Enterprises are learning a hard lesson – one that’s not formally taught and one that many IT and security managers are not even aware of. It’s the reality of being responsible for information systems that, behind the scenes, are managed or overseen by someone else. From applications in the cloud to firewalls on your internal network, odds are that a third-party vendor has a hand in administering certain systems or aspects of those systems. They may only be monitoring uptime. They could be looking for and analyzing security alerts. Or their oversight could go as deep as managing security for the entire system. This is all well and good until you realize that they may not be providing the level of due care and diligence that you would if it were your own system.
As a security consultant, I’m hearing about and seeing this situation more and more with my clients. In many cases, the businesses impacted were under the assumption that everything security-related was being taken care of and that all was well with the system. However, some have observed casually, and others have found out the hard way through security incidents, that although proper care and oversight were presumed, they were largely absent. And most likely there’s no SOC 2 audit report or security questionnaire clean enough or credible enough to keep bad things from happening to your systems when they’re managed by someone else.
I don’t think you can ever fully eliminate this security risk, but there are steps you can take to eliminate the low-hanging fruit and ensure that your business is not impacted in a negative way. First, take an inventory of outsourced systems. Second, understand exactly what these third parties are committing to. Are they truly hitting the mark, or are they leaving risk on the table? Third, determine how they are being monitored or audited. Will you know when they are falling behind and creating unnecessary risks for your business? Or are non-IT/security executives, administrators, or even your legal team in charge of that side of the house?
These questions must be answered honestly and promptly. Do it now. Make this type of review part of your overall vendor security management program. Perform it on an ongoing basis, at least annually. Get others involved. This is an IT-centric challenge but, given what’s at stake for the business, it’s a perfect opportunity to get your security committee involved. If you don’t have a committee, establish one and take this on as your first project.
It’s important to remember that no one is ever going to care for the security of your environment as much as you will. Sure, you may have policies, contracts, and SLAs in place but, at the end of the day, no documentation is going to make you secure. Nor will it be your vendors on trial if things go wrong. Instead, it will be your business and its reputation. As much as anything else in IT and security, it’s your job to protect this reputation as much as you reasonably can – well in advance.