You probably know that I am not generally a fan of security questionnaires.
While the practice of asking a series of detailed security questions of a potential vendor can make sense in theory, in practice it has become a giant game of security theater. It’s one that wastes a huge amount of time and doesn’t help organizations understand their risk surface in any meaningful way.
Heck, some people who request security questionnaires openly admit they don’t read them all the time.
Others have recently shown that ChatGPT can create very believable responses to them that sound good but don’t actually require (or provide) any underlying knowledge of the security posture of the network in question.
As a result, there is a fair amount of agreement in the community that they aren’t worth the trouble.
Which begs the question “why are we still doing this to ourselves”?
After some thinking and discussion on the topic, it dawned on me that some practitioners view security questionnaires as a hazing ritual to which vendors should be subjected. The below comments on LinkedIn reveal exactly this sentiment.
Name and company redacted, as these details aren’t key to my point.
Oddly enough, these comments reminded me quite a bit of my time at the Naval Academy. This type of attitude was widespread at Annapolis, even more so than in the Marine Corps reconnaissance community, where I served after graduating and which I consider to be far more selective and challenging.
Higher-ranking midshipmen in their early twenties, whose only major achievement had been making it through their first or “plebe” year, would force freshmen to do absurd things that had nothing to do with combat readiness, like drinking disgusting mixtures of food and condiments.
Less egregious but potentially even more wasteful was the requirement that most midshipmen regularly conduct full dress parades (the general practice of which I have dedicated much of an entire article to criticizing).
The primary motivation for these behaviors, at least in my experience, was the mere fact that these upperclassmen had to do the same thing when they were just starting out. These tasks had little or nothing to do with improving organizational performance.
Similarly, I have also seen security professionals say things to the effect of “you only get to add items to a security questionnaire if you yourself have answered 500 of them already.” As if the right to ask pointless and asinine questions of someone else were a right that one needs to earn.
There might certainly be some use cases for security questionnaires, but I think they are rare in their commonly-used form. So when you next consider sending a 300-row spreadsheet to a prospective software supplier to fill out, I would ask that you think hard about what your goal is. Are you trying to improve your security posture? Or are you focused on “run[ning] vendors through the paces”?