How to Evaluate the Cybersecurity of Your Vendors

In a constantly evolving technology landscape, it is important for businesses to properly evaluate their cyber-readiness and practice responsible connectivity, and one key element of your company’s cybersecurity posture is the security of your vendors—including product and software makers, contractors and integrators. SIA recently sat down with Net Force’s Josh Chin to discuss how corporate security teams can best assess the cybersecurity and readiness of their vendors.

In the physical security industry, there are some companies that are very aware of and focused on cybersecurity and others that “have a long way to go,” says Josh Chin, co-founder and managing partner of Net Force and a member of the Security Industry Association (SIA) Cybersecurity Advisory Board. Just in time for Cybersecurity Awareness Month, here are some of Chin’s tips for security practitioners and buyers on assessing the cybersecurity of your vendors.

  • Determine your business requirements: First, when purchasing a security solution, determine what your business requirements are and speak with different stakeholders on what is needed. “It may seem like it’s slowing down the process, but actually it speeds [it up] in the long run because you’re getting buy-in from everybody across the board,” says Chin.
  • Ask the right questions: “I would always ask potential vendors if they are willing to subject their products, their solutions, their company to a red team attack—literally having an adversary try to take apart their solution brick by brick,” says Chin. “The vendors and the people who can do that are the ones you want to start talking to.” Chin recommends that buyers ask their prospective vendors to show that they’ve done penetration testing and who their pen testers are and, ideally, select vendors that are willing to subject themselves to at least one pen test or red team engagement each year. “Anything they bring to the table here, it should be evaluated and scrutinized, because at the end of the day, you have to consider supply chain issues—they are part of your supply chain,” says Chin. Similarly, vendors should not be afraid to undergo penetration testing. “[Letting] your product get poked and prodded, attacked…you need that because if you don’t find it first, somebody else will,” says Chin. “What the mindset needs to be is not to assume that your solution is secure.”
  • Leverage cybersecurity questionnaires in your RFPs: Including a cybersecurity questionnaire in your RFP has become commonplace on larger projects and gives you the information you need to review a vendor's or prospective solution provider's cybersecurity posture. It is an effective way to request evidence such as penetration testing results or independent cybersecurity attestations.
  • Encourage collaboration between cybersecurity and physical security teams: “The traditional 3G mindset does not work anymore – the guns, guards and gates. From a physical security perspective, if you came from law enforcement, we think we understand security from a traditional sense, but when you go to 4G [guns, guards, gates and gateways], that equation changes completely and it’s a new generation of devices,” says Chin. “It takes a big man to understand that, and it takes an even bigger man to swallow their pride and go ask for help,” he says. Both cybersecurity and physical security teams need to come to the same table and start having a conversation together, be unafraid of asking questions and work together to support and enable business.
  • Do your due diligence: When evaluating potential vendors, Chin says, assess how each organization governs itself and also examine the security of the product itself. Ask how the vendor manages and addresses risk, since that risk becomes yours once the vendor is part of your supply chain.
  • Look for the right certifications and standards: Chin recommends evaluating whether potential vendors hold industry-agnostic certifications and follow recognized standards. Adhering to government-issued standards such as NIST SP 800-171, or ensuring that the vendor's professionals hold credentials like SIA’s Security Industry Cybersecurity Certification (SICC), for example, “adds a ton of credibility,” says Chin.
  • Raise your voice: Remember that you have your business requirements, and you’re the caretaker, maintainer and end user, says Chin. Part of “raising your voice” is making a business case and explaining the risk to the board, and another part is knowing when to push back with vendors who aren’t providing the cybersecurity information you need. “We’re all going to swim together or sink together,” Chin says.