Organizations are increasingly furthering their goals through reliance on suppliers conducting critical work. In support of this, information security departments routinely conduct security assessments of those suppliers in order to help minimize risk in their supply chains. These assessments usually consist of some combination of questionnaires, onsite observations, testing, and interviews. Unfortunately, such assessment routines tend to reveal only superficial (or overly obvious) issues with the suppliers. What decision makers really need to know is whether the supplier will handle the information entrusted to them with care. Amongst other things, managers and executives want to know whether the supplier has had problems doing this in the past, and what the odds are of them making mistakes in the future. This article provides a technique to help better inform management and to support better information security decisions about vendor and supplier choices.
Difficulties in Supplier Assessments
The fundamental problem in assessing the information security posture of a supplier is embodied in the economic concept of asymmetric information, a central aspect of game theory and a fitting construct for the supplier management process. Put simply, your vendor will always know more about the state of their security than you will. In order to make a better sourcing decision, you need to gather and analyze information about the supplier. Nevertheless, we fall deeper into the asymmetric problem once again, because the most popular tool to assess suppliers is a questionnaire. Many have adopted the Standard Information Gathering (SIG) questionnaire originally developed by the Shared Assessments Program. The SIG is a very capable tool for understanding the information security control environment of a supplier and, according to the Shared Assessments Program, it helps service providers avoid having to answer unique questions from every customer, and can even negate the need for a customer to conduct any onsite assessments (Holt & McDonald, 2011). Therein lies the problem. Relying on tools like the SIG (as good as it is) necessarily means that you are outsourcing your supplier security evaluation to someone else. In the case of a survey instrument like a questionnaire, you are outsourcing not only your business to this vendor, but your evaluation of their security as well! According to one Chief Privacy Officer of a Fortune 100 financial services company: you cannot make your vendors your insurers.
This over-dependence on the completion of supplier security questionnaires can be categorized as nothing short of misplaced trust. It is easy enough for the responder to identify the “correct” answers, and as long as the assessing organization never insists upon or looks for evidence of conformance, those answers will never be challenged. If the organization or one of its trusted employees intends deliberate malicious action (admittedly rare), they are in complete control of the means by which to conduct it. The authors have heard this process jokingly referred to as “companies lying to one another.” Despite this, the same organizations that recognize this deficiency are just as reluctant to respond more truthfully about their own information security and are inclined to provide stock answers that are legally defensible.
Review of the Reid Technique
It is important to note that the application of the Reid Technique in any capacity should only be done by people who have been trained in its methods by qualified Reid instructors. There are many nuances to its application that require intensive instruction, and these are not in scope for this article. The intent of this treatment is to provide an introduction for those who are unfamiliar with it and to illustrate some of the benefits of its application.
Organizations looking to mature their supplier assessment programs should look to law enforcement for guidance on how to assess truthfulness during supplier assessments. The Reid Technique is a popular and widely used approach to interviews and interrogations of suspects by police departments, corporate security, human resources, and fraud investigators (Inbau, Reid, Buckley, & Jayne, 2011, 2013). It is praised for its ability to aid in assessing truthfulness during interviews conducted in person or over the phone, and then to convince guilty suspects to confess their crimes. The method is broken into two phases, namely interview and interrogation. The purpose of the interview is to probe for areas of untruthfulness and to uncover information that can later be used in a “theme,” a term used by Reid practitioners for a narrative that explains why the suspect committed the crime. These themes are typically meant to appear sympathetic to the suspect, justify their behavior, and assuage their guilt. As an example, assume that during an interview it was uncovered that the employee had been missing a lot of work to care for their sick grandmother. This information could be woven into a narrative that is delivered during the interrogation phase (“You took the money to care for your sick grandmother.”). Note that it is not necessary for the narrative to be truthful – the interviewer will not care whether the employee really did use the money to care for the grandmother; all that is at issue is whether the suspect took the money.
The interrogation phase, as one might expect, has a harsher tone and begins with the declaration that the suspect is indeed guilty and the only thing left to determine is the “why.” It is at this point that the aforementioned themes are applied, but typically only two choices are offered: one that has some moral redemption (You stole the money to help your grandmother) and the other a dismissive option that is meant to represent that the suspect has no morally redeeming characteristics and is beyond hope (and implied legal leniency). Many Reid experts boast written confession rates well into the 90th percentile.
What is unique about the Reid technique is its application of the above process together with looking for verbal and nonverbal cues about the suspect’s guilt. All of this is guided by a unique set of questions, the foreknowledge of which does virtually nothing to prepare one for answering untruthfully. Most of these questions are designed to provoke the suspect into revealing guilt. For example, one interview question involves asking whether whoever did actually commit the crime deserves a second chance. Often those who are guilty tend to get tongue-tied and reveal that some level of leniency should be offered if the perpetrator was really sorry for the offence. It is not a single answer or nonverbal response that is an indicator of guilt in Reid; it is the cumulative assessment of the interview. For instance, someone with very high religious devotion may offer leniency to anyone in all cases. Further, this approach to gaining confessions does have limitations, as children and other individuals who are highly suggestible will often confess to acts they did not commit in order to appease the interviewer (Meyer & Reppucci, 2007). These concerns are well documented and there are alternative approaches to mitigate these issues.
Applying Reid to Supplier Assessments
The authors have been utilizing this approach to conduct supplier assessment interviews for about three years and have practiced it during approximately 40 different supplier assessments. This includes companies varying in size from small businesses and startups to the Fortune 100. This application of Reid has been modified from its original form to accommodate use by security professionals assessing suppliers. It was inspired in part by the work of Copes, Vieraitis, & Jochum (2007) when one author was researching ways to apply Reid to online fraud scenarios perpetrated by business partners. To be clear, there is no application of the interrogation techniques in the review of suppliers; one would hardly countenance such a business relationship. However, the use of Reid to build themes to aid in the assessment of supplier deception as they answer questions about the state of their security can help reduce the asymmetric knowledge of control states, and lead to better supplier decision making by management (Porter & ten Brinke, 2010).
The following assumptions apply to those using Reid in their supplier assessments:
1. You are not conducting significant evidence collection or assessments of the strength of the supplier’s controls. If you are, then this process will work even better, but mostly this approach is designed to assist in scenarios where little independent validation is conducted.
2. You do not have a significant amount of time to review all the suppliers in your portfolio and need to prioritize resources.
These assumptions are important to describing why this approach is helpful. As many organizations increase their supplier usage, it falls on the security department to conduct more reviews, often with fewer people. This approach is designed to aid in prioritizing investigation efforts toward only those suppliers that exhibit a high degree of risk and untrustworthiness.
Framework for Assessing Truthfulness in Supplier Security Reviews
Much like its application in law enforcement, the goal of a supplier review using Reid is to close the asymmetric knowledge gap. The overall process for conducting supplier interviews using Reid is as follows:
1. Information Gathering
2. Controls Review
3. Theme Development
4. Interview
5. Documentation
The first step in the process is to gather as much information about the supplier engagement as possible. What this includes will vary significantly depending on the organization and engagement. In some cases there will be detailed technical design documents, while in others there will be nothing more than a loose business case. It is vitally important in all cases, however, to develop at least a high-level understanding of the data flows from the host organization to the supplier.
After understanding the context of the supplier engagement, the next step is to conduct the controls evaluation. There is no need to develop special tools for this—it is sufficient to leverage whatever existing questionnaire is currently being used by your organization. In the end, there does need to be some base evaluation of the control posture of the supplier. At the very least, the supplier’s answers will give you something to work with as you move into the next phase of the process. If, however, you have the opportunity to conduct your own evaluations (onsite review, penetration testing, scanning, inventorying, etc.), then you will have an increased amount of veracity around the control posture claims by the supplier.
The next phase is to develop a theme or narrative that explains the supplier engagement and encompasses some subset of controls that will represent a critical control set for this engagement. Some sample themes are included here (note: see original for table)
Once there is a compelling “theme” to be used as a guide for further inquiry, the next step is to interview the supplier to gain additional information about their control state. Too often, supplier risk assessors are overly concerned with appearing impertinent in their inquiries. This is understandable, as security and controls are a sensitive topic for discussion. However, these engagements should be conducted in a cordial, yet not overly friendly, manner. It is important to remember that this is a business engagement. One question the authors make frequent use of is to ask specifically whether the supplier has ever had any data breach incidents. While it may be bold, it is precisely the question to which decision makers want to know the answer.
The topics for discussion (either over the phone or in person) will vary and should cover security controls. The Reid interview questions should be worked into the discussion to gain additional insight into the veracity and truthfulness of the supplier. These questions are based on the Reid technique, but modified to be more applicable to IT inquiries. They are designed to elicit responses from the interviewee that can give subtle indications to the interviewer, including guilty verbal and nonverbal responses. While conducting these interviews, it is important to pay attention to your own nonverbals in order to invite trust and honesty. This includes dressing like a professional (business attire), non-threatening seating (do not sit across from the interviewee), and maintaining an open posture. When conducting these interviews over the phone, it is doubly important to listen for indicators and to verbally reinforce a professional, non-threatening demeanor. It is also important to note that the goal of the interview is not solely to uncover deceptiveness. Properly implemented, these techniques can be highly useful in confirming truthfulness.
With this in mind, here are some Reid-based supplier interview questions. Note that it is not necessary to use all of these questions in the interview, nor will it be possible to work all of them into the conversation organically. Additionally, after completion of the Reid training, you may develop questions that are a better fit for your organization’s posture and goals (note: see original for table)
Assessing Risk Associated with Supplier Truthfulness
There are various models for assessing risk, but for those that enable the ability to model threats and their relationship to controls (such as FAIR), there are several areas where the results of the above questions can contribute to a supplier risk assessment model (“Risk Taxonomy Technical Standard,” 2009).
Frequency/Probability of attack
Information about malicious activity and management commitment can give insight into the frequency of attacks. For instance, if you sense that there is a malicious element within the organization, then you can increase your estimates of how often you will experience those kinds of attacks. Further, management’s commitment to the security program can indicate whether or not there is going to be an increased amount of external attacks.
Capability of attackers
Through the totality of your assessment, you will have the chance to assess how capable the technology and staff at the supplier will be were they to stage an attack against your organization or its data. The authors routinely ask suppliers how often their people go rogue and conduct malicious activity.
Control Strength
There are many places where the control posture of the supplier can be assessed. It is important, however, to make a distinction about where the attack originates. In most scenarios, you will not be notified about an attack by the supplier until after they have already concluded their investigations. The interview questions will nonetheless give you a sense of the state of the controls in comparison to industry best practices.
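The following added example (not from the original article, nor from the FAIR standard itself) shows how the three interview-derived signals above can move a FAIR-style estimate: threat event frequency (TEF), threat capability (TCap) and control strength (CS) are sampled as triangular distributions, vulnerability is the fraction of samples in which TCap exceeds CS, and loss event frequency (LEF) is TEF multiplied by that vulnerability. The distribution ranges and the size of each adjustment are illustrative assumptions, not calibrated figures.

```python
"""Monte Carlo sketch of how supplier interview findings move a FAIR-style LEF."""
import random
from dataclasses import dataclass


@dataclass
class FairInputs:
    tef: tuple   # threat events per year as (min, most likely, max)
    tcap: tuple  # threat capability percentile as (min, most likely, max)
    cs: tuple    # control (resistance) strength percentile, same shape


@dataclass
class InterviewFindings:
    malicious_element: bool        # interviewer senses a malicious element in the org
    weak_mgmt_commitment: bool     # management commitment to security is weak
    capable_rogue_staff: bool      # staff/technology could stage a credible attack
    unmonitored_key_controls: bool  # e.g. key management system largely unmonitored


def apply_findings(base: FairInputs, f: InterviewFindings) -> FairInputs:
    """Shift the FAIR inputs according to interview signals (assumed multipliers)."""
    tef, tcap, cs = base.tef, base.tcap, base.cs
    if f.malicious_element:           # insider malice raises expected attack frequency
        tef = tuple(x * 2 for x in tef)
    if f.weak_mgmt_commitment:        # weak commitment invites more external attempts
        tef = tuple(x * 1.5 for x in tef)
    if f.capable_rogue_staff:         # capable staff raise threat capability
        tcap = tuple(min(100, x + 20) for x in tcap)
    if f.unmonitored_key_controls:    # an unmonitored key control lowers resistance
        cs = tuple(max(0, x - 25) for x in cs)
    return FairInputs(tef, tcap, cs)


def loss_event_frequency(inp: FairInputs, trials: int = 20000, seed: int = 1) -> dict:
    """Sample TEF, TCap and CS; LEF = TEF x P(TCap > CS)."""
    rng = random.Random(seed)  # seeded so results are reproducible
    tef_sum = 0.0
    lef_sum = 0.0
    hits = 0
    for _ in range(trials):
        # random.triangular takes (low, high, mode)
        tef = rng.triangular(inp.tef[0], inp.tef[2], inp.tef[1])
        tcap = rng.triangular(inp.tcap[0], inp.tcap[2], inp.tcap[1])
        cs = rng.triangular(inp.cs[0], inp.cs[2], inp.cs[1])
        tef_sum += tef
        if tcap > cs:  # the attempt succeeds when capability beats control strength
            hits += 1
            lef_sum += tef
    return {
        "tef_mean": tef_sum / trials,
        "vulnerability": hits / trials,
        "lef": lef_sum / trials,
    }


if __name__ == "__main__":
    # Constructed baseline: a supplier with ordinary exposure and decent controls.
    base = FairInputs(tef=(1, 3, 6), tcap=(30, 50, 70), cs=(50, 70, 90))
    flagged = apply_findings(base, InterviewFindings(True, False, True, True))
    print("baseline:", loss_event_frequency(base))
    print("flagged: ", loss_event_frequency(flagged))
```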
Results
Due to ethical and legal obligations, the authors will not be sharing details of any assessment activity that included Reid questions. However, the authors have prepared the following sanitized narratives to illustrate some of the benefits of including Reid questions in the supplier review process. Most supplier reviews include on average one to three Reid questions. Each of the scenarios below is designed to provide some insight into the kind of additional information that using Reid can garner from a regular supplier interview. These narratives may suggest that there is often drama in the interview process when Reid is utilized; however, it is worth noting that the vast majority of interviews resulted in the confirmation of a supplier’s truthfulness and little in the way of drama.
Cloud Provider
During this engagement, a considerable effort was underway to migrate an internal customer relationship application to an external cloud service provider. The business had narrowed their selection down to two potential providers (both very well known) and it was at this point that the security team was brought in to conduct their assessment. Two key controls formed the theme for the interview: 1) key management, and 2) controls that provided oversight of the cloud provider’s internal privileged employees (access management). One supplier indicated that they used a key escrow service to control their internal employees’ access to sensitive data and systems. However, upon further inquiry it was determined that access to the key management system itself was largely unmonitored. This allowed the introduction of a Reid line of questioning about how often their internal employees misuse the privileged access granted to them. Now, with the benefit of hindsight and not being engaged in a stressful exchange with a potential client, we can easily conclude that the “correct” answer would be something about the company not discussing security incidents yet dutifully notifying affected customers. However, the cloud provider responded with a stutter, a pause, and then blurted out, “never.” Without pausing, this was followed up with the Punishment question: “Bob, what should my firm do if you have an incident because you haven’t fixed this?” At this point, Bob (not their real name) paused, and then indicated they would close this gap, and the conversation turned to remediation efforts and timelines for completion.
Healthcare Company
One routine supplier review utilized some nonverbal Reid techniques involving non-traditional seating (we did not sit across from the interviewee, choosing instead to sit next to them while facing them with an open body posture). For most people, this is not a socially comfortable arrangement—we tend to prefer something between us, such as a table—and as a result, the interviewee closed their body posture (crossed their leg in front of them and used their arms to pull on their leg). The security review continued routinely until the subject of risk assessments was reached. It became clear that their rating method deprioritized systems that we would have considered high risk (and that would have justified commensurate control levels). The interviewee maintained that this was the correct rating; however, there was concern that the firm’s data would not be adequately protected. It is worth noting that during this line of questioning the interviewee changed their posture several times and began sweating profusely. At this point, a Reid question helped to expose the issue: “Bob, what is the primary driver for this rating? Is it another customer you have, or some security standard you are trying to comply with?” Bob (again not their real name) then revealed that they had a significant government client that required them to comply with a specific security standard. In so doing, they had to identify systems that could contribute to loss of life, and these were the only systems they could rate as high risk. What this revealed was that they had replaced their own risk tolerance with that of their client, and further that it was misaligned with our own.
Conclusion
You will always know less about the state of your supplier’s controls, security, and incidents than they will. Your job as a supplier security assessor is to work to close this asymmetric knowledge gap. While questionnaires are a good tool for cataloging and inventorying controls, it is important to use other tools to gain a better sense of the degree to which key controls are being implemented, maintained, and supported. Utilizing the Reid Technique methods and the modified questions presented by the authors can give the assessor better insight into the supplier, and ultimately provide decision makers with the information they need to make a better supplier decision. It is also the recommendation of the authors that anyone interested in effectively utilizing the techniques put forth in this article complete the Reid Interview and Interrogation training course.
References
Copes, H., Vieraitis, L., & Jochum, J. M. (2007). Bridging the gap between research and practice: How neutralization theory can inform Reid interrogations of identity thieves. Journal of Criminal Justice Education, 18(3), 444-459.
Holt, E., & McDonald, C. (2011). Shared Assessments Roundtable. Retrieved from http://sharedassessments.org/media/Holt-Roundtable-CaseStudy-Day1.pdf
Inbau, F., Reid, J., Buckley, J., & Jayne, B. (2011). Criminal Interrogation and Confessions (5th ed.). Burlington, MA: Jones & Bartlett Learning.
Inbau, F., Reid, J., Buckley, J., & Jayne, B. (2013). Essentials of the Reid Technique (2nd ed.). Burlington, MA: Jones & Bartlett Learning.
Meyer, J. R., & Reppucci, N. D. (2007). Police practices and perceptions regarding juvenile interrogation and interrogative suggestibility. Behavioral Sciences and the Law, 25(6), 757-780.
Risk Taxonomy Technical Standard. (2009). Retrieved from http://pubs.opengroup.org/onlinepubs/9699919899/toc.pdf
Note: This article was originally published in the ISSA Journal in October 2013. The copyright reverts back to me this month so I published it here. If you are interested in seeing the original, you can view it here.