Recently I was assigned to a special project to be the information risk management representative for a payment card processing provider RFP.
One of the vendors was an organization based out of a prominent US city with loads of financial institutions. I will refer to this vendor as N; of which one of their subsidiaries – referred to a n – is the actual business unit that provides the actual card processing services. So, for practical purposes – n does the real work; but N is responsible for the big RFP responses and on-site sales pitches. For blog purposes, I will refer to the combined entity as Nn – sort of like me and mini-me…bad attempt at humor – but you get my point.
As to be expected Nn showed up in force. Color coded apparel, great shoes, smiles, and the type of financial savviness one would expect from a reputable financial services provider. I was pretty impressed and to be honest, a show in force like this is what I expect given the size of the company I work for and the attention PCI-DSS commands. After the typical hand-shaking niceties and genuine attempts to find commonality between each other – the love fest started.
About 90 minutes into vendor Nn’s presentation, I asked some of my basic due diligence questions. Now keep in mind from previous posts, that I consider information risk management professionals to be intelligence analysts – always gathering intelligence about threats, attack vectors, etc. For a vendor not to think that potential clients are not checking up on them is mind-boggling – but more on that later.
One of my typical questions for any vendor that I assess for risk is: “How does your information security organization manage information security risk?” It is a fair question from my perspective and acceptable answers can be very simple or very complex. I prefer simple but complex is OK as long as they answer it and try not to dodge the question. In this case, vendor Nn answered the question sufficiently. But I still had some reservations regarding the big N and the little n. So, the follow-up question was this:
“In 200X your company (N) suffered a security breach. What has company N done to ensure the same vulnerability does not exist or cannot be exploited moving forward within company N and its subsidiary n?”
Well my friends (a McCain’ism), the love fest came to a halt right then and there.
The talking stopped!
The deer in the head lights look overcame the faces of the team representing Nn.
Nervous glances started being cast.
The Nn sales team lead responded with the following: “What breach?”
My response: “The breach in 200X that shows up in a simple Google search phrase “Nn security breach PCI”.
Nn sales team lead response: “I am not aware of that!”
My response: “We would like a formal statement regarding the security breach, the business unit impacted, and what has been done to prevent a repeat occurrence within the impacted business unit and any other business units owned by N.”
Nn sales team lead response: “Let us follow-up with you!”
My response: “Thank you!”
At this point, the Nn sales team broke out their Blackberry arsenal. And over the next 60 minutes there was more Blackberry thumbing then I have ever witnessed in a 60 minute period. The love fest had migrated to the sales team, their Blackberries, and other entities miles away; though deep down inside I would not be surprised if there were one or two messages between the Nn sales team to each other talking about the new A-hole they just stumbled upon.
Two hours later…during a break… (the love had still not returned to its original levels…)
Nn sales team member X: “I am sorry we could not speak to your question earlier today.”
My response: “That’s OK. I appreciate any follow-up responses you can provide.”
Nn sales team member X: “Well, we really did not know about this security breach, but our legal and PR departments will prepare a response. We really did not know about this.”
My response: “Thank you, we look forward to receiving it! You know, there is a neat Google service that let’s you set up email alerts based on keywords you define. I use it all the time to keep tabs on my company as well other companies. It is a great sales information tool.”
Nn sales team member X: “Thanks I will look into that!”
A few hours later, and some more Blackberry thumbing, the Nn sales team left. Only half of the team bothered saying bye to me and shaking my hand. I cannot blame them – I understand the frustration. In a previous consulting role (that included sales engineer responsibilities) – I saw my share of blown sales pitches and uncomfortable situations.
So here are a few thoughts:
1. Companies that experience security breaches – of which the acknowledgment that it occurred is public – need to educate their sales team / marketing folks (the entire company it can be argued) that their reputation matters and that they could face tough questions. To not think that other financial services companies or companies looking to use their card payment services will not ask them about recent breaches is ludicrous.
2. The fact that Nn recently suffered a breach but could not speak to it right then and there does NOT disqualify them from further consideration. It is important to point this out and underscores the importance of being objective and looking at all aspects of one’s security posture. In addition, this underscores the power of taking a risk-based approach to assessing risk.
3. Ever heard the term “hate the sin, not the sinner”. It is somewhat applicable here. I honestly believe the Nn sales team did not know about the breach. A simple Linked-In search on the Nn sales team (at least three of them) confirms they were with Nn at the time of the breach – but that does not mean they had privileged knowledge of it.
4. Don’t be afraid to be the friction point – by asking tough questions. Tough questions can be asked – but asking with a sense of humility and tact goes a long way. The reality is that sometimes, tough questions cannot be asked unless you are direct and to the point. A lot of us are getting paid good money to perform an appropriate level of due diligence – let’s earn it.
5. At the end of the day, there are a few things the Nn might say they learned from their trip:
- A-hole’s company cares about security.
- We need to be better prepared to know about security in our company and how to speak to past incidents.
- Just because we are PCI compliant does not make our sales efforts easy.
- We need to stop at the airport bar before the flight takes off.
So there you have it. Another day, another dollar – I love my job.