Will Your Compliance Software Vendor Protect Your Data? - Episode 217


Most companies overlook vendor vulnerabilities in compliance. On this episode, the CU Guys reveal hidden risks in vendor relationships, from breaches to vetting gaps. Discover tactics for evaluating vendor security, asking the right questions, and spotting red flags. Protect your data by understanding the stakes—data breaches, penalties, and reputation damage. This episode is essential for those managing compliance and security, offering actionable insights to safeguard your organization.


Episode Transcript:


When we got into this space, my background had been in IT security and compliance for quite some period of time before we even started TCT. It’s been enlightening, I guess that’d be a good way to put it, to see the variability out there in organizations that one would think have your best interests at heart, but certain people never cease to amaze me.

It is possible that your compliance vendor is going to have an issue. If you want to talk about a more recent event where a vendor let organizations down, then just go chitchat with some of the educational institutions about the good old Canvas breach.

The reality is that organizations depend on vendors. As a consumer, it’s your core responsibility to make sure that your third-party service providers are doing all of the things and staying bare minimum compliant. But hopefully, you have a much better sense of their care and diligence surrounding security, especially in this space, being a compliance software vendor. You got to make sure.

As you’re thinking, “We should be able to trust the compliance software vendors,” at the end of the day, it’s where their bread and butter is, being in the security and compliance space. One would think, if anybody should, it should be them.

The cold hard truth is every compliance software vendor is different. Not every single one of them is doing their due diligence to the best of their capabilities. Some people that have landed into this space are people with bags of money that just wanted to make a software product so that they could go turn a profit. At the end of the day, it’s buyer beware.

Some organizations take it very seriously. Others don’t and do bare minimum checkbox-style compliance just to get a piece of paper that tells you that they’re secure.

It’s a challenging landscape to figure out as you’re going through the process. Who am I dealing with here? Is this somebody that’s worthy of that trust or not?

There are several telltale signs that you can pick up as you’re going through evaluation and after active engagement. The stuff we’re talking about today certainly isn’t exhaustive, but it’s going to give folks a good solid starting point for going through and having their eyes open as they’re going through the process.

Todd Coshow:
Indeed. What types of vetting needs to take place during the sales process?

Because that’s where you’re really going to get to ask your questions before the answers don’t really matter.

Adam Goslin:
During that initial evaluation phase, as a consumer, you should feel empowered to ask very pointed questions around security and compliance status and approach, and things along those lines.

There’s a given here. Most organizations are going to start with, “Is this going to work for me? Functionally, is it going to work for me?” As you’re going into that process, one of the things that I’d recommend to folks is: are they only talking about the functionality aspects, or are they coming out through that sales process with, “Hey, we really want to talk to you about our security stance and how we do it”?

It should be a good sign when the vendor’s raising the security topic before you’re dragging them kicking and screaming into it.

When the security topic comes about, that’s where you pay attention. Who’s giving the answers about security and compliance? If it’s high-level, fluffy, directional stuff from a sales dude or dudette, then that should raise some concerns.

This episode has been added to the Podme service via an open RSS feed and is not Podme’s own production. The episode may therefore contain advertising.

Episodes (222)

AI-Powered Attacks: Is Your Compliance Program Already Obsolete? - Episode 222


In an era of evolving AI-driven cyberattacks, traditional compliance programs are falling dangerously behind. Static controls create a false sense of security while attackers leverage AI to move faste...

25 Jun, 18 min

Compliance Theater: Are You Actually Secure or Just Checking Boxes? - Episode 221


Most organizations are just performing compliance – ticking boxes, not building real security. What happens when the curtain is pulled back on these check-the-box programs? You might be under the illu...

18 Jun, 20 min

Audit Fatigue and How to Effectively Navigate It - Episode 220


Caught in a cycle of audit requests, evidence chaos, and burnout? Discover a way out in this episode. Compliance Expert Adam Goslin joins Todd Coshow to reveal the hidden causes of audit fatigue and s...

11 Jun, 21 min

Identity is the New Perimeter (Zero Trust) - Episode 219


On this week's Compliance Unfiltered, discover why identity is the new perimeter in cybersecurity. This episode reveals how zero trust principles can protect your systems by continuously verifying use...

4 Jun, 28 min

Regulatory Explosion & Board-Level Accountability - Episode 218


Discover why compliance is now a boardroom priority, not just an IT task. In this episode, Todd Coshow and Adam Goslin reveal how outdated practices put organizations at risk. Learn about the shift to...

29 May, 22 min

Data Has Borders: The New Rules of Compliance - Episode 216


Data compliance isn't just about protecting information anymore — it's about understanding where your data lives, how it moves, and how to stay compliant across borders. On this Episode of Compliance ...

14 May, 20 min

AI Fraud, Deepfakes & the Death of Trust - Episode 215


On this week's Compliance Unfiltered, AI-driven fraud is escalating, with deepfake voices and synthetic identities posing new threats. This episode reveals how traditional security measures fall short...

8 May, 29 min