Craft Compliance

How To Choose The Best Third Party Vendor For First Rate Cybersecurity


Vetting Your Vendors

Third party vendors are a great resource for your business—but how do you know how to choose the right third party vendor?

Third party vendors are able to specialize in a particular skill/project and as a result, efficiently provide their services to many customers. The customers, subsequently, get better prices and faster results than if they tried to do the same work themselves.

It is the classic example of skill specialization that allowed early communities to grow and modern economies to develop.

Nevertheless, vendors come with their own risks, as a group of around 5,000 schools discovered in early January when the vendor they used for their website hosting was taken offline by ransomware.

Similarly, AWS was affected by multiple periods of downtime in the past two months that consequently disrupted any company using AWS for hosting.

Because of these risks, it is important to establish a strong process for selecting a vendor so that their mistakes or weaknesses do not become your business's problems.

In general, that process should, at a minimum, include the following:


1. Selection requirements

  • These are the criteria used to select the vendor in the first place. Criteria likely include requirements around security, uptime, support, responsiveness, experience, etc.

2. Success criteria

  • Define what a successful engagement will be for you and ensure that the selected vendor can meet that definition.

3. Performance Review

  • Determine ongoing checks to verify that the vendor is continuing to meet your standards of excellence and performance.

For penetration testing vendors (about which we know a thing or two), that process may translate to:

Third Party Vendor Selection Requirements

These requirements are focused on the vendor performing the penetration test.

  • Can the vendor identify the consultant(s) who will actually be doing the work?

  • How many years of experience do the consultant(s) have performing penetration testing? Do the consultant(s) hold certifications or degrees in the field?

  • What is the vendor's methodology? Is it largely automated or mostly manual?

  • Can the vendor share a sample report that showcases their methodology and ability to communicate risk and vulnerabilities?

  • Is retesting included in the test?

  • How does the vendor maintain the security and confidentiality of your data and vulnerabilities?

Success Criteria For Your Vendor

This section is focused on your ability to get the most out of the engagement and whether or not the vendor can support that goal.

  • What does a successful penetration test report look like? Are you expecting a report without any high risk issues? No issues?

  • Are there security monitoring tools that detected the penetration test activity? How quickly did they trigger?

  • Does your security monitoring cover all areas that were tested?

  • Was any element of testing blocked? Should it have been?

Vendor Performance Review

For an ongoing contract, a regular performance review ensures that the contract always maintains value.

  • Is the service just as relevant to your team today as it was when it was signed?

  • Are you using the service/vendor to their full potential?

  • Is the product/service provided still meeting the selection requirements and success criteria?

Following this simple process to ensure you work with the best vendors will help you mitigate the risk that one of your vendors is your weakest link.


If you’re considering working with a third party vendor and would like to know more, feel free to contact us for more information.

