By Bryan Johnson, IT Director, Alliant National Title Insurance Company
Aristotle supposedly once said, “It is the mark of an educated mind to be able to entertain a thought without accepting it.” Although the ancient philosopher died nearly 2,000 years ago, his statement remains highly relevant to how businesses should approach security issues today, particularly regarding third-party applications. Digital apps are essential to workplace productivity and profitability in 2025, but that doesn’t mean we can take anything an app vendor says at face value. Rather, businesses that wish to maximize the benefits of their applications while minimizing risk need to deploy a strategic, thoughtful process. Here’s how you can do that in three easy steps.
1.) Initial screening process
Properly vetting a third-party application’s security begins with an initial screening of needs and capabilities. Start by asking yourself a simple question: Is there an actual business need here for this application? Once that need is established, you can start figuring out what the application is (cloud service, browser extension, etc.), which data sets it will touch (financial, personal customer information, etc.) and who is going to end up using it (internal-only versus customer-facing). Answering these questions early helps you gauge risk and define the safeguards you’ll need.
2.) Security, privacy and data access review
Following your initial screening, check if the application you’re considering adheres to reputable security and privacy frameworks like SOC 2 Type II and ISO 27001. These certifications show that the app provider follows industry best practices for controls, monitoring and governance. Don’t stop there, though. To cover all your bases, you will also want to review an app’s:
- Penetration test results
- Privacy policy
- Encryption practices
- Data storage and access processes
Finally, round out your investigation by examining whether the app meets any relevant regulatory requirements such as those stipulated in the GDPR, CCPA or HIPAA. For a data-heavy industry like title insurance, these expectations should be largely non-negotiable.
3.) Internal governance and continual monitoring
Once you collect and review this information, you can proceed with implementing your app. However, that doesn’t mean you should consider the project complete. Whenever you launch a new IT initiative, there is always the possibility that something may go awry. Continual monitoring can help you quickly remediate any problems that arise with your app down the line. To make this process easier, take the time to determine who owns the relationship with the application vendor ahead of time. Then, establish a process for keeping tabs on updates, misuse, and security vulnerabilities. Performing this due diligence before launching the application can prevent future headaches.
Get the answers you need
To wrap this all up, I want to leave you with another quote from Aristotle, who said, “The roots of education are bitter, but the fruit is sweet.” I think this goes to the heart of what this blog is discussing. Vetting third-party app risk undoubtedly requires effort, but the rewards justify the work involved. And by following the three steps outlined here, I promise you’ll get the answers and results you need.