Why Your Vendors Are Partners In Better Cloud Security
By Stephen Chen
In our new work-from-home reality, it seems that hardly a day goes by without news of a new cybersecurity incident at a major organization. Even though cybersecurity was top of mind with CTOs, CIOs and CISOs before the pandemic, the rapid shift to working from home accelerated risks in many organizations. In a recent report (download required), 60% of the more than 900 IT professionals surveyed found new security gaps in their defenses as a result of the shift to remote work. Almost a quarter believe their organization is at greater risk of cybersecurity threats than before.
Although IT professionals today are focusing much of their attention on mitigating the risks coming from the newly remote workforce, there is another area of risk that is potentially as great but easily overlooked. That area is your extended network of suppliers and, by extension, their suppliers. Your cloud security chain is only as strong as its weakest link. Viewed from a cybersecurity perspective, your cloud security posture depends on your entire supply chain, not just on the controls you operate yourself.
How Should You Focus On Third-Party Risk Management?
As an IT professional, you are often managing lots of different security activities on your own and relying on your supplier networks to do their jobs.
…management program, you will most likely find that many suppliers are out of compliance. What then?
Risk Mitigation: Carrot Or Stick?
When bringing suppliers into compliance, there are two ways to approach it:
1. The Stick Approach. This is very black and white. If a supplier doesn’t meet a security standard, they are out of luck. They can come back when they are up to standards. In some industries, such as defense or high-consequence industries, this may be the correct approach. However, for most businesses, this approach may be too draconian.
2. The Carrot Approach. This is a more realistic approach for most industries. Building reliable, trusting relationships with your vendors isn’t just good business, it’s good security. This is the approach that I typically recommend.
Here’s an example of how we’ve seen this play out in my current role. We have more than 150 suppliers and started our program with a median score of 700. Within a year after implementing a scorecard and a partner engagement strategy, our suppliers have been at a median score of 740 for the past three months, with only three suppliers that are outside our requirements. This 40-point jump across our collective supplier base is significant. This not only benefits us, but also our clients.
One thing to remember: Just as with your credit score, the higher the score gets, the harder it is to move it up. Our required rating of 740 is an attainable stretch goal that did require work on the part of our suppliers, resulting in a more secure framework. However, it’s not really about the score; it’s about the secure practices and partnership that get you to an advanced category.
Cybersecurity Is A Team Sport
In partnering with our clients, some have higher security standards. They push us. We work to meet and ultimately exceed those expectations. We want to do the same with our supplier network. Cybersecurity is a team sport. When you work together, everybody wins.
Just as clients may push you on your knowledge, you can bring your security learning and standards to your suppliers. You shouldn’t just look at it from what your clients need and what you need. You should also look at it from the suppliers’ point of view. How much work is it for your supplier to remediate an issue? How can you educate them? What’s the investment requirement so everyone can benefit? When you get the right balance, your suppliers will see it as a positive.
We are hearing positive feedback from our clients and suppliers. Suppliers appreciate the value of being able to tell other clients that they meet stringent requirements for cybersecurity. They also appreciate the collaborative process to help them understand the issues and remediate any gaps. For clients, the secure foundation makes it easier to streamline integrations, which leads to better analytics that improve insights into what’s going on in your company.
However you choose to approach developing trust between your organization and third parties, think of an old saying in the tech world: Look for partners, not vendors. It really is true. Developing partnerships to fix the weak links in your cloud supply chain offers far greater benefits than just security.