THE SECURITY BRUTALIST

The Brutalist Vendor Security and Risk Management: Part 1 - New Vendors

In this two-part series, we explore how Security Brutalism sharpens vendor security and risk management. Part 1 focuses on evaluating new vendors.

Most vendor assessments drown both parties in lengthy questionnaires that produce little useful information. A Brutalist approach does the opposite. Keep the assessment short and focused on the few indicators that reveal whether a vendor introduces unacceptable risk. The objective is not to measure maturity, but to determine, quickly, whether the vendor can be trusted with your data and systems.

The first question is straightforward: "What is your plan for immediately cutting off our data or system access if you are compromised or your service fails?" This assesses incident response and business continuity from your perspective, not theirs. The answer should describe concrete actions that protect your organization. Vague responses or references to internal policies should be treated as warning signs.

The second question asks: "Can you demonstrate that all our data is encrypted in transit and at rest, and that access is protected with strong authentication?" These are fundamental controls. The emphasis is on demonstration, not assertion. Vendors should be able to show how these controls operate in practice. If they cannot, the risk is already too high.

The final question is: "Who is directly accountable for security, and how can we reach them 24/7 during an emergency?" This tests accountability and responsiveness. Security incidents rarely happen during business hours, and organizations need a direct path to someone empowered to act. A clear answer usually reflects a mature and operational security program.

If any answer is vague, delayed, or unsatisfactory, treat it as a "No". Responses such as "we'll get back to you" or "it's covered in our policy" are also "No". The goal is to eliminate vendors that introduce immediate and unmanageable risk.

Vendor security assessments begin before the contract is signed. Security Brutalism favors reducing vendor dependencies wherever possible, but some partnerships are unavoidable. Those relationships should not expand risk unnecessarily.

In Part 2, we will examine how to manage risk from existing vendors and what to do when a vendor is compromised.