In the course of my business, I frequently ask IT service providers questions about their information security practices. I frequently find that these answers gloss over significant security exposures, some of which can have a material impact on the customer. Good security requires at least one individual in a company focusing on it focusing on one individual. If the vendor doesn’t have a dedicated security officer, be suspicious about the true commitment to the security of your vendors. Your customers expect it, and they will blame you — not an upstream provider — for any failures.”]