THE SECURITY BRUTALIST

The Brutalist Vendor Security and Risk Management: Part 1 - New Vendors

In this two-part series, we will explore how Security Brutalism can sharpen the approach to vendor security and risk management. Part 1 tackles the often-dreaded security questions for vendors.

To apply the Brutalist Security approach, keep the number of questions hyper short (three questions) and useful; the focus must be on immediate, high-impact risk indicators. The goal is to quickly determine whether the vendor poses an unacceptable security risk, either in their current state or upon onboarding.

Here are the questions, prioritizing the most critical aspects.

The Brutalist Vendor Security Questions

1. "What is your plan for immediately cutting off our data/system access if you are compromised or your service fails?"

This directly assesses their incident response and business continuity preparedness from our perspective. It demands a concrete, actionable plan for our protection, not just their internal processes. A lack of a clear, rapid answer is a massive red flag.

2. "Can you demonstrate your ability to encrypt all our data, both in transit and at rest, and manage access to it using strong authentication (including MFA where applicable)?"

This hits the core of data protection. It's binary: either they can demonstrate it (not just claim it), or they can't. These are fundamental controls. If they struggle here, the risk is immediately too high.

3. "Who is directly accountable for security within your organization, and how quickly can we reach them 24/7 in an emergency?"

This probes accountability and responsiveness. It avoids vague "security teams" and demands a direct point of contact for critical incidents. A clear, immediate answer indicates a mature security posture and willingness to engage when it matters most.

Brutalist Security Analysis

The goal is to weed out vendors that introduce immediate, unmanageable risk. So:

To Close

Vendor security assessments are non-negotiable from day one. While Security Brutalism advocates minimizing vendors and complex "magic solutions," some partnerships are essential. So, let's ensure any vendor we bring on board doesn't introduce unnecessary risk.

In Part 2, we'll cover managing existing vendor risks and what to do if a compromise occurs.