Has a vendor ever violated your trust, or failed to acknowledge an incident?
I was on the line with all of them and we went through exactly what happened. They said, “Wow, from the looks of this, you didn't actually have to tell me.” It increased their trust in us. I said, “I know we mishandled your data and I feel an obligation to tell you we did it. It didn't cause any harm that we can find, but there's still a possibility that you could be harmed because of it if we didn't find something that did occur. I need you to be prepared because your penetration test report was public-facing with no access controls, and even though I can't find any fingerprints to show that somebody touched it, I'll assume that somebody did.”
We've made it a policy decision that if there has been a breach—even if it's a small thing like an email going to the wrong person—we'll tell the people involved. Because you're right, it can breed a lot of goodwill.
We actually got increased business out of it from a couple of customers because they felt good that we were that concerned. It did cause some tension with a few of them, but if we’d swept it under the rug and it came out later, we would have destroyed the business with them.
Even though their initial response was great, their post follow-up was not as good. That's the challenge that we have with vendors and integrations—even more so when you have 20-40 different tools to manage, review and recertify, etc. How do you stay sane? Which tools you use is just a matter of resources. Trust is cute, but you need to have reviews and controls.
Another vendor that we had at that company was compromised through one of the third-party tools they used. It was a diagnostic nightmare of the simplest review. They were a security company, and the security tool that we were using and some of the tools that they were using did not have controls. It was egregiously horrible. I sat there saying, “Oh my God, we're going to have to do a deep dive and analyze every ounce of data that was on the system that our vendor used for us.” Luckily it was not PII data, or anything that could roll back to us, but their credibility was lost. I didn't care how they responded, or if they remediated it within minutes. After knowing that they didn't have the right controls in the tools they use as a security development vendor, I was done. There was nothing they could do to redeem themselves, and it was at least two incidents.
Vendors can attest to something all day long, but you see the reality of it where that rubber meets the road. We had a third-party vendor that attested to certain things and then something bad happened. When we looked at some of the fundamental things that happened during that incident, we found several breaches of the contract. We had to ask them, “What are you going to do about that?”