Do CISOs need to rethink service provider risk?


For Thiele, a customer's request to view the enterprise risk register will usually get a 'no', whereas a request for a high-level review of pen test results is more likely to get a 'yes'. “We’re happy to give you a summary, but not the detailed findings. It’s not that we’re hiding anything — it’s that the less detail that’s out there, the better,” Thiele tells CSO.

Given the volume of requests for reports and for completing detailed assessments of 200-plus questions, the contract needs to be worth the time and effort required to fulfil them. “We’ve started to put bounds around it,” he says. “If it’s a multimillion-dollar engagement, sure. But if it’s small, we’ll point them to our online portal instead.”

Stockdale, having once been given assurances and naively accepted them, now asks for solid evidence. In practice, that means that as part of due diligence, UQ’s cybersecurity team now prefers standards-based assurance. In the past they have asked providers for pen test results and sometimes been refused. “So we tend to go for that more standards-based approach — ISO 27001, SOC 2 — as part of our third-party risk assessment.”
