trust.

There are several telltale signs you can pick up on during the evaluation phase and once you are actively engaged with a vendor. The cues in this article aren’t exhaustive, but they’ll give you a solid starting point for vetting your compliance software vendor.

How to Audit Your Vendors for Security and Compliance

Vetting During the Sales Process

During the initial evaluation phase, you absolutely should ask very pointed questions about their security and compliance status. 

While you must learn about their software’s functional capabilities, watch out for a compliance company that only talks about their product’s functionality. They should approach the conversation with a clear message like this: “We want to let you know that we care about your security, and here is how we do it.”

It’s a good sign when a vendor raises security issues before you bring them up. When the topic does arise, notice who is giving the answers, and how detailed they are. Are you getting high-level, fluffy directional statements from a sales representative? Or do they bring the head of their security and compliance program into the conversation to answer your questions with granular transparency?

Furthermore, any organization doing things properly should ask you for an NDA before revealing the detailed inner workings of its security program. If a vendor starts handing out sensitive details, or restricted-use compliance reports, without an NDA in place, that should raise an alarm: a company that isn't vigilantly protecting its own security-related information won't prioritize the protection of your data.

When you receive their actual compliance reporting (whether a PCI DSS Attestation of Compliance, a SOC 2 report, or an ISO 27001 certificate), don't simply accept it and assume it's up to snuff. Actually read it.

  • Does the documentation cover the specific services you plan on consuming?
  • Does it cover the physical locations from which the vendor's offering is provided?
  • Is the report current, and what period does it cover? A SOC 2 Type II report covers an observation period; a Type I report only describes controls as of a single date.
  • Was the assessment or audit performed by an independent third party, or is it a self-assessment?
  • Are they running their program as an annual compliance event, or gathering and validating evidence throughout the annual compliance cycle?
  • Check the report for exceptions noted during the last assessment. Exceptions give you a glimpse into how well the program is actually run.
  • If there were exceptions, were they one-off circumstances, or symptoms of a systemic gap?
  • How transparent is the vendor about its response and the correction?

With any vendor, there's a strong trust component in the relationship, so it's important to get to the bottom of those questions and gain the reassurance you need. You may be surprised to find a vendor specializing in compliance software that isn't adequately compliant itself. It happens, and more often than you think.

As part of the security and compliance vetting process, a vendor that willingly hands out documentation that should stay internal is showing you a huge red flag. Examples include:

  • Detailed vulnerability scan reports
  • Full penetration testing reports, with findings and affected systems
  • Detailed internal policies and procedures

What you should expect instead is an executive summary or attestation letter (for example, a penetration test summary stating the scope, the test date, and that findings were remediated), shared under NDA. If the vendor is not protecting its own organization by restricting sensitive internal information to a need-to-know basis, what else do you really need to know?

And, as always, if something just doesn’t feel right, trust your gut.

Keep Vetting During the Engagement

Once you've signed a contract and are actively engaged with a vendor, don't turn off your antenna. At a minimum, as with any other vendor, your compliance vendor needs to be included in your annual vendor vetting process.

As you move forward with the relationship, keep an eye out for warning signs that you may have missed during the sales cycle, and watch for indicators of internal stress or structural issues. Here are some warning signs you shouldn't ignore.

Support and Operational Philosophy 

If you submit a support request and the organization is clearly trying to do as much as possible with as little staff as possible, that is a strong indicator of its operational philosophy. If they shortcut support for their existing client base, what other corners have they already cut? If your vendor is all about profit and less about security, you have the information you need to make an informed decision.

A major red flag is receiving an automated response from a ticketing system and then not hearing from a live human being for days or weeks. Also look for internal process issues: did you request a task that was never completed, or was done incorrectly? That points to a lack of peer review and of quality control over the work being performed.

Change Control and Functional Releases 

When an organization does a functional release of its software, does everyone fear it? If a release is synonymous with a period of bugs and production problems, it indicates a serious lapse in change control maturity and in the security-related processes that depend on it.

A mature organization has developers performing unit testing, followed by integration testing to ensure the pieces play together. There should be peer code reviews and security reviews to determine whether the new code changes the existing security posture. A practical check: ask the vendor to walk you through a recent release, from the change ticket through review approval, test results, and the rollback plan.

If they can't get the baseline requirements for change control right, you can't have high confidence that they're paying close attention to security.

How to Tell if Your Vendors Are a Weak Link in Your Security

Instability and Turnover 

Massive turnover and constant position changes are signs of internal instability. If the organization is unstable internally, there is a much greater chance that it will negatively impact their security and compliance stance.

Acquisitions 

Watch out if the company gets gobbled up by a larger behemoth. Usually there's a halo period where the new owners just observe. But two to three months after an acquisition, the parent company starts making changes to monetize its purchase. The combined company suddenly has duplicate HR, accounting, development, and security teams, and consolidation follows.

I have very rarely seen an acquisition go through without something going sideways. This is a key indicator of whether the organization will remain effective at securing your data. Watch closely and ask questions.

Incidentally, this is one of the reasons that TCT is committed to never being acquired. We’ll never compromise on our clients’ trust in us.

The Ultimate Red Flag

Of course, the ultimate warning sign is a vendor whose name ends up in the headlines because of a security incident. Run.

What Makes TCT Trustworthy with Your Data

There’s a distinct reason why TCT is different from other compliance software vendors. We didn’t develop the TCT Portal with a mission to land with our feet in the sand on a beach.

My driving force is to help people in this space, period. I saw the pain I dealt with in my own compliance career, and I didn’t want others to go through it. I wanted to provide services to the security and compliance community that are both helpful and cost-effective.

You won’t find these warning signs at TCT, and we welcome detailed scrutiny from our prospective customers. We launched the TCT Portal in 2015, and we still have clients that started with us on Day One. We take our obligations to our customers seriously. 

If you’re seeing these red flags with your current vendors, we would be happy to have a conversation and see how we can help your organization stay protected.
