Barely Half of Organisations Require Suppliers and Partners to Pass Security Audits
Here’s an article from the folks over at Tripwire, who report, based on a survey, that only about 53% of organizations require their suppliers and partners to pass security audits. Based on the organizations I’ve worked with, here are some possible reasons why I think this may be:
- Security is a cost center: It’s difficult to objectively demonstrate ROI on security spend, and so most organizations I see spend little to no budget on security, which includes ensuring that their vendors are also meeting some level of security.
- Most organizations don’t know what to ask: Unless you’re working on security every day, it’s hard to keep up and know exactly what to ask. I have to imagine that, to avoid looking “stupid,” organizations just avoid the topic altogether.
- Security takes time: Most of the time organizations are under some incredible deadline, and so pulling off to the side of the road to ensure that their suppliers and partners are secure is going to add delay that they probably can’t afford to take. Security gets swept under the rug or just lost in the commotion.