
Manage Third-Party Suppliers with Personality Tests

Call it junk science or evidence-based research, but personality tests are popular because people can use the answers to figure out how to interact with others. Many managers use personality profiles in hiring and professional development. Perhaps organizations can use similar concepts to manage their relationships with their suppliers and vendors.

“Do third-party vendors have personalities? And if they did, would that affect how we manage them?” John Elliott, a data protection officer at a large European airline, said at the recent RSA Conference.

The idea of a vendor having a personality sounds preposterous, but if an organization can have a culture, then it makes sense that it can exhibit traits associated with personality. Organizations already spend a lot of time during vendor selection to understand the supplier’s operations and to verify it meets compliance requirements. Looking at vendor behavior can help organizations figure out which suppliers are most likely to lose data, and how to minimize that risk, Elliott said.

The organization can craft a more effective information security and privacy assurance program that takes into account each supplier’s personality profile.

There are many tests that claim to analyze personality and organize people around specific traits, and the most well-known in the professional setting is the Myers-Briggs Type Indicator (MBTI). Developed by researchers Katharine Cook Briggs and Isabel Briggs Myers and based on psychologist Carl Jung’s theories, MBTI uses four dichotomies--introvert vs extrovert, intuitive vs sensory, thinking vs feeling, and judging vs perceiving--to divide people into 16 different types. Elliott noted that his MBTI profile, ENTP, indicates that he is “not awesome” at following through with detailed plans or responding well to authority, but that he excels at inventing things and original thinking. He can tailor his interactions with his teams to play to his strengths, but also pay attention to areas that need extra support.

“Vendor personality can determine the effort needed to manage the relationship,” Elliott said.

John Elliott, data protection officer at a large European airline, suggests at RSA Conference 2018 that using "personality tests" to understand third-party vendors can be an effective way to manage the vendor relationship.

Elliott aligned supplier personalities across three axes: knowledge, ability, and intent. Each axis had a positive or negative aspect, resulting in eight different personality profiles. The vendor could be knowledgeable or ignorant, be able to execute or unable to execute, and intend to execute (positive) or not intend to execute (negative).

A supplier who was knowledgeable, was able to execute, and had positive intent to execute was a “dream supplier,” or KAP. On the other end of the scale, a supplier who wasn’t knowledgeable (ignorant), was unable to execute, and had negative intent to execute was a “Freddie Kruger,” or IUN, Elliott said.

KAN is a Deceiver, as it knows a lot about the issues and what needs to be done, has the resources to complete the work, but has no intent to do the work. A Deceiver knows it should be patching the systems, but isn’t. Contrast that with IAN, or a Bureaucrat, who keeps asking questions because it doesn’t know what to do. It has the resources and is able to do the work, but isn’t going to put in the time and effort to do so, despite asking for many clarifications and information.

KUPs, or Frustrators, know about the threats, are unable to perform the tasks, but would like to if they could. They have traits in common with the IUP, or Puppies, because they also want to do the right thing. IUPs don’t know a lot about the issues and have limited ability to execute, but are eager to get things done.

KUNs, the Theorists, know what to do, are unable to do it, but also don’t plan to. “They will be happy to tell you how well they would do it if they could,” Elliott said.

As for the IAPs, the Dunning Krugers, Elliott called them “the most dangerous supplier.” They don’t have the knowledge, but they have the abilities and want to get the work done. “They do the wrong things very well,” Elliott said.

Everyone wants to work with a KAP supplier, but that isn’t always possible. Knowing the profile can inform the organization how hands-on to be with the vendor, and even determine what kind of follow-ups would be necessary. If a supplier turns out to be an IAP, for example, the organization will have to be proactive about providing the correct information and regularly follow up to keep the supplier on track.

Elliott broke down a typical vendor relationship as having four components: documented advice and assistance, operational readiness targets, operational readiness assessment, and ongoing assessments. The different profiles mean organizations handle the components differently.

The K suppliers, the ones who have the knowledge about information security and privacy requirements and understand the threats, are capable of documenting their processes and providing information as needed. The organization can provide a high-level description for the supplier to figure out its targets and can rely on vendor self-assessments to determine operational readiness. Ongoing assessments can be by phone. On the other hand, the I suppliers don’t have that level of knowledge and would require extensive hand-holding and repeated follow-ups. Both the operational readiness assessment and ongoing assessments would likely need to be onsite to make sure the suppliers aren’t making mistakes due to gaps in their knowledge.

The same goes for the A suppliers, since they are able to execute, the organization doesn’t have to worry about operational readiness, and can have the vendor self-report for operational readiness and ongoing assessments. The U suppliers are unable to execute, for whatever reason, and would need a more hands-on approach, such as detailed target information, onsite operational readiness assessments, and ongoing phone assessments.

The P suppliers intend to execute, so again, the organization can rely on the vendor to self-report what it is doing. The N suppliers, the ones who don’t intend to execute, will require more vigilance, with onsite operational readiness assessments and continuous monitoring to make sure they are doing what they should be doing.

Not paying attention to areas where the supplier is weak increases the risk to the organization, Elliott said.
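The three-axis model and the per-axis handling described above can be turned into a small decision aid. The following is an added example, not Elliott's own tool or anything from the article: it derives the three-letter profile code from the knowledge, ability and intent answers and builds an assurance plan for the four relationship components. The per-axis requirements are transcribed from the talk as reported; the rule for combining them (the most hands-on requirement across the three axes wins, because the weakest axis is where the risk sits) and the effort ladders are my assumptions.

```python
from typing import Dict, List, Optional

# Profile labels as reported from the talk (constructed mapping of code to name).
PROFILE_NAMES: Dict[str, str] = {
    "KAP": "Dream supplier",
    "KAN": "Deceiver",
    "IAN": "Bureaucrat",
    "KUP": "Frustrator",
    "IUP": "Puppy",
    "KUN": "Theorist",
    "IAP": "Dunning Kruger",
    "IUN": "Freddie Kruger",
}

# The four relationship components from the talk.
COMPONENTS: List[str] = ["advice", "targets", "readiness", "ongoing"]

# Effort ladder per component, lightest touch first (ordering is my assumption).
EFFORT: Dict[str, List[str]] = {
    "advice":    ["supplier documents own processes", "extensive hand-holding and follow-ups"],
    "targets":   ["high-level description", "detailed target information"],
    "readiness": ["self-assessment", "onsite assessment"],
    "ongoing":   ["self-report", "phone", "onsite", "continuous monitoring"],
}

# What each axis value demands per component, as reported; None = the axis says nothing about it.
AXIS_RULES: Dict[str, Dict[str, Optional[str]]] = {
    "K": {"advice": "supplier documents own processes", "targets": "high-level description",
          "readiness": "self-assessment", "ongoing": "phone"},
    "I": {"advice": "extensive hand-holding and follow-ups", "targets": None,
          "readiness": "onsite assessment", "ongoing": "onsite"},
    "A": {"advice": None, "targets": None,
          "readiness": "self-assessment", "ongoing": "self-report"},
    "U": {"advice": None, "targets": "detailed target information",
          "readiness": "onsite assessment", "ongoing": "phone"},
    "P": {"advice": None, "targets": None,
          "readiness": "self-assessment", "ongoing": "self-report"},
    "N": {"advice": None, "targets": None,
          "readiness": "onsite assessment", "ongoing": "continuous monitoring"},
}


def profile_code(knowledgeable: bool, able: bool, intends: bool) -> str:
    """Map the three axis judgements to the talk's three-letter code, e.g. KAP or IUN."""
    return ("K" if knowledgeable else "I") + ("A" if able else "U") + ("P" if intends else "N")


def profile_name(code: str) -> str:
    """Return the profile label for a code, raising on an unknown code."""
    if code not in PROFILE_NAMES:
        raise ValueError(f"unknown profile code: {code!r}")
    return PROFILE_NAMES[code]


def assurance_plan(code: str) -> Dict[str, str]:
    """Combine the per-axis requirements: for each component, the most hands-on
    requirement demanded by any of the three axes wins (my assumption); if no
    axis constrains a component, the lightest rung of its ladder applies."""
    profile_name(code)  # validates the code
    plan: Dict[str, str] = {}
    for component in COMPONENTS:
        ladder = EFFORT[component]
        rank = 0
        for letter in code:
            requirement = AXIS_RULES[letter][component]
            if requirement is not None:
                rank = max(rank, ladder.index(requirement))
        plan[component] = ladder[rank]
    return plan


if __name__ == "__main__":
    for code in PROFILE_NAMES:
        print(f"{code} ({profile_name(code)}): {assurance_plan(code)}")
```

Running the block prints one plan per profile; a KAP supplier ends up with self-assessment and phone follow-ups, while an IUN supplier gets detailed targets, onsite readiness assessment and continuous monitoring, which matches the article's description of where the effort goes.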

John Elliott lists the eight different vendor personality types on his RSA Conference 2018 slide presentation.

Figuring out a supplier’s personality requires a little bit of due diligence. There are several startups that try to quantify vendor risk. SecurityScorecard predicts and remediates potential security risks across organizations and their partners. BitSight Technologies rates companies’ security effectiveness on a daily basis using a data-driven approach.

And then there’s the tried-and-tested way of filling out a personality test. Don’t ask the vendors a list of specific questions and have them self-identify their personality. People tend to give themselves scores 30 to 50 percent higher than what an outside assessor would, and that would be the case in this scenario. A question about patching would be answered “yes” regardless of whether the vendor has a mature patch management process or if there is an overworked IT admin that applies patches three months at a time.

“If you have been doing this for a long time you can often sense this [personality],” Elliott said.

A supplier personality test focuses on asking open-ended questions that don’t have an easy yes/no answer. Make the vendors think about the answers and demonstrate their knowledge, abilities, and intent. Insist the security team or the IT team complete the test instead of the sales team. While it is possible to do this as an interview, Elliott recommends having the answers in writing.

“If the executive has to sign his name at the end of the document with his answers, the vendor will think twice about making grand promises or misrepresenting the environment,” Elliott said.

The questions can be tailored to suit the organization, but here are some of the questions Elliott recommended including on the personality test.

  1. What do you see as the top three cyber threats to your business?
  2. How do you gain short-, mid-, and long-term threat intelligence?
  3. What formal and informal information sharing networks are you members of?
  4. How many days of professional resources have been used in penetration testing and “red team” tests or other similar assurance exercises in the past 12 months? What do you plan to do differently next year?
  5. How many people have more than 50 percent of their roles allocated to cyber/information security responsibilities? Do you think this is enough?
  6. How many person-days have you estimated it would take a malicious external attacker to breach your defenses and gain privileged access to critical systems? How quickly would you detect this type of intrusion into your network? How many intrusions have you detected in the past 12 months?
  7. What are the RPO, RQO, and RTO for the systems that support the service you provide to us? When you last did a test, what RPO, RQO, and RTO did you achieve?
  8. Have you formally appointed a Data Protection Officer? Who is it? What are the qualifications?
  9. What processes do you have in place to respond to Data Subjects who request their data in accordance with GDPR Article 15?
  10. How will you detect a “personal data” breach?

Some of these questions are designed to force “deceitful declarations,” or “fib,” Elliott said. The RPO, RQO, and RTO example illustrates this--RPO refers to recovery point objective and RTO is recovery time objective. RQO is something Elliott made up. Ideally the vendor will ask for clarification on what RQO is, but if the vendor tries to give an answer to RQO, then that indicates the vendor may have gaps in its knowledge.

The ideal responses are detailed sentences and not just single words. Overly long answers to a question may indicate high knowledge but a low level of ability, depending on how it is answered. The threat intelligence question should provide information about who the supplier works with and how it is used. If the supplier responds to multiple questions with boilerplate language or repeatedly references a specific framework or standard, those are also signs the vendor may not know the answers or is hiding its abilities. The question about assurance exercises can tell you a lot about the supplier’s knowledge level, since answers like not having the exercises because they have faith in their processes and controls should be concerning. Answers like “no breaches” or “30 minutes to detect a breach” about breach detection can reveal a lot about the supplier’s culture.
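The reading rules above (the made-up RQO canary, one-word answers, boilerplate reused across questions, leaning on a standard's name, "no breaches" claims, and skipping assurance work out of faith in controls) are mechanical enough to run as a first-pass screen over written answers before a human reads them. The following is an added example, not a tool from the article or from Elliott: it screens a constructed set of answers to the ten questions and returns the signals a reviewer should look at. The regular expressions, the two-word threshold and the three-question threshold for standard name-dropping are my assumptions, and the sample answers are constructed.

```python
import re
from collections import Counter
from typing import Dict, List

# Term the questionnaire invents on purpose; a knowledgeable supplier asks what it means.
FABRICATED_TERMS = {"RQO"}

# Heuristics (my assumptions) for the signals the article says to look for.
CLARIFICATION_HINTS = re.compile(r"\b(clarif|what (is|do you mean)|not familiar|unfamiliar|please define)", re.I)
STANDARD_REF = re.compile(r"\b(ISO\s?27001|NIST|PCI[- ]DSS|SOC\s?2|Cyber Essentials)\b", re.I)
NO_ACTIVITY = re.compile(r"\b(no|zero|never had any?) (breach|intrusion|incident)", re.I)
FAITH_ONLY = re.compile(r"\b(faith|confidence|trust) in (our|the) (process|control)", re.I)


def normalize(text: str) -> str:
    """Lower-case and strip punctuation so reused boilerplate compares equal."""
    return re.sub(r"\W+", " ", text.lower()).strip()


def screen_answers(answers: Dict[int, str]) -> List[str]:
    """Return one human-readable flag per signal found in the written answers."""
    flags: List[str] = []
    reuse = Counter(normalize(a) for a in answers.values())
    standard_mentions = 0
    for qnum, answer in sorted(answers.items()):
        if len(answer.split()) <= 2:
            flags.append(f"Q{qnum}: single-word or near-empty answer")
        if reuse[normalize(answer)] > 1:
            flags.append(f"Q{qnum}: boilerplate text reused across questions")
        if STANDARD_REF.search(answer):
            standard_mentions += 1
        for term in FABRICATED_TERMS:
            # A figure for a term that does not exist, with no request for clarification.
            if re.search(rf"\b{term}\b", answer) and re.search(r"\d", answer) \
                    and not CLARIFICATION_HINTS.search(answer):
                flags.append(f"Q{qnum}: gave a figure for made-up term {term} without asking what it means")
        if NO_ACTIVITY.search(answer):
            flags.append(f"Q{qnum}: claims no breaches or intrusions at all")
        if FAITH_ONLY.search(answer):
            flags.append(f"Q{qnum}: justifies skipping assurance work with faith in controls")
    if standard_mentions >= 3:
        flags.append(f"{standard_mentions} answers lean on naming a standard or framework")
    return flags


# Constructed sample answers, keyed by question number from the list above.
SAMPLE_ANSWERS: Dict[int, str] = {
    1: "Ransomware, phishing against our finance team, and supply-chain compromise of our build pipeline.",
    2: "We are ISO 27001 certified.",
    3: "We are ISO 27001 certified.",
    4: "None. We have faith in our processes and controls.",
    5: "Yes",
    6: "We have never had any breaches. We would detect an intrusion in 30 minutes.",
    7: "RPO 4 hours, RQO 2 hours, RTO 8 hours; last test achieved RPO 3h, RQO 2h, RTO 6h.",
    8: "Yes, our CISO, who holds ISO 27001 lead auditor certification.",
}

if __name__ == "__main__":
    for flag in screen_answers(SAMPLE_ANSWERS):
        print(flag)
```

On the sample set the screen raises seven flags (the reused ISO sentence twice, the faith-in-controls answer, the one-word answer, the no-breaches claim, the RQO figure, and the standard name-dropping summary), while an answer that supplies RPO and RTO but asks what RQO means raises none; the flags are prompts for the reviewer, not a verdict on the supplier.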

Try this exercise with existing suppliers to figure out whether the profile results match with the amount of time and effort currently being spent. That will help fine-tune the personality profile model and questionnaire to fit the organization’s needs. If the organization doesn’t use operational readiness targets for supplier assurance, for example, then it doesn’t need to be in the model.

“Beware of suppliers whose answers make them sound like KAN,” Elliott said. Validate the answers to see if the supplier contradicts itself in the test, and see if the answers support that level of high confidence.