Has a vendor ever violated your trust, or failed to acknowledge an incident?


VP, Director of Cyber Incident Response in Finance (non-banking), 10,001+ employees
It's not a question of if somebody's going to get breached, it's when, and it's how they respond to it that really matters. We've had a handful of third party vendors and customers who have been victims of breaches or ransomware or whatever just this year, and seeing how they do things and monitoring their incident has really helped me develop my playbooks, and I learned how I'll want to run future incidents.

Vendors can attest to something all day long, but you see the reality of it where that rubber meets the road. We had a third-party vendor that attested to certain things and then something bad happened. When we looked at some of the fundamental things that happened during that incident, we found several breaches of the contract. We had to ask them, “What are you going to do about that?”
Board Member, Advisor, Executive Coach in Software, Self-employed
On the proactive side, Lacey had their breach a couple of years ago when I was at Cylance and we had their stuff. I knew their chief compliance officer and CISO. They called me before it hit the press and I said, “We're square—I have your back and you have mine. Thank you.” And when we had a mishandling of data on our services team at Cylance, we reached out to customers. We didn't have to do a breach notification because we only had data indicating that the data was potentially exposed because of a stupid mistake where somebody put something on a shared drive because they were playing with hacking tools, etc., for a pen test. We personally called all of those customers.

I was on the line with all of them and we went through exactly what happened. They said, “Wow, from the looks of this, you didn't actually have to tell me.” It increased their trust in us. I said, “I know we mishandled your data and I feel an obligation to tell you we did it. It didn't cause any harm that we can find, but there's still a possibility that you could be harmed because of it if we didn't find something that did occur. I need you to be prepared because your penetration test report was public-facing with no access controls, and even though I can't find any fingerprints to show that somebody touched it, I'll assume that somebody did.”
CISO in Software, 501 - 1,000 employees

We've made it a policy decision that if there has been a breach—even if it's a small thing like an email going to the wrong person—we'll tell the people involved. Because you're right, it can breed a lot of goodwill.

Board Member, Advisor, Executive Coach in Software, Self-employed

We actually got increased business out of it from a couple of customers because they felt good that we were that concerned. It did cause some tension with a few of them, but if we’d swept it under the rug and it came out later, we would have destroyed the business with them.

Global CIO & CISO in Manufacturing, 201 - 500 employees
At a former organization, a BPO had an incident. I had previously spoken with the CISO, who's a top-notch guy, and I'll probably use their incident response as our baseline. It was pristine—it covered everything, and they pulled in all the right folks. But they made some other changes, which is the other vendor management piece. They made some remote connectivity changes, but didn't communicate those to us. The incident was not properly escalated to us; it was escalated to one of the customer experience teams. I had to be on a weekend call to make sure I had the right permissions in place to allow specific traffic through.

Even though their initial response was great, their post follow-up was not as good. That's the challenge that we have with vendors and integrations—even more so when you have 20-40 different tools to manage, review and recertify, etc. How do you stay sane? Which tools you use is just a matter of resources. Trust is cute, but you need to have reviews and controls.

Another vendor that we had at that company was compromised through one of the third-party tools they used. It was a diagnostic nightmare of the simplest review. They were a security company, and the security tool that we were using and some of the tools that they were using did not have controls. It was egregiously horrible. I sat there saying, “Oh my God, we're going to have to do a deep dive and analyze every ounce of data that was on the system that our vendor used for us.” Luckily it was not PII data, or anything that could roll back to us, but their credibility was lost. I didn't care how they responded, or if they remediated it within minutes. After knowing that they didn't have the right controls in the tools they use as a security development vendor, I was done. There was nothing they could do to redeem themselves, and it was at least two incidents.
