What The Goonies Teaches Us About Vendor Security

Written by Nick Sorensen, CEO of Whistic

Why companies and their vendors should take a collaborative approach to cyber threats

One of the biggest learnings I took from the recent SolarWinds and Microsoft Exchange hacks is breaches aren’t going away. They’re likely to get bigger as usage of applications built in the cloud continues to skyrocket.

According to Google Cloud, SaaS software sales are expected to double in the next five years. That growth will create more opportunities and entry points for hackers to gain access to your customers’ data if you don’t take the necessary steps to mitigate against risk from your vendors.

The cloud is helping us become more and more efficient and deliver better products and services to our customers. But because it also makes us more interconnected as businesses than ever before, we leave ourselves vulnerable to attacks.

As business owners, we want to provide our employees with all the tools and applications they need to get their jobs done, but businesses are only as secure as their weakest link. As a result, we need to weigh the benefit of providing that application against the risk it may pose to our data.

That’s why I propose we take a more collaborative approach to vendor security. If I’m secure, and you’re secure, and your vendors are secure, and on down the line, we’ll have a better chance to stave off attacks from bad actors in the future.

How The Goonies explains vendor security

To illustrate this point, I’d like to share an example from one of my favorite movies, The Goonies. For those unfamiliar with the plot, it’s about a ragtag group of teenagers that have to band together to find a treasure that will help save their houses from being sold to the bank. Along the way, they come across the Fratellis who try to thwart their plan and steal the treasure for themselves.

The Goonies consist of three distinct groups:

• Mikey, Mouth, Data, and Chunk
• Brand (Mikey’s brother)
• Andy and Stef

Each of them on their own wouldn’t be able to navigate the labyrinth of clues, booby traps, riddles, and challenges along the way to One-Eyed Willy’s treasure, but working together and highlighting the strengths of each member, they were able to both defeat the Fratellis, collect the treasure, and save their homes.

To start, they needed Mikey’s leadership, vision, and belief in the plan. But they also needed Andy’s piano skills, Data’s ingenuity, Brand’s strength, and the reinforcements Chunk brought through his friendship with Sloth. If the group doesn’t have all those things, the plan falls apart and the bad guys win.

And that’s what businesses and vendors need to do to combat hackers—work together. This might seem like an oversimplification of a very complex problem, but without working together and truly partnering with your vendors, the odds of you winning in the end and escaping without being breached are slim to none.

Where do we start?

The foundation of any successful partnership is trust, but many in cybersecurity are moving to a zero-trust model for vendor security. There are good concepts in zero-trust, but from my perspective, it has a branding problem. What we suggest is taking the Trust But Verify model, but flip it—Verify Then Trust.

I know this seems like it’s just semantics, but at a certain point, if we truly want to partner with our vendors, we need to trust them. And I believe the key to building trust is being transparent. Show that you have nothing to hide.

Starting off your vendor relationships with transparency will create the trust needed for you to collaborate and work together with the knowledge that everyone with direct and indirect access to your Data is doing everything they can to protect it.

Building transparent relationships

Currently, there can be a lot of friction for businesses when they’re vetting vendors. Most of this friction is due to the fact that the vendor assessment process is a black box exercise, and there’s little transparency on either side of the table. We need to end this adversarial relationship with our vendors, where it’s like pulling teeth to access information about their security posture.

A lot of the friction is associated with the administrative task of collecting the information and doesn’t do a lot to improve an organization’s security. We recommend businesses publish their security posture publicly and make it easily accessible to customers and prospects that want to assess them.

You can start by publishing it prominently on your website, but you should also include it on vendor directories. You might be reluctant to publish all of your security documentation, which makes sense, but you can also include an NDA or require approval in order to access the more sensitive information about your organization’s security posture.

Lastly, you should be open to continuous assessments. A vendor assessment is just a snapshot in time of your posture. Things change and when they do, make sure you’re keeping all of your customers up to date.

Be vigilant about your own security

Anything you expect your vendors to do, you should be willing to do yourself. While big third-party data breaches like SolarWinds and Microsoft Exchange get all the headlines, it is still possible for you to be the reason your customer data is compromised.

A good first step to prevent that from happening is to self-assess. Run your business through the same questionnaires and scrutiny you put your vendors through. Have processes, policies, and controls in place to ensure your business is secure.

Make transparency the expectation

If enough vendors adopt transparent security practices, that is going to be what companies want and expect when evaluating new vendors. But that can only happen if we band together and demand that transparency.

To bring this full circle, as more and more SaaS startups enter our vendor ecosystem through this explosion in cloud computing in the coming years, their security practices might not be as mature. But that doesn’t mean we shouldn’t work with them.

As buyers, we can act as mentors and help them to elevate their practices, while also taking advantage of the advances in technology they offer. Teach them why transparent vendor security practices are essential and how being transparent can set them apart from their competitors.

As the old saying goes, “A rising tide lifts all boats,” and if we find ways to work together and be more open about what we all can do to protect each other against the coming onslaught of potential hacks, the more secure our data will be. And when the process seems overwhelming, and the bad guys are going to win, just remember: Goonies never say die!