
The Vendor’s Dilemma: How to Manage Customer Security Requests Without Losing Your Mind

Written by: Bob Maley

Effective risk reduction cannot and should not be a solo mission. But when vendors get inundated by an avalanche of security requests, that’s exactly what it can feel like.

In an ideal world, handling security requests should be teamwork between companies and vendors. In the real world, it can be an extremely awkward situation where each party does a lot of finger-pointing, and not much constructive collaboration happens. 

At Black Kite, we know how frustrating this type of situation can be. After all, we’re on both sides of this equation – both a user of vendors and a vendor ourselves. 

That’s (part of) why we’ve established a list of quick-hit security and compliance strategies vendors can implement to have more successful long-term relationships with their customers. 

4 key strategies to better manage customer security requests

1. Get involved in early sales conversations

Don’t let security assessments be the last checkbox before a deal closes. Because (as you know) it’s not as simple as checking a box — it is often time-consuming, frustrating, and slows down important decisions. Instead, vendor security teams can collaborate with sales teams to proactively open up security conversations.

To help sales feel equipped for these conversations, vendors can:

  • Train their sales organization. It’s important that sales feels well-equipped to talk about security, at least at a high level, if they’re going to bring it up with leads. Guide them with educational sessions, info decks, or even a simple lunch and learn so they can speak to security conversations with a foundation of knowledge. They should know what compliance frameworks you follow or have certifications from, where your Trust Center lives (and what’s inside it), and how to answer basic questions about security, like “Do you use MFA?”
  • Frame security as part of the product. Sales teams are naturally focused on selling your product. Emphasize that security processes and protocols are an essential part of your product, and you may see less friction down the line.

2. Guide security conversations with relevant intelligence

Few things are more frustrating than when security conversations happen in a recursive loop. Often, these circular conversations result from a lack of clear information about your risk status and security posture. 

Vendors can get ahead of this by guiding security conversations with evidence of their security postures. Sharing IT security plans, compliance reports, and external security assessments proactively can reduce the number of irrelevant or redundant questions coming your way. At the very least, being prepared this way will help you get through questionnaires quicker.

Vendor teams can lead security conversations best by:

  • Bringing reliable, useful, and timely security data to the table
  • Focusing on specific risk indicators, like Black Kite’s Ransomware Susceptibility Index®
  • Providing context on how you address vulnerabilities and real-world threats
  • Being transparent about your internal security practices

Ultimately, it’s about sharing information that demonstrates to the prospect or customer that you take security seriously.

3. Establish a source-of-truth status page

Incidents happen, and when they do, it can be very stressful for your team. What makes it even more stressful is combing through hundreds of emails from customers asking you about a situation that you’re already dealing with.

Vendors need a streamlined way to communicate with customers while focusing on incident remediation. Here’s a nimble approach: Build out a status page.

Vendors know that they have an obligation to share information on incidents when they happen. However, the number one goal during every event is to prevent losses, recover assets, and contain the threat. That means it’s neither productive nor possible to issue post-mortems on incidents while they’re still actively happening. 

A well-maintained and updated status page can go a long way. Instead of directly responding to thousands of customers during an incident, vendors can simply redirect customers to the information they need in a centralized, organized place. 

That frees up time and resources to tackle the most pressing priorities: Containing and remediating the incident.

4. Share critical insights on a trust center

Ultimately, the more proactive vendors can be about their security and compliance status, the smoother security conversations with prospects and customers will go, leading to fewer unnecessary security requests and better collaboration.

Vendors can be clearly and publicly vocal about their dedication to security by building a digital trust center. This centralized resource ideally hosts critical security and privacy documents, ready to download and view with just a few clicks. It can also be a convenient location for artifacts customers typically ask for during assessments and security requests.

A robust trust center should include:

  • Materials often requested in assessments (e.g., descriptions of information security processes)
  • Summaries of pen tests and audit results
  • Public versions of compliance documents (e.g., SOC 2, ISO 27001)
  • A display of real-time compliance monitoring for key controls
  • Proactive answers to common assessment questions

A centralized hub of resources helps vendors build trust with customers and save time and resources. When security requests come in, vendors can refer to trust centers to determine which inquiries require more in-depth conversations and which can be answered with a quick link. 

Trust: It’s an ongoing conversation

Ultimately, reducing the burnout and frustration caused by customer and prospect security requests comes down to building two-way trust. With proactive strategies, focused conversations, and mutual access to risk information, vendors can instill confidence in their security posture.

Vendors should approach security as an ongoing dialogue. When that mindset permeates beyond the security team, organizations can position themselves as trusted partners rather than potential risks — and make security requests more manageable while they’re at it.


For organizations managing third-party risks, collaboration with vendors is at the heart of effective security practices. Our eBook, Chaos to Collaboration: Transforming Third-Party Risk Response for Zero-Day Events, provides actionable insights into how customers and vendors can work more effectively together during critical events. Check it out now to explore collaborative strategies for navigating today’s cyber risk landscape (no download required).


The post The Vendor’s Dilemma: How to Manage Customer Security Requests Without Losing Your Mind appeared first on Black Kite.

How Reliable Risk Data Unlocks Vendor Engagement

Written by: Bob Maley

Imagine your company is evaluated by a potential client, only to discover that the intelligence they rely on is riddled with inaccuracies. That’s exactly what happened to us at Black Kite recently.

We were being evaluated as a vendor by a prospective customer who at the time was using a competing third-party risk management (TPRM) solution. They used that solution to pull a report on Black Kite, but the “intelligence” they shared with us was way off. The report found a lot of assets in our digital footprint that frankly didn’t exist. Because they were adamant they trusted the data, we investigated further. Turns out, those assets were showing up as a result of shadow IT and weren’t really in our environment at all. The fact that their solution failed to provide accurate data while ours did closed the deal.

That’s how important accurate data is in TPRM. You need to know what exactly is happening with your vendors to assess the risk they pose to your business, and you need to be able to share accurate data with your vendors to take action. On many occasions, we’ve seen Black Kite customers share data with their third parties that those third parties wouldn’t have had access to otherwise, down to the asset impacted with step-by-step remediation guidance. This helps vendors address issues faster and more accurately, boosting trust and collaboration.

This is why good data is the key to unlocking vendor engagement for collaborative risk remediation and reduction. It gets their attention because it’s accurate, detailed, and in many cases, completely new to them. 

The More Connected We Are, the More We Need Accurate Data

Companies are more connected than ever, sharing data, processes, tools, and platforms with an expanding network of third parties to operate and grow their businesses. According to one report, 182 vendors connect to the average enterprise’s systems weekly. 

But fast-paced IT growth can lead to increased gaps and vulnerabilities that attackers are looking to exploit. Third-party breaches and other security incidents can significantly harm a company’s ability to maintain operational continuity and safeguard its reputation. So having a third-party risk management program to identify, quantify, prioritize, and mitigate these cybersecurity risks is critical.

However, traditional episodic risk assessments impose a heavy burden on TPRM teams and vendors alike, as they often use manual processes, spending hundreds of hours pulling and analyzing data. It takes most (92% of) companies an average of 31 days to complete a control assessment, while 40% require up to 61 days. Understandably, this dynamic can cause a lot of friction between companies and their vendors. Risk conversations can be challenging and adversarial.

But there’s a better way forward. With the right technology and processes, your company can create a robust, agile risk management program powered by continuous and accurate risk data. 

So, how can your organization leverage accurate data to build these essential relationships?

Use Good Data to Get Your Vendor’s Full Attention

By consistently providing accurate, actionable risk data, companies not only enhance their own security posture but also build trust and cooperation with their vendors, laying the groundwork for a more resilient, collaborative risk management ecosystem.

Here are a few best practices you can adopt to create reliable risk data and share it with partners:

1. Collect comprehensive data:

Engage with a cyber risk intelligence provider to access up-to-date, high-quality risk data, including information about third and fourth+ parties that can be used to make critical business, operational, and security decisions. However, remember that not all risk intelligence vendors are created equal — choose one that offers standards-based ratings to gain a single version of truth.

2. Focus on the right alerts:

When high-profile cyber events occur, it’s crucial to have immediate visibility into which vendors are at risk to notify them to take action. For example, you should know whether they’re affected by a data breach, ransomware, or known exploitable vulnerabilities – as well as the context on how it might affect your business, enabling TPRM teams to separate serious threats from noise. Importantly, this information can be communicated to vendors to guide their response.

3. Create a robust and agile risk assessment program:

Instead of executing episodic assessments that capture static data, you can build a continuous risk assessment program that monitors and improves the company’s risk posture and that of vendors.

4. Dynamically assess the latest risks:

Grade vendors’ cybersecurity postures, identify vulnerabilities, forecast the likelihood of attack patterns such as ransomware impacting them, and calculate the potential financial impact of certain third-party breaches. Then, use these insights to prioritize risks and create a risk response plan.

5. Elevate the ecosystem:

Provide data-backed intelligence on risks to vendors, suppliers, and partners so they can mitigate risks proactively. Build stronger relationships by helping vendors avoid harm to their businesses. Warning a vendor that it’s vulnerable to a ransomware attack can help them make proactive improvements to avoid it, saving them from operational paralysis, customer harm, ransoms, lawsuits, and fines.

6. Work with the best:

Use the data and insights from a risk intelligence provider to rate potential vendors, select the more security-forward partners, and weed out low performers.

Build Trust and Cooperation with Vendors to Improve Engagement

Accurate, reliable risk data is the foundation of effective third-party risk management. It empowers companies to engage their vendors with confidence, enables proactive risk mitigation, and fosters stronger partnerships built on trust and transparency. By leveraging solutions like Black Kite Bridge™, organizations can share precise, actionable intelligence that encourages vendors to take immediate, targeted actions—leading to faster risk reduction and a more secure ecosystem for everyone involved. In fact, early users of Black Kite Bridge™ have seen a more than 200% increase in vendor responses, resulting in a considerable reduction in third-party risk.

Looking for step-by-step guidance to elevate your vendor collaboration efforts? Get a before-and-after look at how to transform third-party outreach and collaboration in our interactive ebook Chaos to Collaboration: Transforming Third-Party Risk Response for Zero-Day Events (no download required).


The post How Reliable Risk Data Unlocks Vendor Engagement appeared first on Black Kite.

Built to Protect: The Importance of Security by Design in TPRM

Written by: Bob Maley, Chief Security Officer

Contributor: Candan Bolukbas, CTO and Founder

In today’s fast-moving tech landscape, companies often face the temptation to prioritize speed over security when developing software. While getting to market quickly might offer a competitive edge for a software company, the long-term risks can be catastrophic—especially when that company becomes a third-party vendor whose products are embedded in other cyber ecosystems. When security is treated as an afterthought, the consequences can ripple across entire supply chains, leaving businesses vulnerable to breaches, ransomware attacks, and data loss. 

For companies relying on third-party vendors, a single security oversight can expose them to significant financial loss, reputational damage, and regulatory penalties. As cyber threats become more sophisticated, the price of neglecting security during product development is far too high for both vendors and their customers.

That’s why, in 2016, when we first built Black Kite as a third-party risk management (TPRM) solution, security was at the very top of our list. As a vendor ourselves, we understood the responsibility that comes with being part of our customers’ cyber ecosystems. We knew that any vulnerability in our own product could become a vulnerability for the companies relying on us to secure their third-party relationships. Our goal wasn’t just to help businesses identify and manage risks in their vendor networks—it was also to ensure that we weren’t contributing to those risks. 

From day one, we designed Black Kite to be as secure as possible, embedding security into every layer of our platform, just like our solution helps companies do with their own vendors.

So when the opportunity to sign the CISA Secure by Design Pledge came around last year, it felt like a natural step for us. The pledge aligns perfectly with the principles we’ve followed since the beginning—building secure software that protects not only our customers but also the broader digital ecosystem. By committing to this initiative, we reinforced our dedication to putting security at the forefront of everything we do. 

Taking the CISA Secure by Design Pledge

Recently, we joined more than 200 tech companies in signing CISA’s Secure by Design Pledge. For Black Kite, signing the pledge wasn’t about making a drastic shift; it was about publicly affirming what we’ve practiced for the past eight years. As a Chief Information Security Officer (CISO) who joined in 2019, I was thrilled to join a company whose product was already well-established, with many proactive security measures in place. 

I recently sat down with co-founder and Chief Technology Officer Candan Bolukbas to discuss how Black Kite’s security-first approach already aligns with the tenets of the pledge, underscoring our commitment to helping businesses protect themselves from third-party risks.

The pledge requires us to meet seven key security goals within the year following signature. That would be daunting for many companies of our size, but it was a no-brainer for me and our leadership team.

For one, the seven goals outlined in the pledge align well with several compliance frameworks we had already embraced at Black Kite, including ISO 27001, SOC 2, and FedRAMP. Moreover, we have already adopted many essential security best practices that map to the pledge, like using MFA and avoiding default passwords in our software. 

While compliance frameworks and pledges like CISA’s are designed to improve security, any CISO worth their salt will tell you that checking the boxes on a compliance audit or pledge does not mean you are fully secure. We’ve always considered it a goal to be one step ahead of the “bad guys” and remain on the cutting edge of defensive and offensive security.

Today, I want to share some foundational principles built into Black Kite and how we have evolved our security practices. Our goal, of course, is not just to tick the boxes on the pledge, but to uphold and demonstrate our commitment to security — for all of our stakeholders, from employees to customers to investors. 

Black Kite’s Secure by Design Roots

One of the most unusual facets of Black Kite’s culture is the security knowledge and expertise in our C-Suite. Our CEO, CTO, CSO (myself), and COO all have backgrounds in security; in fact, our COO is a former CISO himself. 

This isn’t something that every business can replicate. But it’s part of the reason we’ve had such success with building a secure-by-design organization and product. Everyone in the C-Suite has bought into the importance of security from day one.

This has reinforced for me that the culture of security is just as important as the tools, processes, and people who make security happen. 

Let’s face it: The role of CISO is a challenging job. That’s true even when you have access to Fortune 500 resources. For one thing, the security talent shortage continues to plague every industry, meaning that even large companies rarely have sufficient personnel for security. Meanwhile, the threat landscape shifts faster every year — now at an exponential rate, thanks to AI — meaning that CISOs only have to deal with more risk as time passes. And, unfortunately, when a breach happens, whether it was the CISO’s fault or not, they are often scapegoated. 

With this pressure in mind, I always say educating the team about security is 90% of the battle. Fortunately, at Black Kite’s highest levels, I haven’t had to educate; rather, I’ve had partners who support my vision without hesitation. Again, this isn’t a luxury every business has. But it’s key to understand that culture and education lay the foundation for security.

In addition to this culture of security, the founders of Black Kite, as I mentioned earlier, believe deeply in security by design. Our CTO, in particular, brings a background as an “offensive” security practitioner to bear on his vision for Black Kite. Candan served as a network and security administrator and then a security manager for the government of Turkey. He also served as a Certified Ethical Hacker (CEH) for NATO, testing the security posture of many global organizations. 

As a co-founder of Black Kite, Candan has spearheaded the effort to ensure security across our culture, systems, and code. Black Kite’s software has been built with secure-by-design principles from the very beginning. And Candan and the rest of the executive team have been true partners to me, making my job easier because they already fully grasp the importance of what a CISO does.

Before I joined Black Kite (at the seed stage, so very early in the company’s journey), the team had already implemented measures like:

  • Information security policies
  • Multi-factor authentication
  • Implementation of third-party risk management (TPRM) monitoring

Candan and the team embraced these practices, not just because they were building a security platform but because they knew first-hand the repercussions of operating insecurely.

Black Kite and the CISA Secure by Design Pledge

As I mentioned, when we were invited to take the CISA Secure by Design Pledge, I had no hesitations. Here are the core aspects of the Secure by Design Pledge and how we implement them at Black Kite today:

1. Multi-Factor Authentication

The CISA pledge asks signers to implement MFA across as much of their environment as possible. At Black Kite, we have implemented and enforced MFA since 2017 via Google Authenticator. We enforce MFA for all federal clients and privileged accounts. Black Kite customers can also enable their personal MFA in conjunction with established MFA. 

Candan implemented MFA early on at Black Kite because of several career experiences. When he worked for the Counter Cyber Terrorism Task Force, he and the red teams there would often employ brute forcing to test defenses. When they found open, remote administrative ports, they would search the dark web for leaked credentials, then use those to gain access and attempt lateral movement.

MFA is a key countermeasure against attacks of this kind. To succeed with a brute-force or leaked-credential attack, an attacker must compromise at least two different authentication factors, not just the password. Authenticator apps are an ideal MFA component because their short-lived, one-time codes cannot be reused once consumed or after their time window passes, which makes password-based attacks even harder to carry through.

2. Default Passwords

Many development and production environments use default passwords. CISA’s pledge requires organizations to minimize the use of default passwords to close off this attack surface. Black Kite does not use default passwords in any development or production environments. All access is based on actual user accounts. 

This means that even if a bad actor gained entry to a system, they could not use default passwords to expand their footprint within it. This quickly limits much of the fallout from a successful breach.

3. Reducing Entire Classes of Vulnerability

This pledge component involves improving vulnerability management to reduce risk over time.

Early on, Black Kite adopted the widely known Patch Tuesday cadence — implementing patches for known vulnerabilities on the second Tuesday of every month. When I joined the team, we expanded our countermeasures to include regular vulnerability scanning using several tools and services. 

In addition, our architecture team is working towards implementing least privilege access across the company and our product. We are also empowering developers to build more securely. We monitor our Jira ticketing system for vulnerabilities, and our metric for measuring reduction is a decline in tickets created.

4. Security Patches

By signing the pledge, organizations agree to work on increasing the use of patches by their customers and users. 

At Black Kite, our customers are responsible for performing systems security patching on their own platforms. To support them, Black Kite performs independent penetration testing on its code, and any identified defects are repaired in development and then released as patches.

5. Vulnerability Disclosure Policy

This part of the pledge requests teams to produce a vulnerability disclosure policy, permit anyone to disclose vulnerabilities without repercussions, provide a channel for reporting them, and allow public disclosure in line with global standards. 

Black Kite practices full disclosure with our customers. If Black Kite were to experience an intrusion, customers would have access to gather evidence. In my experience, this level of maturity is fairly rare for a company of our size and age. 

In addition, we have a Trust Center, found at trust.blackkite.com, where anyone can learn more about our commitment to security and request a SOC 2 report or penetration test results. 

6. CVEs

CVE (Common Vulnerabilities and Exposures) is a system used to identify and track vulnerabilities in software and systems. The pledge asks signers to demonstrate transparent reporting of vulnerabilities.

Black Kite identifies its own CVEs through independent penetration tests. While Black Kite does not publish its CVEs publicly, we do make our penetration test results available to customers on request.

Additionally, anyone can visit Black Kite’s Trust Center for more detailed security control and process information. Any stakeholder may request our SOC 2 report and proof of compliance with other well-known standards.

7. Evidence of Intrusions 

Finally, the CISA pledge calls on organizations to enable customers to gather evidence of intrusions within their products. At Black Kite, we fully embrace this level of transparency. Should an intrusion occur, we have a clear process in place that allows customers to collect relevant forensic data directly from our systems. This ensures they can take necessary action to protect their own environments.

In addition, Black Kite provides customers with access to detailed logs, incident reports, and audit trails upon request so they can perform their own incident investigations. We believe that empowering our customers with the right tools and information is essential to maintaining trust and ensuring that both parties can respond swiftly and effectively to any potential threats.

Startups and Security Maturity

While working at a startup or scale-up can sometimes be seen as a disadvantage when it comes to security, there are some unique advantages at play these days. For example, many investors now seek evidence of security policies and controls before funding companies. Customers are also increasingly savvy about security, in part due to measures like CISA’s pledge. In other words, there are many incentives today to “do the right thing” regarding security. 

One of the other major advantages that startups and scale-ups have is their ability to build security processes from the ground up rather than retrofitting them into legacy systems. Startups can often move more quickly to adopt new security technologies and practices without being slowed down by outdated infrastructures or bureaucratic hurdles. At Black Kite, we took full advantage of this agility. From day one, security wasn’t just something we added on after our product matured—it was a core part of our design and architecture.

As a third-party vulnerability management platform, Black Kite’s customers naturally request to see proof of our own security posture. We make this available through our Trust Center, where customers can access critical resources, including our SOC 2 Type II report, ISO 27001:2022 certificate, and a summary of penetration tests. Additionally, our platform leverages trusted subprocessors like Google Cloud to ensure the highest levels of data protection.

Black Kite’s Trust Center also showcases our extensive security controls, including encryption, access restrictions, and disaster recovery plans, all of which are updated regularly to reflect our ongoing commitment to secure operations. This transparency allows our customers to verify our security posture and gives them confidence that we’ve built our platform with secure-by-design principles from the very beginning.

As a CISO, I feel fortunate to be part of a scale-up business that takes security seriously. While signing the CISA pledge is neither the beginning nor the end of our security efforts, it’s an important way to join forces with other organizations and demonstrate our shared commitment to security.

Visit our Trust Center to learn more about our security practices, access compliance certifications like SOC 2 and ISO 27001, and review key resources like our Pentest Summary and Information Security Policy. You can also explore our security controls and infrastructure details or request access to additional documentation of our commitment to transparency and secure-by-design principles.


The post Built to Protect: The Importance of Security by Design in TPRM appeared first on Black Kite.
