22 May 2026
We encounter vendor security questionnaires constantly and, to be fair, they are a decent place to start. A good vendor security questionnaire forces suppliers to explain where they store information, who can access it, whether subcontractors handle the data and what security controls they claim to operate. That is useful. Vendor security questionnaires work far better than asking no questions at all.
Vendor security questionnaires also create accountability. Once a supplier makes specific claims in writing, organisations at least have something concrete they can assess later if problems arise.
The problem starts when organisations quietly begin treating the completed questionnaire as proof.
We see this all the time. A supplier answers “yes” to encryption, multi-factor authentication and access controls, so everybody relaxes and moves on. But vendor security questionnaires only tell you what the supplier says about itself. They do not tell you how consistently the supplier operates those controls in practice.
That distinction matters because many organisations never move beyond the questionnaire stage. They never ask for independent audit reports. They never validate operational practices. They never speak directly with the people running the systems. Instead, they confuse paperwork with verification.
Interestingly, mature suppliers usually reveal themselves quite quickly during the vendor security questionnaire process. They answer clearly, explain limitations honestly and provide supporting evidence when requested. Less mature suppliers often rely on vague language, broad assurances or obvious discomfort once questions move beyond marketing material.
Think about how you collect the questionnaire responses.
We still see organisations sending vendor security questionnaires around as Excel spreadsheets or Word documents attached to emails. That creates its own privacy and governance problem immediately. Detailed operational information about suppliers, systems and security controls suddenly starts spreading across inboxes, laptops, downloads folders and shared drives.
It sounds theoretical, but spreadsheet handling mistakes happen regularly. In the PSNI breach in Northern Ireland, staff accidentally published a spreadsheet that still contained data on almost 10,000 police employees, because the information remained inside a hidden worksheet. (ICO summary of the PSNI spreadsheet breach)
Researchers who track spreadsheet-related breaches also found that email-based spreadsheet sharing contributes heavily to accidental disclosure incidents. (SpreadsheetWeb analysis of spreadsheet-related breaches)
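The hidden-worksheet failure mode above is easy to check for before a spreadsheet leaves the organisation. The script below is an added example, not code from the original post or from any of the organisations it mentions. It opens the .xlsx package directly with the Python standard library (an .xlsx file is a zip archive whose sheet list lives in xl/workbook.xml) and reports every worksheet marked hidden or veryHidden; the build_sample_xlsx helper and its sheet names are constructed test data, not a real workbook.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from html import escape
from typing import List, Tuple

# Namespaces used by the SpreadsheetML workbook part inside an .xlsx package.
MAIN_NS = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
REL_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
NS = {"m": MAIN_NS}


def hidden_sheets(xlsx_bytes: bytes) -> List[str]:
    """Return the names of worksheets whose state is hidden or veryHidden.

    Each <sheet> element in xl/workbook.xml carries an optional state
    attribute; when it is absent the sheet is visible.
    """
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        workbook = ET.fromstring(zf.read("xl/workbook.xml"))
    return [
        sheet.get("name", "")
        for sheet in workbook.findall("m:sheets/m:sheet", NS)
        if sheet.get("state", "visible") in ("hidden", "veryHidden")
    ]


def release_check(xlsx_bytes: bytes) -> Tuple[bool, List[str]]:
    """Decide whether a workbook is safe to attach to an outbound email.

    Returns (ok, findings). ok is False when any hidden worksheet exists,
    because a hidden sheet still travels with the file and any recipient
    can unhide it.
    """
    hidden = hidden_sheets(xlsx_bytes)
    findings = [f"hidden worksheet present: {name!r}" for name in hidden]
    return (not hidden, findings)


def build_sample_xlsx(sheets: List[Tuple[str, str]]) -> bytes:
    """Construct a minimal .xlsx package containing only the workbook part.

    Constructed test data (hypothetical), sufficient for the check above.
    A real workbook also carries content types, relationships and sheet parts.
    """
    sheet_xml = "".join(
        f'<sheet name="{escape(name, quote=True)}" sheetId="{i}" '
        f'state="{state}" r:id="rId{i}"/>'
        for i, (name, state) in enumerate(sheets, start=1)
    )
    workbook_xml = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<workbook xmlns="{MAIN_NS}" xmlns:r="{REL_NS}">'
        f"<sheets>{sheet_xml}</sheets></workbook>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("xl/workbook.xml", workbook_xml)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: a visible summary tab plus a hidden source-data tab.
    sample = build_sample_xlsx([("Summary", "visible"), ("Source data", "hidden")])
    ok, findings = release_check(sample)
    print("safe to send" if ok else "BLOCKED: " + "; ".join(findings))
```

This check only looks at worksheet visibility. It does not detect hidden rows or columns, cached pivot-table data, or document properties, so it is one gate in a release process rather than a complete answer; the safer pattern the post argues for is not to circulate questionnaire data as email attachments at all.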
The questionnaire also becomes a blob: the individual questions are not treated differently from one another. In a single spreadsheet a supplier can report good practice in one area and terrible practice in another. The terrible practice deserves far closer monitoring than the rest, but when every answer simply feeds one overall score in one document, that is difficult to do.
Vendor security questionnaires absolutely provide value. They help organisations begin due diligence and they often uncover important warning signs early. But organisations should understand what vendor security questionnaires actually are: a starting point for verification, not the verification itself.