Cloud vendors are a critical part of any organization’s operational ecosystem today. Assessing vendor risk is a necessary part of your security team’s due diligence before you agree to onboard a vendor. That assessment, though, can take on so many different forms - questionnaires, scorecards, various vendor management systems, Google searches, reviewing vendor security artifacts, and even incorporating security terms into legal obligations within a contract (like Dropbox).
Often, before a formal vendor review kicks off, teams are asked to establish a baseline risk assessment of the vendor in order to decide what follow-up review of the vendor’s security posture needs to be done. This can be a frustrating process that includes hours of combing through public security information found on the vendor’s marketing website, third-party security review sites, and/or Google search results.
At Conveyor, we’re making the trust-building process between customers and vendors run as smoothly and efficiently as possible. So today, we’re tackling the topic of how best to do an initial evaluation of your vendor, or, to put it another way, the “who-the-heck-is-this-vendor-and-how-can-I-figure-out-a-quick-overview-of-their-security-posture” part of the vendor review process (i.e. typically step one).
To do this, we’ve put together a list of the top trust indicators you should evaluate when starting a vendor security review.
So, what are trust indicators?
Trust indicators are a reflection of how mature a company’s security practices are, and how much it prioritizes security as an organization. Getting a good understanding of these indicators will give you a solid basis for assessing risk, and help you quickly understand how the vendor’s security posture matches up with your business requirements.
Each of the 18 trust indicators listed below should be accessible via public information. The weight you put behind each of these will depend on what’s most important to your business. To see an example of how we scored some of the top B2B SaaS vendors on these criteria, you can check out our new Vendor Security Reports on popular SaaS vendors.
Key Trust Indicators & How to Assess Them
More on Trust Indicators
Joe V. and Tania K. are on the Trust and Security Team at Conveyor, and with their powers combined, came up with these trust indicators.
Joe has been a part of hundreds of implementations of GRC programs. Through those experiences, he has learned about a variety of techniques to assess vendor risk and maturity. Tania has supported numerous clients on privacy and vendor management initiatives, including many of the Fortune 500. Collectively, the two of them have over 15 years of experience building trust & security programs internally and in a consulting capacity.
Our Trust & Security Team has also spent hours scouring the internet for the security postures of several popular SaaS vendors so you can get a head start on your next security review (aka - you don’t have to pull these trust indicators yourself!). Check out our SaaS Vendor Security Reports here.
Go forth and build trust
Using these trust indicators can help your team quickly create a baseline for assessment across vendors and get a high-level picture of how trustworthy a vendor might be, based on the transparency of the information they provide upfront. These are just a starting point for assessing vendor risk, but hopefully they can help you simplify evaluation from the beginning.