June 3, 2020
The Saasification of Vendor Assessments
Why are companies drawn to SaaS vendors? The reasons are many, but if I had to sum them up in a few words, I would say SaaS vendors:
- Provide an easy to use product.
- Solve a well defined and specific problem.
- Display an easy to calculate ROI.
There are thousands of workflows at companies that SaaS vendors are being brought in to make easier, faster, less expensive and so on.
One workflow that has not been successfully solved is the vendor risk assessment. Let’s examine what is needed to complete a risk assessment once a vendor has been identified.
- An internal resource needs to send a vendor a security questionnaire, as well as a request to provide supporting documentation.
- The vendor may respond quickly, or may not respond at all.
- If the vendor responds, the internal resource needs to review hundreds of answers for accuracy and context. In addition, they will need to review supporting documentation such as a SOC report, an ISO certification and a FedRAMP authorization to get an accurate view of the entire picture.
- If there are areas that need further clarification (there always are), the resource needs to have a back and forth dialogue with the vendor to understand their responses further.
- The internal resource then needs to write up a summary report of all the information they reviewed and provide that to the internal buyer of the vendor.
This entire process typically takes a professional 6-8 hours from start to finish per vendor assessment. That means if they need to conduct one assessment per week, it adds 6-8 hours on top of their regular responsibilities. Given that Information Security professionals at smaller companies wear many hats, this is not an easy process to pick up once per week. Not only are you dealing with many different vendors and points of contact, both internal and external, but security questionnaire answers can vary greatly depending on the type of vendor being reviewed. I think many security professionals would agree that very few of them complete re-assessments of their vendors on an annual basis.
I predict that what we’ll see in the next 3-5 years is the “Saasification” of the vendor assessment. What I mean by this is that the individual, manual work of completing a vendor assessment will give way to something that is easy, accessible and cost effective.