Auditing a third-party vendor – A true story

Note: Details have been omitted to protect the anonymity of both the client and their vendor. 

Several months back, a client we had been performing ongoing security testing for reached out to us with another request. Their legal counsel had hired a firm to audit a prospective vendor who would be handling extremely sensitive information for them, so they needed to be sure that the vendor was following both the relevant compliance requirements and cybersecurity best practices. The problem was that the report had come back and was essentially useless. It was not much more than a list of questions and responses, with no real validation of the controls.

We explained to our client and theirs the level of validation that would be required for a true audit, including onsite verification of their controls, review of their processes, and testing – penetration testing, vulnerability scans, and even social engineering to test the security awareness of their staff and the staff at their outside data centers. Our client agreed, and although their vendor wasn’t thrilled to have to start the audit process over again, they too agreed to do what was needed to win the contract from our client.

Several months later, the initial findings had been reviewed by all, and many items that should have been caught by the first auditor were reported with detailed recommendations on how the vendor could resolve the issues. The vendor was able to be part of the discussions, and consideration was given to their input as long as the solution still met compliance/best practice standards. We validated the vendor’s remediation of the open items, and the client and vendor can now move forward with confidence and a much greater understanding of how they will work together to protect the information at stake. The lesson here is that when all parties (client, vendor, and auditor) focus on the mutual goal of securing the data, egos, politics, and personal feelings can all be put aside. The result was a very successful engagement that left even the twice-audited vendor praising our process as they realized the benefit they received, a benefit shared by all of their other clients, who will now also be protected by these additional measures.

Foresite