Home  |  Sarah  |  Services  |  Blog  Contact

Tuesday, 03 Mar , 2015

A Proportionate Approach To Vendor Security Governance

Share this article

...a potential provider that brags about how comprehensive their due diligence is doesn’t “get it”— it’s about ranking risks and targeting resources where they are needed.

Megan--Cycle Canada Trip 721Traditionally, performing third party due diligence has been primarily a data gathering activity.
Now, with access to abundant information sources, the activity—and the challenges—have evolved. …a potential provider that brags about how comprehensive their due diligence is doesn’t “get it”— it’s also about ranking risks and targeting resources where they are needed.
In addition, not all “red flags” are created equal. Only a few kinds of red flags indicate the need for expensive analyst-led due diligence.
An integrated due diligence system must be able to distinguish between red flags and the level of risk each presents. Many can be analyzed and resolved without expensive and time consuming analyst-led due diligence reports.

Source: blog.volkovlaw.com
The quoted article is centered around a software solution, which I am neither condemning nor recommending. The link is here because the outlined risk based approach to scoping effort is absolutely in line with my thinking. It wasn’t an InfoSec focused article. InfoSec due diligence is it’s own ballgame…my ballgame.images (27)
Despite some huge challenges around choosing and ensuring an acceptable level of security protection when dealing with third parties, the cross over with more general vendor governance is obvious. Logistics and other supply chain approaches have been evolving over many many years (from the first moment a boss decided to get some other bloke to do something he couldn’t do for himself). This is therefore informed by much deeper experience than the supplier security governance knowledge pool.
It is hard to navigate the choppy waters of an as yet poorly defined discipline to find risk, business and cost focused solutions. A way to target scarce resources and build that secure co-operative relationship you need. It takes trial, error and stakeholder and risk management skills equal to (if not exceeding) your security knowledge. I’ve posted in detail about one perspective on finding a path through this mire here.
Your internal team will only get so many chances to get this right. Bringing the full range of operational, procurement, legal, risk, audit, C-suite and supplier stakeholders on-board is tough the first time, but virtually impossible the second or third.
It bears a significant amount of thought, as the risk posed to well secured businesses by their potentially less secure contracted third parties, isn’t going away.  And, let’s face it, everyone’s supply chain is getting longer and more complex the further we venture into the cloud.

Opinion: Paying to play with our personal data – is it ok?

We’ve migrated from ‘Hot or Not?’ to being held virtually hostage by many of the digital platforms we rely on today. In the midst of that a new processing paradigm has emerged. Myriad startups want to pay to play with your personal data. Can this tackle on-going...

In AI we will blindly trust…

...and the architects, designers, data scientists, and developers will think we are nuts I've been driven back to the blog to talk about one very specific aspect of privacy, data protection and Artificial Intelligence (exchange for Machine Learning or Algorithms as...

Data Protection, Security, and the GDPR: Myths and misconceptions #2

Welcome back! This is a shamefully delayed sequel to my first instalment of security themed GDPR thoughts: Data Protection, Security, and the GDPR: A fraught and fuzzy relationship. Here I look back again over my pre-privacy IT and InfoSec career to spot things likely...

Where and to whom does the GDPR apply?

Yeah, I doubted my sanity going at this one too, but here I am, because working out whether or not the GDPR would apply in different practical and geographical circumstances is proving harder than it really should...for everyone. This regulation has been my almost...

GDPR – You’ve analysed the gaps, but can you close them?

  There is a critical gap for most firms: An inability to interpret and leverage gap analysis, data discovery, and mapping output to actually implement technical data processing change. This article is about the challenges most large firms are facing when trying...

GDPR – The Compliance Conundrum

There is one question related to the General Data Protection Regulation that will arguably cause more ulcers than any other: How much is enough? In some portions of the GDPR 'good' is straightforward. In many others we are asked to respect principles of fairness and...

Opinion: The role of automated data discovery in a GDPR programme

Do you have any online profiles or posts featuring those 4 magic characters: G D P R? If so, whether you are a business decision maker, IT body, security body, charity boss, employed data protection pro, or job seeking data protection pro (less and less likely), you...

When Business Culture Eats Cybersecurity For Breakfast – Part One

A four-part story of budget cuts, blamestorming, breaches and massive bumps in the road to mature security. Wild Speculation & IT Transformation Do you remember Nick Leeson? On February 23rd 1995 he sent a fax telling bosses at Barings Bank he was ill and wanted...

Cyber Insurers Dictating Cybersecurity Standards?

A run down of the key challenges with choosing and using cyber insurance called out in the last few months. It looks entirely possible you will have 'adequate' security dictated by your insurers, so it is your job to understand the risk based yardstick they're using...

There Is No Such Thing As Information Security Risk

Having worked in IT and Information Security for 13 years, I've come to the conclusion that there is no such thing as information security risk. There are just business risks that have one or more security or IT related causes. There is a fundamental and persistent...