A supplier cyber assessment to procure a potted plant

Industry figures call out ineffective and resource-heavy buyer security questionnaires

The questionnaires that are sent out by companies to assess the cyber security posture of suppliers have been roundly criticised by industry figures.

Stuart Mort, who joined Optus from Oracle in May as the telco’s director of cyber security, called out the now common practice yesterday in Sydney, saying: “Suppliers can tick boxes. It isn’t addressing the risk.”

“I’ve looked through a number of contracts of people going to cloud or buying software licenses or anything in between,” he said at an event staged by the Australian British Chamber of Commerce, BAE Systems and King & Wood Mallesons.

“It’s the same 300 questions. I’m convinced that if the companies were buying a potted plant they’d give the same 300 questions. They’re not tailored to the risk.”

To counteract the now well-understood security risk posed by the supply chain, a cyber security assessment of suppliers – often called an SAQ (Security Assessment Questionnaire) – has become a well-established element of procurement processes.

Mort said he makes a point of responding to these forms by asking to speak to the buyer’s security team.

“Sometimes they come back and say – ‘we’ll have to find who that person is’,” he said. “There’s a disconnect between the procurement, the legal team and the security team.”

The sheer length and volume of assessments being received was a major drain on resources, said Cheng Lim, who leads King & Wood Mallesons’ cyber security initiative.

“We as a supplier get innumerable questionnaires from our clients about cyber and our security posture and what we do. And we have to deal with multitudes of questions all aimed at the same thing, but with slightly different questions. Answer each one individually,” he said. “The cost to business is actually humongous.”

Lim suggested that a single standardised set of questions, or an accreditation scheme would be beneficial.

“It would save business a huge amount: ‘Yes we are accredited to this standard’,” he said.

Red tape

As part of its national cyber security strategy, the government is developing guidance for agencies to consistently manage supply chain security risks. "In time, this work will be used to help inform the private sector," the strategy says.

The government is already working with telecommunications companies to manage supply chain risks, it said, by providing advice around protecting networks and the information carried across them.

Roger Wilkins AO, secretary of the Attorney-General's Department until his departure in 2014, argued that in the private sector, government should not get too closely involved.

“The last thing you would wish is for government to come and regulate this area. I think that would just create a huge amount of red tape to no end,” he said.

“There’s a whole bunch of people [in government], they’re raring to do this. I’ve had to kill off a few proposals in the past actually. I don’t think that would be useful.”