An Open Letter to Executive Leaders: True Diligence in a World of Digital Risk
Moving Beyond the SOC 2 Badge, A Leader’s Guide to Verifying Vendor Security
Dear Executive Leaders,
Your organization’s resilience, its data, and its reputation are increasingly dependent on the security of your third-party technology vendors. As recent supply chain incidents have shown, accepting a vendor’s “open letter” on security or a SOC 2 report at face value is no longer sufficient. True diligence requires a deeper, more critical approach.
This letter outlines a strategic framework for what your teams should verify before onboarding and during your relationship with any technology provider.
The Illusion of Automatic Trust
A vendor’s marketing materials and public statements are designed to build confidence, but they are not a substitute for evidence. Here’s why a healthy skepticism is critical:
- SOC 2 Reports Have Nuances: A SOC 2 Type 2 report is a critical piece of evidence, but it is a point-in-time audit. Its value depends entirely on the scope of the systems audited, the exceptions noted by the auditor, and the relevance of the controls to the services you are consuming.
- “Open Letters” Lack Teeth: Public declarations of security commitment are not legally binding. They often omit crucial details about incident response timelines, data handling practices, and the security posture of their own critical vendors (your fourth-party risk).
A Framework for Real Vendor Diligence
To effectively manage risk, we recommend focusing your review on three core areas: Governance, Technical Controls, and Operational Resilience.
- Governance & Evidence. What to verify:
  - Full Audit Reports: Request and review the complete, recent SOC 2 Type 2 report (or equivalent, such as ISO 27001). Pay close attention to the auditor’s opinion, the list of exceptions, and any excluded systems.
  - Vendor Risk Management: How does the vendor assess its own suppliers? Ask for their policy on managing fourth-party risk.
  - Contractual Commitments: Ensure your contracts and Data Processing Addendums (DPAs) contain explicit, enforceable security clauses. This includes clear Service Level Agreements (SLAs) for security performance and breach notification.
- Technical Controls & Data Management. What to verify:
  - Data Flow & Access: Secure a clear data flow diagram. Understand exactly what data the vendor will access, process, and store. Scrutinize their Identity and Access Management (IAM) policies, especially for privileged accounts.
  - Encryption Standards: Insist on transparency regarding encryption for data at rest and in transit. Ask for details that go beyond simple marketing claims.
  - Vulnerability Management: What is their process for scanning, patching, and responding to vulnerabilities? What are their disclosure timelines? Request to see recent penetration test summaries.
- Operational Resilience & Incident Response. What to verify:
  - Incident Response Plan: Confirm the existence of a tested incident response plan. Your agreement should contractually obligate them to notify you promptly of any breach affecting your data or services.
  - Business Continuity: Review their Business Continuity Plan (BCP) and Disaster Recovery (DR) plan. Look for evidence of regular testing and clearly defined Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs).
Actionable Steps for Your Leadership Team
- Mandate a Vendor Security Standard: Use the framework above to create a non-negotiable checklist for your procurement and security teams.
- Make Diligence Continuous: Vendor security is not a one-time, onboarding event. Schedule annual or semi-annual reviews.
- Empower Your Team to Ask Tough Questions: Encourage your security and IT leaders to engage directly with a vendor’s technical team, not just their sales representatives.
Security is a shared responsibility, but accountability begins with you. By moving beyond surface-level assurances, you build a more defensible enterprise and protect the trust you have earned with your customers.
Sincerely,
A Fellow Advocate for Cybersecurity Excellence