Your organization operates in a world where threats come from multiple angles and the damage from any kind of physical or cyber breach can be significant and long-lasting. Every facility visit, every meeting, and every interaction, physical or virtual, carries its own unique security and compliance implications and risk.

Because of that, your organization cannot afford to let its guard down—with its own practices and processes, and with the vendors and systems it invites into its security and compliance ecosystem. It’s imperative that the vendors on which your organization relies for visitor management and security recognize and take seriously the responsibilities that come with supporting customers. If they’re anything less than laser-focused on supporting your organization’s risk-management and compliance efforts, that could unnecessarily expose your organization to additional risk.
At minimum, the vendors that supply your visitor management, security, and compliance systems should meet all your organization’s expectations and requirements for compliance and privacy, even as those requirements shift in certain countries and jurisdictions as laws become more stringent. However, your organization should demand more than the bare minimum. These vendors should be a true asset and partner to your organization when it comes to security and compliance.
But what does that mean, exactly? How do you determine if a vendor is the right partner for your organization? Start by getting answers to the following five questions:
1. Do they offer their entire compliance and security program as a living set of contractual requirements?
A vendor should commit to its entire compliance and security program in the contract itself, and those commitments should evolve as the laws, standards, and threats they reference change rather than being frozen at signing. A static contract or an informal good-faith promise can't keep pace with a rapidly changing risk and threat landscape, and it gives you nothing to enforce when the vendor's program drifts.
2. Are they transparent about their overall security and compliance posture?
Whether you’re a current or prospective client, you should have ready access to up-to-date information about a vendor’s certifications, qualifications, and compliance with applicable standards for data security, privacy, and the like. Look for vendors that have a centralized, public-facing library for this kind of information.
This compliance information hub should provide documentation (such as third-party audit reports or published self-assessments) demonstrating their compliance or alignment with, or certification to, best practices, standards, and regulations such as STAR Level 1 from the Cloud Security Alliance (CSA), along with SOC 2 Type II, the European Union's GDPR, California's CCPA, the NIST AI Risk Management Framework, Canada's PIPEDA, and more.
CSA STAR Registry Level 1 status, for example, means a vendor has joined a group of global cloud service providers (including IBM, Microsoft, and Google) that have documented their security and privacy controls across 450+ control types in a published self-assessment and aligned their practices with international standards. All documentation related to a vendor's STAR Level 1 status is publicly available on the CSA registry, making due diligence faster and easier. Keep in mind that Level 1 is a self-assessment; if you need independent validation of those controls, look for STAR Level 2, which requires a third-party audit or certification, or for a SOC 2 Type II report.
Having this information readily available lets an organization verify that its vendors are keeping pace with the fast-changing threat and compliance landscape. It also simplifies due diligence and procurement for organizations evaluating vendors and their visitor management and security systems.
Bottom line: If you can’t access this type of information yourself, a vendor should be willing and able to provide it.
3. Are they actively engaged members of the security, compliance, and risk-management communities?
A vendor should be actively gathering information, learning, and building their subject-matter expertise. Do their executives participate in organizations like CSA, engaging in the dialogue around best practices, standards, and policies? Vendors that do are more likely to speak your security and compliance language and to understand your specific needs and priorities in these areas. They are also likely to be better equipped to understand the latest threats and ever-shifting risks organizations must manage, and the role they can play in helping you manage those risks.
4. Do they continually invest in system improvements?
As a customer, you should expect consistent improvement and evolution in the security, visitor management, and compliance systems your vendors provide—a steady stream of new capabilities that reflect the changing threat and compliance landscape. These systems should enable you, the customer, to stay a step ahead in managing physical and cyber risks as well as hybrid threats that can move from the physical domain to the cyber domain and vice versa.
The visitor management and security systems your vendors provide should also leverage trusted and validated threat intelligence databases to support visitor prescreening. This prescreening can be automated, speeding the process and making it less of a burden on staff.
Any enhancements a vendor makes to their systems should carefully balance security and compliance with the overall visitor experience. The goal is strong security and policy enforcement delivered through a curated, personalized, and low-friction visitor experience. Elevated security for your organization and a streamlined experience for your visitors aren't mutually exclusive, and you should expect your vendor's system to deliver both.
5. Do they treat you as a partner?
Because security, visitor management, compliance, and risk management are high-stakes, ongoing endeavors, the vendors that provide systems for these areas of your business should treat you as a partner, not just another revenue source. They should have on-staff expertise that they generously share with your teams. Their sales, implementation, and support teams should be readily accessible to answer questions and listen to concerns. They should understand the nuances of your business and your industry, and act as partners in the compliance effort. When they do, they become important assets and allies.
When it comes to protecting your business from physical and cyber breaches, there's too much at stake to settle for the bare minimum or for a static approach to compliance. Your vendors' commitment to security and compliance should match or exceed your own, and that commitment should be codified as a living set of contractual requirements. Ultimately, your organization's security, compliance, and risk-management programs are only as strong as the weakest link in your vendor ecosystem.

Jason Mordeno is the director of compliance and security at visitor management platform provider Sign In Solutions. In his role, Mordeno also serves as global privacy and data protection officer and head of U.S. federal for FedRAMP. He brings a deep background in regulatory compliance, cloud security, and federal frameworks.
