Misaligned Incentives in Vendor Security Assessments

Tue, Dec 29, 2020

Several years ago I worked for a startup that sold software-as-a-service. Part of my role was to help the sales teams navigate the vendor assessment processes of prospective buyers. Being on the receiving end of those processes multiple times a week, I learned a few things about vendor assessments and questionnaires.

In no particular order: the buyers didn't see value in it (it was imposed by their security team), the questionnaires were gameable and didn't actually evaluate risk, the people doing the assessment were often not well equipped, and the assessments were point in time. I think the root cause of all of this is misaligned incentives.

Early on in that role, I made the "mistake" of being transparent with a particular client and things went sideways. New in the role, I chose to disclose more information to a prospective customer's security team in what I naively thought would demonstrate that we took security seriously. That disclosure required several more weeks of work on my team's part and prolonged the sales cycle for that opportunity. I know that the customer's security team wasn't being punitive; they were responding to information as they were supposed to, but it sure felt like I wasn't being rewarded for my additional transparency. Eventually we addressed all the concerns and the deal went through. I learned through that experience to answer only the specific questions that were asked; there would be no reward or benefit for providing anything else, even if it helped the customer or prospect make more informed risk decisions.

In the vendor security assessment process, there are competing objectives amongst the participants. The sales person wants to sell, and any roadblock is to be navigated around as efficiently as possible; security is one such roadblock. The buyer just wants to buy the product and start using it; the security process is just something to get through, and they want the vendor to handle it quickly. While the seller and buyer are goal aligned, they're not aligned with the buyer's security team, and that sets up the competing objectives between the buyer's and the seller's security practitioners. The seller's security team becomes a de facto proxy for the buyer's and seller's shared goal of getting through the procurement process. The seller's security team wants to get through the security evaluation of the product as quickly as possible; their job is to present their security controls in the best light possible. The buyer's security team wants to make sure that the purchases are sufficiently secure; any negative information they receive flies in the face of that and requires investigation and treatment. Buyer security teams are also likely under time pressure, either from the buyer themselves (because they need the product) or because of the backlog of other evaluations they need to get through. The opposing security teams converge on an unintentional optimization: minimize information flows by asking as little as possible and saying as little as possible.

Better questionnaires, shared assessment platforms and security scorecards based on observables are useful tools, but they don't solve the core problem: the participants in the process don't have the same goal. They're pain killers meant to make an objectionable process less painful. What we need are incentives that align behaviour towards a secure digital supply chain. I don't have a solution, but these are the questions I would ask:

  1. If we want to understand what risks arise from working with a vendor, how do we get them to tell us without them feeling like it will cost them business or increase costs above the revenue they get from you? What’s the benefit to them besides your money?
  2. If we want (business) buyers to care about buying secure, how do we get them past checkbox thinking? How do we incentivize them without the big stick of compliance? Can we reward business buyers that choose secure solutions?