Do third-party vendors have a bullseye on their backs?

Kacy Zurkus | June 21, 2016
Third parties can be a security team’s best friend or worst enemy

Vendors, then, want to be able to highlight their position as trusted industry leaders. If security isn't embedded at the outset, are vendors really focused on designing trustworthy systems?

Edna Conway, chief security officer for Cisco’s Global Value Chain, said there are a number of things to think about when designing architecture from an end-to-end perspective. "'What is in my value chain?' is a question that will drive design and development, planning, sourcing mode, quality, delivery, sustainability, and end of life," Conway said.

Before you hire a vendor

David Kennedy, CEO of TrustedSec, recommends you get answers to these five questions before you hire a third-party vendor.

  1. What is the overall security program?
  2. What are they doing from an information security perspective?
  3. What specific standards or frameworks do they adhere to?
  4. What in the SLA states what their security needs to have in regard to protections, breach response, and communication?
  5. What is their source code review process?

Service providers need to think in a layered approach because security is a journey and a commitment. As Conway put it, "Most offerings are an ecosystem of cloud providers likely using two, three, five, or 12 other companies to bring these capabilities into being."

The shift to third-party vendors doesn't change the threat landscape that leaves every enterprise vulnerable to an outsider who gains unauthorized control over its network. Given the risks posed by malicious actors, from industrial competitors to nation states, who can cause physical or digital disruption and far greater damage, it is incumbent upon service providers to optimize and deploy a sufficient business model, said Conway.

"A clear architecture converges all on the same domain areas which include security domains, governance security, security in operations and asset management, security in incident management, security in service management, security in logistics and storage, security in the physical environment, and personnel security," Conway said.

Even for providers that are thinking in this layered, values-based way, personnel security will continue to be a weak link. For many employees, the road to breached hell is paved with good intentions. Alastair Paterson, CEO and co-founder at Digital Shadows, pointed out that many breaches are the result of human error.

When it comes to some services, there are so many different aspects of corporate data that are not tracked by the corporation that they don’t even know what is out there. "You can have contractors in working on any service you are contracting out for, and that causes a bit of a risk," said Paterson.

"A lot of what we see is inadvertent and accidental," Paterson said. He recounted an incident involving a big label bank, which many assume would have good security, that was using a third party to install a new ATM network. "It turned out that a contractor working at the supplier with the winning bid had backed up his whole laptop without realizing it, which made public all of the private information he had about the bank," Paterson said.
