Google expands minimum security guidelines for third-party vendors
Caution against charging for basic security features
The latest version of the MVSP controls also discourages vendors from adding costs to access basic security features in their products and encourages them to bake those basic features into their products by following the security-by-design principles advocated by the US Cybersecurity and Infrastructure Security Agency (CISA).
“Charging for basic security features will discourage some individuals or organizations from adopting those features,” Carielli says. “If we want to make products more secure, access to security features cannot be reserved for the wealthiest customers.”
Discouraging additional costs for security features is a growing trend among software buyers, adds Nick Sorensen, CEO of Whistic, a third-party risk management company. “Security functionality and capability is becoming table stakes for software vendors,” he says. “We’re seeing a lot more buyers asking questions about those capabilities.”
Procurement needs to enforce compliance, as do cyber insurers
Although Google’s MVSP controls have been around for two years, the company noted that 48% of third-party vendors fail to meet two or more of the controls. “The reason nearly half of companies fail to meet these controls is due to awareness,” Hansen says. “Our hope with the MVSP system is to improve awareness and help companies prioritize their resources.”
Sorensen agrees that awareness was “job number one” in getting wider adoption of MVSP controls. “The more companies that require their vendors to meet MVSP controls, the more vendors that are going to meet those controls,” he says.
John Gallagher, vice president of Viakoo Labs, an automated IoT cyber hygiene provider, adds that stakeholders have to get tougher with vendors that are soft on security. “Procurement needs to enforce compliance, as do cyber insurers,” he says. “Both provide a ‘stick’ to the ‘carrot’ of MVSP.”