Cloud vendors are a critical part of any organization’s operational ecosystem today. Conducting vendor security reviews is a necessary part of your security team’s due diligence before you agree to onboard a third party, especially if it will be integrating with any of your business-critical systems. Vendor risk assessments, though, can involve any number of tasks, most of them requiring manual effort. Common tactics employed by the team responsible for evaluating vendor risk include vendor security questionnaires, third-party risk ratings, vendor management systems, Google searches for past breaches, reviewing security artifacts such as pen test reports and SOC 2 reports, and even incorporating security terms into the legal obligations within a contract (like Dropbox). It's no wonder vendor security reviews can take weeks, especially for higher-risk vendors.
Often, before a formal vendor review kicks off, teams are asked to produce a baseline risk assessment of the vendor to determine what follow-up review of the vendor’s security posture is needed. This can be a frustrating process that involves hours of combing through public security information found on vendors’ marketing websites, third-party security review sites, and Google search results.
At Conveyor, we’re making the trust-building process between customers and vendors run as smoothly and efficiently as possible. Our ultimate vision is to make security questionnaires go away, by helping organizations automate the process of sharing their security information with customers, and making it easy (and secure) for customers to self-serve answers to their vendor security questions, and get access to proof of security posture (SOC 2 reports, pen tests, etc). But that vision is still a little ways away, and so in the meantime, we'll share with you some of the top factors to consider when conducting a vendor security review. (Bonus: we've collected this information on hundreds of vendors already. Head to our Vendor Trust Reports directory to get instant, ungated access today).
So, what are "trust indicators"?
Trust indicators are a reflection of how mature a company’s security practices are, and how much it prioritizes security as an organization. Understanding these indicators gives you a solid basis for assessing vendor risk and helps you quickly see how a vendor’s security posture matches up with your business requirements.
Each of the 18 trust indicators listed below should be accessible via public information, often on a company's Security or Trust page, or the Privacy section of their website. The weight you put behind each of these will depend on what’s most important to your business. To see an example of how we scored some of the top B2B SaaS vendors on these criteria, you can check out our new Vendor Security Reports on popular SaaS vendors.
Key Trust Indicators & How to Assess Them
More on Trust Indicators
Joe V. is the Director of Trust and Security at Conveyor, and the brains behind these trust indicators. Joe has been a part of hundreds of implementations of GRC programs. Through those experiences, he has learned about a variety of techniques to conduct vendor security reviews. Joe also runs our Questionnaire-as-a-Service program, and as such has responded to many dozens of customer security questionnaires from the perspective of the vendor. No one knows better how important (and how tedious) vendor security reviews can be.
Our Trust & Security Team has also spent hours scouring the internet for the security postures of hundreds of popular SaaS vendors so you can get a head start on your next security review. Skip the vendor chasing, and the back and forth of spreadsheets. Check out our SaaS Vendor Trust Reports here, and save hours off your next vendor security review.