The Vendor’s Dilemma: How to Manage Customer Security Requests Without Losing Your Mind
Written by: Bob Maley
Effective risk reduction cannot and should not be a solo mission. But when vendors get inundated by an avalanche of security requests, that’s exactly what it can feel like.
In an ideal world, handling security requests should be teamwork between companies and vendors. In the real world, it can be an extremely awkward situation where each party does a lot of finger-pointing, and not much constructive collaboration happens.
At Black Kite, we know how frustrating this type of situation can be. After all, we’re on both sides of this equation – both a user of vendors and a vendor ourselves.
That’s (part of) why we’ve established a list of quick-hit security and compliance strategies vendors can implement to have more successful long-term relationships with their customers.
4 key strategies to better manage customer security requests
1. Get involved in early sales conversations
Don’t let the security assessment be the last checkbox before a deal closes. As you know, it’s rarely as simple as checking a box: assessments are time-consuming, frustrating, and slow down important decisions. Instead, vendor security teams can work with sales to open security conversations proactively.
To help sales feel equipped for these conversations, vendors can:
- Train their sales organization. If sales is going to raise security with leads, they need to feel equipped to talk about it, at least at a high level. Guide them with educational sessions, info decks, or even a simple lunch and learn so they bring a foundation of knowledge to those conversations. They should know which compliance frameworks you follow or hold certifications against, where your Trust Center lives (and what’s inside it), and how to answer basic questions such as “Do you use MFA?”
- Frame security as part of the product. Sales teams are naturally focused on selling your product. Emphasize that security processes and protocols are an essential part of your product, and you may see less friction down the line.
2. Guide security conversations with relevant intelligence
Few things are more frustrating than security conversations that go around in circles. Often, these circular conversations come from a lack of clear information about your risk status and security posture.
Vendors can get ahead of this by guiding security conversations with evidence of their security posture. Proactively sharing IT security plans, compliance reports, and external security assessments can reduce the number of irrelevant or redundant questions coming your way. At the very least, being prepared this way will help you get through questionnaires more quickly.
Vendor teams can lead security conversations best by:
- Bringing reliable, useful, and timely security data to the table
- Focusing on specific risk indicators, like Black Kite’s Ransomware Susceptibility Index®
- Providing context on how you address vulnerabilities and real-world threats
- Being transparent about your internal security practices
Ultimately, it’s about sharing information that demonstrates to the prospect or customer that you take security seriously.
3. Establish a source-of-truth status page
Incidents happen, and when they do, it can be very stressful for your team. What makes it even more stressful is combing through hundreds of emails from customers asking you about a situation that you’re already dealing with.
Vendors need a streamlined way to communicate with customers while focusing on incident remediation. Here’s a nimble approach: Build out a status page.
Vendors know they have an obligation to share information on incidents when they happen. However, the number one goal during every event is to contain the threat, prevent losses, and recover affected assets. A post-mortem is, by definition, written after the incident, so it is neither productive nor possible to issue one while the incident is still active.
A well-maintained and regularly updated status page can go a long way. Instead of responding to each customer individually during an incident, vendors can redirect customers to the information they need in a centralized, organized place.
That frees up time and resources to tackle the most pressing priorities: Containing and remediating the incident.
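To make the "source of truth" idea concrete, here is an added example in Python (not Black Kite's code, and not something the post itself describes): a minimal status-page model in which each incident carries an append-only, chronological timeline, an update can only move an incident forward through investigating, identified, monitoring and resolved, and the page's headline status is derived from the open incidents rather than typed by hand. The incident identifiers, service names and timestamps are constructed sample data.

```python
"""Minimal source-of-truth status page for incident communications.

Added example. Invariants enforced:
  * an incident's timeline is append-only and chronological;
  * state only moves forward (investigating -> identified -> monitoring -> resolved);
  * the page's overall status is computed from open incidents, never hand-edited.
"""
from __future__ import annotations

import json
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Ordered incident states; an update may keep the current state or advance it.
STATES = ("investigating", "identified", "monitoring", "resolved")


@dataclass
class Update:
    when: datetime
    state: str
    message: str


@dataclass
class Incident:
    incident_id: str
    title: str
    affected: list[str]                      # services customers can map to their own use
    updates: list[Update] = field(default_factory=list)

    @property
    def state(self) -> str:
        return self.updates[-1].state if self.updates else STATES[0]

    def post(self, state: str, message: str, when: datetime | None = None) -> "Incident":
        """Append an update; refuse unknown states, backwards moves and out-of-order times."""
        if state not in STATES:
            raise ValueError(f"unknown state {state!r}")
        if STATES.index(state) < STATES.index(self.state):
            raise ValueError(f"cannot move from {self.state!r} back to {state!r}")
        when = when or datetime.now(timezone.utc)
        if self.updates and when < self.updates[-1].when:
            raise ValueError("updates must be chronological")
        self.updates.append(Update(when, state, message))
        return self


@dataclass
class StatusPage:
    incidents: list[Incident] = field(default_factory=list)

    def open_incidents(self) -> list[Incident]:
        return [i for i in self.incidents if i.state != "resolved"]

    def overall(self) -> str:
        """Banner status: 'operational' when nothing is open, else the least-progressed open state."""
        open_ = self.open_incidents()
        if not open_:
            return "operational"
        return min((i.state for i in open_), key=STATES.index)

    def to_json(self) -> str:
        """Machine-readable feed so customers can poll instead of emailing."""
        return json.dumps(
            [
                {
                    "id": i.incident_id,
                    "title": i.title,
                    "affected": i.affected,
                    "state": i.state,
                    "updates": [
                        {"when": u.when.isoformat(), "state": u.state, "message": u.message}
                        for u in i.updates
                    ],
                }
                for i in self.incidents
            ],
            indent=2,
        )

    def render_text(self) -> str:
        lines = [f"Overall status: {self.overall()}"]
        for inc in self.incidents:
            lines.append(f"\n[{inc.incident_id}] {inc.title} ({inc.state}) "
                         f"affects: {', '.join(inc.affected)}")
            for u in inc.updates:
                lines.append(f"  {u.when.isoformat()}  {u.state:<13} {u.message}")
        return "\n".join(lines)


def build_sample_page() -> StatusPage:
    """Constructed sample data (hypothetical incident IDs, services and times)."""
    t = lambda h, m: datetime(2024, 1, 15, h, m, tzinfo=timezone.utc)  # noqa: E731
    api = Incident("INC-0001", "Elevated API error rates", ["Public API", "Dashboard"])
    api.post("investigating", "We are investigating elevated 5xx rates on the API.", t(9, 5))
    api.post("identified", "Root cause identified: a bad config push. Rolling back.", t(9, 40))
    api.post("monitoring", "Rollback complete; monitoring error rates.", t(10, 10))
    sso = Incident("INC-0000", "SSO login delays", ["Login"])
    sso.post("investigating", "Investigating slow SSO logins.", t(7, 0))
    sso.post("resolved", "Resolved: identity provider latency returned to normal.", t(8, 15))
    return StatusPage([api, sso])


if __name__ == "__main__":
    print(build_sample_page().render_text())
```

The forward-only rule is what makes the page trustworthy as a source of truth: a customer who saw "monitoring" at 10:10 will never find the page quietly rolled back to "investigating" without a new, timestamped update explaining why. Serving `to_json()` alongside the rendered page lets customers automate their own checks instead of opening tickets.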
4. Share critical insights on a trust center
Ultimately, the more proactive vendors can be about their security and compliance status, the smoother security conversations with prospects and customers will go, leading to fewer unnecessary security requests and better collaboration.
Vendors can be publicly explicit about their dedication to security by building a digital trust center. This centralized resource ideally hosts critical security and privacy documents, ready to view or download in a few clicks. It is also a convenient home for the artifacts customers typically ask for during assessments and security requests.
A robust trust center should include:
- Materials often requested in assessments (e.g., descriptions of information security processes)
- Summaries of penetration tests and audit results (summaries, not the full reports, which normally go out only under NDA)
- Public-facing versions of compliance evidence (e.g., an ISO 27001 certificate or a SOC 3 report, with the full SOC 2 report available under NDA)
- A display of real-time compliance monitoring for key controls
- Proactive answers to common assessment questions
A centralized hub of resources helps vendors build trust with customers and save time and resources. When security requests come in, vendors can refer to trust centers to determine which inquiries require more in-depth conversations and which can be answered with a quick link.
Trust: It’s an ongoing conversation
Ultimately, reducing the burnout and frustration caused by customer and prospect security requests comes down to building two-way trust. With proactive strategies, focused conversations, and mutual access to risk information, vendors can instill confidence in their security posture.
Vendors should approach security as an ongoing dialogue. When that mindset permeates beyond the security team, organizations can position themselves as trusted partners rather than potential risks — and make security requests more manageable while they’re at it.
Keep customer trust a top priority with stronger security practices. Avoid these three mistakes when defending against breaches.
For organizations managing third-party risks, collaboration with vendors is at the heart of effective security practices. Our eBook, Chaos to Collaboration: Transforming Third-Party Risk Response for Zero-Day Events, provides actionable insights into how customers and vendors can work more effectively together during critical events. Check it out now to explore collaborative strategies for navigating today’s cyber risk landscape (no download required).