What key criteria do you use to assess vendor response in the wake of a compromise or failure?
I also want to speak directly with the vendor’s Chief Security Officer (CSO).
I do as well. Whenever a vendor or customer experiences a compromise, I prefer to have an off-the-record conversation with their head of security to understand what happened and what actions were taken. The type of data involved and the vendor’s importance to our company also influence how much attention we give to the incident. If the breach is immaterial, such as exposure of business email addresses, it may not warrant significant follow-up.
I would also like to speak with the CISO for many vendors we deal with, but often legal teams on both sides prevent that from happening.
Before we consider re-enabling a vendor after a compromise, we require third-party attestation that remediation has been completed. Cutting off connectivity is our immediate response, and we won’t restore it until a recognized third party provides a clean bill of health.
I completely agree with you. Having a known third party—one of the few reputable firms—attest to the vendor’s remediation is essential. Without that assurance, I can’t imagine continuing the relationship. We need documentation from a trusted source confirming the vendor is secure.
For me, the primary criterion is adherence to contractual obligations. I want to ensure that breach notification requirements are followed and that I receive regular updates. It’s also important to receive a root cause analysis. Another critical factor is that the vendor does not release our name as an impacted party.

Transparency and responsiveness are crucial. If a vendor is evasive or avoids answering questions, that’s a major red flag and a signal to consider ending the relationship. Third-party attestation is table stakes for us.