EP 13: Small Companies Struggle with Big Company Cybersecurity Questionnaires
About this episode
December 26, 2018
Kip Boyle, CEO of Cyber Risk Opportunities, talks with Jake Bernstein, JD and CyberSecurity Practice Lead at Newman DuWors LLP, about how smaller companies struggle to respond to cybersecurity questionnaires from bigger customers.
Kip Boyle: Welcome to the Cyber Risk Management Podcast. Our mission is to help executives become better cyber risk managers. We are your hosts, I'm Kip Boyle, CEO of Cyber Risk Opportunities.
Jake Bernstein: And I'm Jake Bernstein, Cyber Security Counsel at the law firm of Newman Du Wors.
Kip Boyle: And this is the show where we help you become a better cyber risk manager.
Jake Bernstein: The show is sponsored by Cyber Risk Opportunities and Newman Du Wors LLP. If you have questions about your cyber security related legal responsibilities...
Kip Boyle: And if you want to manage your cyber risks, just as thoughtfully as you manage risks in other areas of your business, such as sales, accounts receivable and order fulfillment, then you should become a member of our cyber risk-managed program, which you can do for a fraction of the cost of hiring a single cybersecurity expert. You could find out more by visiting us at cyberriskopportunities.com and newmanlaw.com
Jake Bernstein: So, Kip, what are we going to talk about today?
Kip Boyle: Today, Jake, we're going to talk about how smaller companies are struggling to respond to the cyber security questionnaires that they're getting from their much larger customers and prospective customers.
Jake Bernstein: And when you say, cyber security questionnaires, what we're talking about is the supply chain risk management that's been going on all over the place, right?
Kip Boyle: Yeah, that's right. So what's happening is that if I'm a purchaser of outside services and I'm considering doing business with one of these companies, then I'm going to want to do my due diligence to make sure that they're a good cyber risk manager. I'm probably going to trust them with some of my sensitive data, and I want to make sure that they're going to do a good job of taking care of it. And I think that the urge here is a wonderful urge. Companies should be managing the cyber risks in their supply chain. There's no doubt about that. [crosstalk] There's a lot of virtue in that.
Jake Bernstein: Absolutely.
Kip Boyle: Yeah. But you and I both have customers that struggle to respond to these lengthy cyber security questionnaires that they're getting from large enterprises.
Jake Bernstein: And today we're going to give you some insights into that struggle, and how we've seen our clients handle it. And it is a struggle. These questionnaires are sometimes very long, very detailed. They request documentation in addition to self-assessment on many levels.
Kip Boyle: Yeah, exactly. So the customer I'm going to talk about today is a software as a service provider to the insurance industry.
Jake Bernstein: And my client is a technology provider to large retailers.
Kip Boyle: Okay. So just let me paint out the context here a little bit more. So the economic driver again here is, these large enterprises are trying to manage their cyber risk in their supply chain, and I'm heavily influenced by the AICPA's SOC 2 Report. In that attestation, they refer to these outside organizations as, service organizations, right? Because they're performing some service for the buyer. And the issue is that it's just all too common these days for a cyber attack against a large company to go through one of their smaller partners. And if you remember the Target credit card data breach, they're absolutely the poster child for this, although it's happened to many large enterprises.
So Target the retailer, 40 million credit card and debit card numbers were breached in 2013. And after the forensics were completed, turns out that they had a supplier portal, an internet facing web app. And one of their refrigeration contractors, Fazio Mechanical, caused the compromise of Target through that connection between them. So, there's no doubt that this is a real thing. So, if you're a listener and you're managing a larger enterprise, that's a big takeaway for you, is that you are vulnerable through your service organizations. And if you are a service organization, and you're starting to get these questionnaires, or maybe you've been struggling with them for a while, know that this is because you are an attack vector.
And what Jake and I are seeing is that every questionnaire that our customers are getting is different. There's no such thing right now as a standard questionnaire. I can't even count how many that I've seen that are different. And I'm seeing that most of them require somewhere between four and eight hours to complete. How does that track with your experience, Jake?
Jake Bernstein: That would be on the low side of time required, particularly when you look at the ones that are requiring documentation in addition to just answering questions.
Kip Boyle: Right. So it's 48 hours just to complete the first pass, wouldn't you say?
Jake Bernstein: Yeah. No, that's like first draft.
Kip Boyle: Yeah.
Jake Bernstein: A lot of the time, these are major undertakings. And the problem is that they're not optional because a lot of the times the unspoken risk is that, if you don't fill this out, you'll lose the work. And sometimes it's not unspoken. It's actually very clear, do this or else. And it's an uncomfortable position for a lot of smaller businesses to be in.
Kip Boyle: Right. So this is part of the sales cycle for these small companies, is they're describing to these large enterprises what are the benefits of working with them. And then part of that larger sales conversation is, oh, by the way, please fill out this cyber risk questionnaire. So, most sales organizations have zero experience with this, right? They don't know how to answer these questions. And so they have to figure out, okay, who can I turn to in my organization as a service organization, who's going to help me fill out these questionnaires and how are we going to know what's a good answer? Right? It's hard to know.
Jake Bernstein: It is, and one of the problems here is that, some organizations will look at these questionnaires as sales blockers-
Kip Boyle: Hmm.
Jake Bernstein: ... and it will be incumbent on the sales team to clear the blocker. And so what I've seen is, let's just say attempts at answering these that are done by sales guys who don't know and who don't understand either the legal force of what these questionnaires do and are for, and who probably don't understand the substance of what they're answering either. And that is a potential problem. That's as big of a problem as not answering the questionnaires at all.
Kip Boyle: Yeah. It's a big struggle. And the temptation, as you said, to just put down what you think the customer wants to hear, crossing your fingers and hoping that you never actually have to prove that, that it never actually comes up again, that temptation must be really strong to avoid the hours and hours of work that goes into actually putting together a reasonable response.
Jake Bernstein: It is. And in fact, it's particularly challenging when you are in the position of knowing you need this sale, right? Like, we're in a growth mode, we need this revenue. A lot of the times, the smaller companies aren't ready for these types of questionnaires. And it's a real unknown as to how these companies are supposed to deal with it, particularly since, as you said earlier, there's not a standardized form.
Kip Boyle: Right.
Jake Bernstein: They're all-
Kip Boyle: There's not a standard form, there's not standard questions, right. It would be one thing if it was... Well, we see the same questions all the time, but they keep coming in a different order, or they're packaged differently. But it's not even that good.
Jake Bernstein: It's not. And unfortunately, you also tend to see, for any given customer, the same form given to all vendors. And the problem with that is that all vendors are somewhat different.
Kip Boyle: Mm-hmm (affirmative).
Jake Bernstein: So what you see is a great deal of redundancy or irrelevancy, but determining what's relevant or redundant takes a certain amount of expertise.
Kip Boyle: Yeah.
Jake Bernstein: And a lot of our clients don't have that expertise.
Kip Boyle: Right.
Jake Bernstein: So these questionnaires are intimidating, but they're very important.
Kip Boyle: Right.
Jake Bernstein: So how has your particular client struggled with this?
Kip Boyle: So it's been so enlightening for me to be a part of some of my smaller customers and the work that they're doing, because I've actually seen both sides of this. I've been on actually both sides of this transaction here. I've been part of a larger organization, and I've consulted two larger organizations that are trying to get their arms around this issue of cyber risk supply chain management. So I understand why they're doing this, but until I started assisting my smaller companies and some of them pursuing smaller deals, I really didn't understand the impact that it has on them. So this has been very, very good for me to see.
But the one thing that I would say, you were touching on it a moment ago, which is, large enterprises are evaluating every one of their vendors using a one-size-fits-all process. And then the other corollary to that is, their perspective, not surprisingly, is, well, what would we do? Right? So if I'm a multi-billion dollar organization and I'm buying services from a multi-million dollar and sometimes small million dollar service organizations, that's just unrealistic to expect. For example, that you're going to even have a single, dedicated cybersecurity person in these smaller service organizations, isn't realistic. Their budgets can't even afford a single dedicated person.
So that's another mismatch that I see. And some of the deals that I've seen these questionnaires show up for, you're talking about a $500 a month service offering-
Jake Bernstein: Exactly.
Kip Boyle: ... for a SaaS software or something like that. And even though a SaaS price point of $500 a month is probably giving the service organization, say, an 80% or a 70% margin, these small companies are saying, look, if I respond to these questionnaires in full and all the follow-up activities, I could lose all my profit for the first year or more-
Jake Bernstein: Or more.
Kip Boyle: ... because the deal size is not that great. And so, one of the things that I've seen my customers do-
Jake Bernstein: I just want you to pause there for one second, just do some quick math. I have a client who I've worked with on this, and a lawyer is about $350 an hour. If it takes 10 hours, that's $3,500 just having your lawyer help you fill out one of these forms-
Kip Boyle: Right.
Jake Bernstein: ... and to get the documentation ready at $500 a month.
Kip Boyle: That's a $6,000 annual deal, and I've just lost $3,500 of my $6,000 deal to my attorney.
Jake Bernstein: Exactly. And even if you assume a 70% margin, you've spent 80% roughly of your profit through the entire first year to answer one questionnaire.
Kip Boyle: Yep. Yep. And so the economics are pretty straightforward, and that's exactly what's going on.
Jake Bernstein: But here's the real pain point, is that the economics are straightforward, but what if you have your sales guy fill out the questionnaire and then something goes wrong?
Kip Boyle: Hmm.
Jake Bernstein: Now, suddenly what seemed painful by using up 80% of your profit for the first year could become the company litigation. That's even worse. So, it's not as simple as saying, oh, well, the money doesn't work, so we're just going to fill this out quickly. You could do that, but that is a huge risk.
Kip Boyle: And we know that small companies are in the business of taking risks.
Jake Bernstein: Yeah.
Kip Boyle: But I think that would exceed the risk appetite of just about anybody. Maybe Elon Musk would sleep well at night knowing that, he's a big risk taker, but I don't know-
Jake Bernstein: Perhaps he is.
Kip Boyle: ... how many other people would?
Jake Bernstein: Yeah. It's a real rock and hard place situation.
Kip Boyle: Yeah, definitely. So, the other thing that I'm seeing my customers say, are things like, maybe I should just not pursue these smaller deals. Maybe I need to have a minimum deal size, and I'm just not going to consider anything less than that. That's one way of dealing with this. Another way that I've seen my customers deal with this, and they've actually got some traction with this, and I was surprised but glad, is, they'll allocate a certain amount of effort to filling out a questionnaire. But then beyond that... Let's say, they'll say, well, I'll spend two hours working on this, but anything beyond two hours and you, the large enterprise, are going to have to pay us to do that, $200 an hour, $250 an hour, at cost, whatever it is.
And essentially what the small organizations are saying, look, we understand that you need to do this due diligence, but we can't afford to keep up with you. So you are going to have to shoulder the vast majority of the cost of conducting this due diligence. So they're actually pushing back and they're actually pushing the costs back onto the large organizations. It doesn't work in every case, but I've seen it work.
Jake Bernstein: And that's a big risk, because you're basically telling your customer, that's fine, we'll do this, but we're going to put this cost onto you. That could backfire.
Kip Boyle: Yeah. It absolutely could backfire. But if you are in a situation where the economics are as we've just described it, and you're thinking to yourself, well, if I push back and ask for them to pay for it, and if they choose not to, oh, well, I'm not going to take the deal because I can't make any money on it. So it's almost a can't-lose proposition because if they say, yes, well, then you might be able to win some actual profitable business. So-
Jake Bernstein: It's true. It's true.
Kip Boyle: So, it pencils like that. On the other side of the equation, if you look at the large enterprise perspective, if they say to a small service organization, well, no, we're not going to pay for you to do the due diligence, just forget it and, deal off, we're not going to go any further, well, one of the consequences to that in terms of economic innovation, technical innovation, is, these large enterprises just simply will not be able to take advantage of a lot of the new, latest offerings in the market space, because these are startup organizations, small companies. And that's where all the innovation's coming from. So there's a real potential blocker here for more innovation and more economic benefit if these smaller deals just can't seem to be put together.
Jake Bernstein: Yeah, I totally agree. There's not a good answer for this yet at all.
Kip Boyle: No.
Jake Bernstein: And it is becoming, I think, a serious concern for smaller companies.
Kip Boyle: But a recommendation that I would give to a large enterprise that's in this situation is, think about, how can you scale the due diligence burden? Right? So, if you know you're going to be taking a look at a service organization, how can you thoughtfully decrease that burden so that it's affordable to that small organization? What things can you do there? Can you cut down the questionnaire? Maybe you can come at it from, what 20% of all these questions, if I just ask 20% of them, which ones would give me 80% of the risk management benefits?
Kip Boyle: Right.
Jake Bernstein: Right. And maybe this goes beyond the Pareto principle, which looks more at what 20% gets you 80% of the way there. I would actually say that if you're asking irrelevant questions, you're actually outside the Pareto principle in general, you're out in left field and you shouldn't be.
Kip Boyle: And I want to give you a great example of that, because this came up recently. So a large enterprise had passed off a questionnaire. And in the questionnaire, there were a bunch of questions about Payment Card Industry Data Security Standard, PCI DSS. And the person at the large enterprise was an administrative person, not a cyber security expert. And so they just said, here, fill this out. And the credit card data wasn't at all in the scope of this deal. And yet here are all these questions about PCI. And so the service organization pushed back and said, we're not going to answer questions about PCI because it doesn't make any sense in this context.
But the person at the large enterprise didn't understand enough about what was going on here to be able to say, you know what, that's totally reasonable. Let's strike those out of the questionnaire. Instead, they dug in their heels and they said, oh, no, you have to answer every one of these questions, no matter what. And the tone that the large enterprise representative took was, oh, are you trying to pull a fast one on me? Are you trying to cut down your workload at our expense? It was a very accusatory response-
Jake Bernstein: Well, and-
Kip Boyle: ... and not well informed.
Jake Bernstein: And that goes back to the issue where you have a sales guy who sees it as a sales blocker on the vendor side, got the same problem on the big enterprise side, right?
Kip Boyle: Absolutely.
Jake Bernstein: You have account managers or in-house vendor managers who are... They're acquisitions guys and... Maybe that's the wrong word, resources, resource management, things like that.
Kip Boyle: Well, they're buyers.
Jake Bernstein: They're buyers. They just want to get this stuff done.
Kip Boyle: That's right.
Jake Bernstein: Right.
Kip Boyle: Yep.
Jake Bernstein: They're not cyber security professionals. They don't understand the significance of what they're asking. They just know that, in order for this to be signed off by security and legal, that these questions have to be done.
Kip Boyle: So it's a deal blocker for them.
Jake Bernstein: It's a deal blocker for them, and they want to get their job done. I understand, I get it, but the situation is probably going to get worse before it gets better. You're going to need to have both sides take a reasonable approach to dealing with this.
Kip Boyle: Right. So let's talk about what that might be like. So, one of the things that I'm seeing out there in the market space is vendors that are starting to emerge, and this is exactly the pain point that they're trying to address. So a vendor that I've been hearing a lot about lately is called Security Scorecard. And what they do is they provide a credit-report-style numeric score, and it says, this organization, based on our interrogations, the vulnerabilities that we're seeing in their internet facing servers, and us looking at the chatter about them that's going on in social media, here's their score in a 300 to 800 range. So it's a lot like the individual credit scores that you and I have maintained on us in order to say how good of a payer are we, in a credit-granting situation.
So, I actually have a very, very large customer that's saying, if we can't do vulnerability scans as part of our due diligence because the service organization won't let us, well, then we're going to go buy a report from Security Scorecard, and we're going to use that instead. And so, there are definitely vendors, entrepreneurs trying to come into this space and provide a way of addressing this pain point. The thing about Security Scorecard that I looked at and I thought was really interesting is, it seems like that would be a very easy thing to game. [crosstalk]
I would love to know more about how they do that. Because I talked with one customer who got scanned by Security Scorecard, and they were just livid at some of the gross inaccuracies that they saw in that report because Security Scorecard thought that they were scanning all the right networks. But they got it wrong. They over-scanned in some places, under-scanned in others. And so it's a pretty blunt instrument at this point.
Jake Bernstein: It is a blunt instrument. And I'd say that it's also very automated. Automation is really important in security, but it is also a major risk factor when you over-automate without thought. And Security Scorecard is a useful tool, much like Qualys. Volume scans and network scans are useful tools. I totally am on board with the concept, but it's too tempting. It's dangerously tempting to say, well, we're going to make decisions based off Security Scorecard. And-
Kip Boyle: On the assumption that it's high fidelity-
Jake Bernstein: Yeah.
Kip Boyle: ... high quality data. And the thing about it is that, if you look at the questions on the questionnaires, only a very small fraction of those questions actually have to do with internet facing security postures. There's-
Jake Bernstein: Absolutely.
Kip Boyle: ... so many in there that you need to know about, their change control and that sort of thing, and Security Scorecard and other vendors like them, I don't know how they could address those things. So it's just one little sliver of what's going on.
Jake Bernstein: What's interesting, just a last thought here, is that because GDPR is everywhere and ever present, did you know that there's actually a specific right to basically appeal automated decision processes? If you're an individual... The GDPR doesn't apply to businesses, it only applies to individual, natural persons. But the concept is that, we're already recognizing that an automated decision process can introduce a level of unfairness into a procedure. Right? And think about, as an individual... A credit check is a good example, it's an automated process. And if you think something's wrong with that, you actually have the right to challenge that under European law.
Now imagine if you're a business in this situation and for whatever reason, there is some automation going on, perhaps something like Security Scorecard, and it's causing you to lose business. Where do you appeal? Who do you go to?
Kip Boyle: Yeah.
Jake Bernstein: And so it wouldn't surprise me at some point, if that idea of an appeal, of an automated decision process, is extended.
Kip Boyle: Yeah. It reminds me of a customer of mine who got black... They ended up on a spam blacklist. And the details of that are really interesting. But the problem that they had was that there was an automated decision to blacklist them. And so it essentially took their email systems offline because nobody would accept an email from them anymore. And it took-
Jake Bernstein: Yeah.
Kip Boyle: ... the better part of a week for them to find a living human being who had the authority to revoke the blacklist status. And it was very painful for them.
Jake Bernstein: Yeah. No. That's exactly right.
Kip Boyle: So, well, that wraps up this episode of the Cyber Risk Management Podcast. Today, we talked about how smaller companies are struggling to respond to the cybersecurity questionnaires of their much larger customers. Thanks everybody. We'll see you next time.
Jake Bernstein: See you next time.
Kip Boyle: Thanks everybody for joining us today on the Cyber Risk Management Podcast.
Jake Bernstein: Remember that Cyber Risk Management is a team sport and needs to incorporate management, your legal department, HR and IT for full effectiveness.
Kip Boyle: And Management's goals should be to create an environment where practicing good cyber hygiene is supported and encouraged by every employee. So if you want to manage your cyber risks and ensure that your company enjoys the benefits of good cyber hygiene, then please contact us and consider becoming a member of our cyber risk-managed program.
Jake Bernstein: You can find out more by visiting us at cyberriskopportunities.com and newmanlaw.com. Thanks for tuning in. See you next time.
Cyber Risk Opportunities
Kip Boyle is a 20-year information security expert and is the founder and CEO of Cyber Risk Opportunities. He is a former Chief Information Security Officer for both technology and financial services companies and was a cyber-security consultant at Stanford Research Institute (SRI).
K&L Gates LLC
Jake Bernstein is an attorney and Certified Information Systems Security Professional (CISSP) who practices extensively in cybersecurity and privacy as both a counselor and litigator.