CISO Spotlight: Context in Your Third-Party Security Process
When it comes to third-party vendor security assessments, one size does not fit all.
Not every vendor should necessarily receive the same questionnaire or be given the same weight as other vendors. A vendor that brings paper to the office should not be assessed the same way as one that integrates with your IT systems. The business and technology relationship sets the context, and the context defines the level of security.
To better understand the context of the business and technology relationship, organizations should be sure to consider the following:
Champions before vendors.
Many vendor security questionnaires naturally address the vendor; however, they overlook a very important stakeholder: the internal business owner, or champion. The person responsible for hiring or introducing the vendor to the organization should be the first to provide context and background information on any vendor security questionnaire. Which tasks will the vendor be performing? How are these tasks done today? How many users and business units are involved? The answers to these questions should be discussed before moving forward with procurement.
Which data is involved.
This is one of the most obvious and important considerations: For a vendor to perform a task for your organization, it’s important to establish what type of data will be shared and why. Will the vendor have access to your customer information and/or IT systems? How about regulated data such as PII, PHI or CHD? The type of data that is shared will help determine the context, the risk and the required level of controls for the business and technology relationship.
How the data flows.
This is another consideration that is sometimes overlooked, despite its significance: how data will travel between your organization and the vendor. Will the vendor access your organization’s data once, or will there be constant sharing of data? Which protocols are involved? What does that mean for users and for the IT team? The level of third-party risk is directly affected by the way data flows.
What you’re using the data for.
It’s a mistake to assume that your organization’s data will never be used for purposes or objectives that were not agreed upon in the services agreement. You should clearly stipulate how the data may be used and whether it may be shared beyond the scope of the agreed services.
Who will have access.
While many vendors make use of cutting-edge computing technologies such as AI, machine learning and deep learning, humans are still part of the process for any third-party vendor. The more humans are involved, the more the risk increases. The human factor must always be considered when assessing the cyber posture of an organization. Make sure to ask how many people are going to be able to access your data and which controls are in place to reduce the risk of leakage or misuse.
Which other vendors are involved.
Vendors work with other vendors, better known as fourth-party vendors. The more vendors your vendors are connected to, the greater the risk. That’s why it’s important to be able to discover these supply chain relationships and understand the risks they may entail, including security, business continuity and regulatory risks.
By considering these key points, organizations can better determine the business and technology relationship they have with the third-party vendor. Understanding this context will affect how the vendor’s cyber posture should be assessed.
Want to learn more about third-party security and context-based cybersecurity ratings? Contact Panorays today.
Ron Peled is founder of ProtectOps Security Business Enablement and former CISO of LivePerson, Inc.