Are you seriously going to ask your milkman the same security questions as your network hosting partner?
Of course not. But between those extremes, companies have a world of pain working out how much vendor and change assurance is enough.
- Have you got a robust risk-based way to identify suppliers and projects most able (or most likely) to cause material impact if poor security control leads to a breach?
- Are your security governance and due diligence processes mature and proactive? Never driven by last-minute demands for ultra-rapid assessment, never-ending audit points, or other constant challenges about budget, effectiveness and value-add?
- Are you comfortable that you know about all the suppliers your business is using and projects that need security engagement?
- Are you sure you are making the right amount of assurance effort to assess the ones you do know about?
- Do you have board support for what you are doing and do board members take a pro-active interest in your reports and the risks raised?
- When a vendor or change security risk is raised, is there a defined risk owner to go to?
- Are risk owners in IT and Security, or in senior management, and do they formally accept accountability for decisions to bypass security due diligence or leave identified security risks unmitigated?
Where are you now?
How do you choose which change projects, websites, systems or suppliers to assess? The ones you can catch before the deal is done? The ones you can assess before the change goes live? The ones that ‘feel’ biggest based on politics, spend or complexity? Then, after assessment, does someone always put their hand up to be accountable for fixing identified vulnerabilities, or accepting risks (if a fix is not cost-effective or strategically desirable)? Are you confident risks are understood and gaining the necessary visibility?
No-one disagrees that back-filling security can be orders of magnitude more expensive than building it in, but cost and time pressure frequently trump consideration of potential future loss. The upshot is business development at the expense of security. After a few years of that you will have layer upon layer of stacked vulnerabilities and broken or immature processes just waiting to enable a breach.
Do these challenges sound familiar? I know these are hard realities for many small, medium and large firms. The remainder of this post focuses mainly on vendor security assurance, but every point can equally be applied to change assurance.
Most security assurance program disasters can be put down to poor scoping choices
Typically one or more of the following will hijack people:
- In-scope entity numbers. Frequently starting with a small scope. Assessing too few entities to usefully mitigate the overarching risk, then (often after a nasty audit finding about process adequacy), tipping over towards too big a scope to sustainably assess.
- Control numbers. I have seen due diligence questionnaires with over 1,000 questions going into minute technical detail about control specifics. This may seem robust, but the rate and quality of responses renders this almost useless.
- Depth of assessment. If you take responses provided by assessees entirely for granted, you may as well not bother asking the questions. On the other hand, who can afford to do a full design adequacy and over-time operational effectiveness test for each control that applies to each in-scope entity? No-one, and the inherent risk most entities can cause doesn’t justify that level of rigor. That cost/benefit balance needs to be carefully struck.
So, how do you answer that “how much is enough” question?
In the beginning…
…there’s risk-based scoping
It is one of those activities that kind of ‘happens’ when planning assurance effort. You say assurance effort will cost THIS much. Your budget holder says they’ll only pay THAT much and suggests you just look at your ‘most critical’ suppliers. But what are your ‘most critical’ suppliers? Come to mention it, what the heck do you mean by ‘Critical’? Off you toddle and get a top (usually spend rather than risk based) suppliers list from Procurement, then draw some kind of line on it to section off the number of suppliers you can afford to assess. Next thing you know, something has gone wrong with one of the suppliers you didn’t assess.
Remind me (says a regulator, auditor, or board member), why didn’t you assess that supplier? Budget you say? That’s no excuse. You should have explained there was a risk justifying more spend. The board can’t be held accountable if you didn’t explain the risks…and who agreed to that definition of ‘Critical’ anyway?
Triaging professionally and triaging early should be a top strategic priority for any GRC programme. If done right, with proper stakeholder consultation, it will quickly and continuously:
- Provide an aggregate view of inherent risks to inform priorities for next steps
- Give a defensible justification for leaving entities out of scope
- Enable effective resource modelling and budget management
- Facilitate security engagement at the earliest stages of change and supplier selection processes
- Foster stakeholder buy-in and robust management of identified risks
More on triage, resource modelling and governance
Other things a mature risk- and business-centric process does:
- Identify current gaps in security assessment coverage and effectiveness
- Clarify who the right stakeholders are to scope, triage, facilitate and govern proposed work
- Aid creation of a risk RACI to ensure efficient definition, quantification and management of relevant risks
- Point to a rational risk appetite as basis for selecting critical entities
- Quickly and relatively painlessly (if done smartly) triage existing entities based on inherent data security, continuity, recovery, card handling, physical security, or other headline corporate risks.
- Feed into resource modelling to move away from reactive engagement and towards medium term planning for effort and required budget
- Enable engagement at the earliest possible stage of your existing procurement, change management, risk assessment and compliance management.
- Improve focus and speed delivery for strategic security priorities (be that taming ‘Cyber’ risks in general or ensuring compliance with PCI DSS, SOx, ISO27k, Cyber Essentials, Internal Policy, Data Protection etc etc).
- Flag ways to update and streamline security assessment and compliance management activity, or, if you are yet to put something in place, help choose a cost effective solution that works for your specific needs (e.g. how much could you save on risk software licensing if you knew 40% of your entities could be descoped up front?).
- Add enormous value to comms and awareness sessions and help to maximize buy-in for short, medium and long term security assurance objectives.
One game changing result: You can prove you have managed security risks for your WHOLE supplier population…even your milkman…
- If you asked whether they do anything that can cause the business any risk.
- If someone formally accountable for overseeing catering suppliers answered ‘No’.
- And if you made a note of that activity.
That, for all suppliers, is doable. I’ve seen it work.
This looks like a gold-plated solution to me
This is not gold-plating, it is an utterly vital part of any assurance activity. Something every firm should have in place in order to grow securely. A sensible approach can scale to cater for any size organisation. In fact, if you start off on the right foot, you won’t face many of the challenges FTSE100 firms are grappling with right now.
They have accumulated legacy infrastructure and lost track of risks accepted to expedite growth. This methodology can re-inject sound risk management, but (depending on quality and coverage of historical assessments), things discovered can paint a disturbing picture after the first turn of the handle. Problems cannot be solved until you know they exist and each future cycle will see an improvement in baseline security, but managing expectations is critical to ensure on-going support to allow processes to mature. That’s why your approach must divide effort equally between stakeholder management, strategy and process.
So that was a pretty long-winded way of saying: You can’t plan supplier or other security governance work without understanding your risks. What qualifies me to go on about this? About 8 years with supplier and change security as a part of my day job and 3 with supplier security as my sole focus.
If you would like help to plan a similar approach, or want an independent perspective on your security assurance processes, do get in touch.
And it’s not just triage I say can’t be done without good risk insight. It’s also impossible to provide your board with any useful reports on supplier or change security failings without using risk (they’re non-compliant, but so what? Is it a deal breaker or of no real concern?)…but that is a subject for a whole other post (or four).