Your confidential data should be seen as your baby. It may be (in the case of customer data and data from partner companies) your adopted baby, but you are accountable for the safety of that cherished product of your labors. No matter how well you protect and govern protection of data in-house, it is always a leap of faith handing it over to a third party.
Everyone gets that security due diligence and supplier assessments are vital, most recognise you find out more if you establish trust, but supplier risk is still near the top of the ‘jumpy about this’ list for every CIO in the land.
Why? Because it’s always partly out of your control and the number of suppliers you rely on to generate revenue has never been higher and numbers are still going up.
You can’t micromanage supplier security and keeping on top of the current risk picture is a Herculean cyclical task, but here 10 things you can do to gain more peace of mind:
NOTE: This piece is based on experience managing supplier security for a FTSE 100 company. Sister post “The Game of Clouds – How To Procure & Stay Secure” provides links to generally relevant standards and control frameworks as well as cloud focussed advice.
1. Confirm with ALL stakeholders what supplier security risk means and what constitutes too much risk
It takes significant up-front effort to understand how much supplier risk your business can tolerate, but you can’t talk about investment to mitigate risks, or make a decision to accept risks if you don’t.
Would you send your child to a new nursery or child minder before thinking about and checking;
- Your child’s readiness and suitability for different childcare set ups
- What could go wrong and how incidents are handled and notified
- Their safety and incident history
- Vital protections needed and already in place
- Qualifications, capabilities and risk assessments carers have
Run scenarios. Play things out to look at worst cases (perhaps pick a few of the recent incidents caused by vendor vulnerabilities – Target, AT&T etc etc) and delve into details. Identified vulnerabilities, how they were exploited, what allowed the exploit (e.g. human error, broken controls or controls ignored).
Think about the real financial, reputational, operational, legal and regulatory fallout if it happened to you. How much fallout can you tolerate in a given year? Not all problems are avoidable. Be pragmatic about how many incidents you can reasonably expect and over what period of time.
Avoid too much focus on availability risk. It’s a trap many fall into because it’s easier to quantify, but is only the tip of the security risk iceberg. Factor in accidental or malicious data disclosure, data theft, hacking, website hijacking, site defacement, social engineering leading to fraud etc.
What are your mandatory reporting triggers for your regulators? At what point will they decide to investigate? How newsworthy would it be? Would the noise be loud enough to impact customer confidence and share price?
Everyone will have their own way to assess risk, just make sure everyone is talking the same language and has the same understanding of the risk status quo.
2. Establish REALISTIC security control requirements
Don’t insist that suppliers adhere to your security policies. Policies are about your requirements for internal control and cannot be a one size fits all for your suppliers. Not just that, unless it’s a tiny firm who’d do anything to win your business, no lawyer in their right mind would let this stay in a contract.
Build default control requirements to match the biggest supplier related risks for one or more of your biggest suppliers. Start with must have controls (DPA, SOx, PCI DSS etc) then move on to making key controls in existing policies supplier relevant.
Now you have the default view of controls required. Next, make it clear to ALL stakeholders that the need for each control will vary, depending on the risk profile of other supply arrangements.
Some risk-averse firms have a tendency to act like new parents when bringing suppliers on board. Don’t be tempted to build a wish list of best practice controls, then wonder why your relationship is unprofitable, adversarial and constantly non-compliant. Yes there are those legal, regulatory and partner driven “must haves”, but the aim is good enough not gold plated security.
Avoid listing granular control requirements in contracts. You either miss something, providing “permission by omission” to ignore controls not there, or guarantee requirements will be out of date within a year or two. Instead, refer out to mutually relevant security standards as benchmarks and cement your right to audit and their responsibilities to respond to findings.
3. Pin down a rock solid risk RACI
I can’t stress this enough. Below are some of the tasks that need role holders formally on the hook to make decisions. Without up-front agreement there will be an endless round of “it’s not me” or “JFDI” when exceptions are needed.
Who’s in the frame? Ask yourself who has skin in the game? Who will be first in line after an incident shouting “Who signed this off!?”. Who gets nailed professionally and financially if you get any of this wrong?
- Business risk appetite
- Default control requirements
- The authoritative supplier list
- Basis for triage of suppliers to decide scope
- De-scoping decisions
- Default security requirements in contracts
- Security due diligence approach and benchmarks
- Getting the work done within agreed timescales
- Signing off exceptions to default due diligence, contract contents and control
- Risk acceptance
4. Don’t over or underestimate scope – It’s all about risk
If your child came to serious harm it would be devastating. In corporate terms, a rough equivalent might be public disclosure and extensive media coverage of a breach significant enough to result in legal penalties or regulatory sanctions. However, most suppliers can’t cause that level of impact and those kinds of incidents are thankfully rare.
Many firms just assess security for big IT suppliers, ignoring others who have links into their network, or who handle confidential data. Yet others won’t do much of anything, relying entirely on trust.
If you have a large supplier population use your supplier relationship managers to help you triage on the basis of inherent information security, continuity or physical security risk. It needn’t be onerous. It’s possible with a 15 minute non-technical questionnaire. At this point it’s about;
- Who they are
- Where they are (differing international risks and data protection requirements)
- What they have of yours (data type, data quantity, data sensitivity, hosted kit, hosted people, access to your systems).
- What they do with it (hosting, developing, processing, transferring, storing, transacting, deleting)
What it’s NOT about at this stage is controls or control effectiveness. Most folk, to some extent, combine triage and assessment steps. I found that to be a false economy. Far better to descope low risk suppliers fast, then focus on what matters. The rate of good quality responses is far higher. You also end up with a rich database of high level risk data to inform resourcing, planning and prioritising supplier assessment effort.
When you have your list of riskier suppliers tailor assessments to be as relevant to specifics of the supply arrangement as possible and refresh your data on suppliers regularly, to pick up new deals and changes to risk profiles.
Conduct annual reviews of your benchmarks for the most and least risky suppliers and the controls you assess. Take into account new threats, laws or regulations and if that means a change to supplier assessment scope or controls, get that signed off by stakeholders.
5. Make the value added clear
Work hard to produce sensible and meaningful MI. Show people the risk reduction value they get for their money, but keep your limitations and dependencies front and center from day one.
- No-one can prevent ALL incidents
- Not all suppliers can be assessed
- Identifying risks doesn’t mean you own them – get that risk RACI out there!
- Suppliers can’t live with massive audits from all suppliers every year, it impacts their ability to operate
- It’s not reasonable to ask them to share everything. Ask yourself “What would I do?” when you look at evidence or access you’re requesting
- If problems are found, no-one can magic up an immediate solution – identifying problems is a positive result. Manage expectations about time to fix things
- The first turn of the assessment handle will turn up nasty surprises and it takes time to make wholesale improvements. It will take 3 to 4 cycles to fully understand the supplier population, cement good relationships with stakeholders, make processes repeatable, mitigate biggest identified risks and see a signficant improvement in across the board security
6. Accept nothing is perfect from day one
If necessary, build time into the contract for suppliers to bring their security into line with what’s needed. There’s never an out of the box fit, just like no child-minder knows your child as you need them to on that first day. Punishing suppliers for control weaknesses you should have identified through due diligence, breeds defensiveness.
Accept things take time to begin to work optimally and have a formal mechanism for the right people to accept a bit more risk while things mature. That effort and pragmatism sets the tone for the whole relationship and pays dividends when you have to deal with new risks, control requirements or incidents.
7. Things change
It goes without saying that your child-minder will have to adjust how they deal with your child as they grow up, interact with their environment differently and face new challenges and dangers. The same is true for 3rd party relationships. The nature and standard of security you need from suppliers is a constantly moving picture.
To keep supplier security on track with major suppliers, use the inputs and outputs of regular governance meetings (incident, KRI, KPI, risk assessment, threat intelligence and regulatory change updates) to inform any changes needed.
Set risk related triggers for other suppliers to get in touch e.g. new regulation, a reportable incident, significant changes they make to their control environment (those that can impact your operations, your regulatory/legal compliance or security of your data).
Without this, your initial due diligence will soon be worthless.
8. But what about cloud?
Cloud suppliers are not the dramatically different governance challenge people often make them out to be. Well, not if you focus on the right things.
Front ending your effort in the procurement process becomes vital. You rarely if ever get to poke around under the hood of a cloud offering when the service is up and running. If you start asking them to change controls just for you, you’ll soon bleed those attractive savings out of the deal.
Ask all your questions before you sign on the dotted line. Set in stone that they must contact you in defined sets of circumstances, like the risk related triggers discussed above.
Vitally, get proof they have a handle on any subcontracted connectivity or hosting arrangements. Your main contractor may have everything under control, but do they monitor for and get prompt updates about downstream availability and security issues?
9. Share problems
If you always get good news or don’t get any news from your supplier, it means your relationship is broken. You are not aware of your risks. An inexcusable position if a breach leads to a regulatory or legal investigation.
Correct that by pragmatically and promptly sharing output of your rolling and annual assessments. Work together to agree SMART remedial actions or to get a realistic decision about accepting some risk.
Don’t rely on annual effort to kick the tyres. Look for rolling MI about control operation and adequacy to cut down on the yearly audit pain for both of you. Just like you chat regularly with your child-minder, sharing updates and concerns to nip any issues in the bud.
Almost above all else, have a well-tested incident management process all parties sign up to and when post-incident dust settles always learn lessons.
10. Accentuate the positive
Open regular dialogue should always include talk of opportunities and achievements as well as performance issues, cost and incidents. It fosters a true sense of mutual interest in a good outcome.
And more generally…
Believe that no-one wants to provide an insecure product or service, but things WILL go wrong
There is nothing to be gained by thinking your suppliers are out to get you. Don’t be tempted to operationally hobble them with constant audits or attempts to micro-manage. Would constant interrogation of your child-minder prevent your child having an accident? Would your child be safer if you threaten to end your contract every time there’s a problem?
If something goes wrong, contracts help lawyers to repair your balance sheet, but won’t help you mitigate the impact of bad publicity and the loss of partner or customer confidence. What does make a difference is a supplier who will call you the minute something breaks, while implementing a tactical fix and supporting a joint investigation into root causes. What makes an even bigger difference is a supplier who will do that EVERY time. That happens when suppliers are secure in the knowledge that lessons will have to be learned, but there won’t be blamestorming and escalations that can put their contract renewal at risk.
When all’s said and done
There is no magic bullet to ensure your third parties operate compliantly, securely and productively. Up-front checks avoid nasty early surprises, formally written rules help to set expectations and good governance provides some comfort that things are still on track, but your first and last line of defense will always be the trust and honesty you build into your relationships.