Commentary: The avoidable risk CIOs are unknowingly introducing into their organizations

First, the good news. Many institutional investors are taking security more seriously and dedicating a portion of their requests for information or requests for pricing to questions about a potential vendor's security.

As part of the institutional investment community and in dealing with large amounts of money, you're likely investing in security as a priority. You've set up due diligence requirements for your managers and are asking potential partners and vendors an exhaustive list of questions related to their security measures and protocols.

Now, the bad news. Many of the most commonly asked security questions in RFIs actually undercut due diligence processes by eliciting misleading, ambiguous or irrelevant information.

You're asking the wrong questions and therefore unable to accurately assess and evaluate the security profile of a potential partner or vendor, and the consequences can be serious: You could be opening the door to a host of damaging security risks.

Here is what you should be doing instead:

Binary questions are a staple of many security questionnaires but do little to elicit useful information. They provide no depth of information on the sophistication or maturity of a potential partner or vendor's security processes. Instead of asking, "Does your firm have an information security policy?" ask, "Explain how your firm addresses information security." This phrasing gets to the root of access control, data classification, cyberthreats, remote access, availability, password management and physical security. Asking questions that require long-form answers will tell you if a vendor truly has the security in place that your firm requires.

Multipart questions introduce a most unwelcome factor into the vetting process: ambiguity. For example, "Does your solution provide administrative controls and the capability to provide user permissions based upon group or role, as well as limit the data that can be modified?" This question references three things: administrative controls, access controls and data controls. These items are certainly related, but they are not the same. Adding to the confusion, vendors/partners can answer any part of these questions in any way they want. This inconsistency means you are not comparing apples to apples when deciding between potential partners.

Asking questions that zero in on specific security technologies and tools are a common mistake. Take for example data loss prevention, or DLP, a popular security technology. Including a question that asks potential vendors or partners, "Do you have a DLP system implemented?" is not helpful. We already know that binary questions don't provide a comprehensive answer. Furthermore, Target Corp. had a DLP system in place when the company was breached in 2013, but even so, hackers got in because no one was paying attention to what the system was saying.

Technology for technology's sake is rarely the answer. In fact, judging a vendor solely based on tech capabilities may disqualify candidates that can actually deliver what your investment firm needs. To return to the above example, DLP systems are not the only way to secure data. Different technologies and tools can be used to deliver an equivalent security profile. Questions like, "How do you provide 24/7/365 data monitoring?" focus on the desired capability and end result as opposed to a specific technology or tool.

If you don't have security personnel on staff, it's common to rely on templates or consultants to provide RFI security questions. This can be helpful, but only if you keep the following in mind: some recommended questions may not apply to your institution and some critical questions for your organization may be left out of a given template. Similarly, some may use verbiage you don't understand. Don't get bogged down in a template. Rather, ask about what is important to your firm; no more, no less.

As a chief investment officer, you can strengthen your institution's due diligence activities by simply asking better questions. There's no need for an exhaustive questionnaire that grills vendors about every last detail of their security profile. Rather, you want to zero in on what is important to your organization and phrase questions in such a way that vendors provide relevant information that you can use in making a wise decision. With proper execution, it's a small change that can yield big results.

Michael Neuman, vice president of information security at Backstop Solutions Group, Chicago. This content represents the views of the author. It was submitted and edited under Pensions & Investments guidelines, but is not a product of P&I's editorial team.