How Vendor (3rd Party) Security Assessments can help you build a better security program
By: Justin Fimlaid
Are you thinking about Vendor (3rd Party) Security Assessments? Aspirations to build onto your Vendor Security Assessment program? Why wouldn’t you? You go through all the effort to secure your own business or corporation, only to send your data to a trusted third party and have them lose it for you. Or better yet, your Vendor gets breached and becomes a pivot point from which bad guys can hop onto your network; case in point, the famous Target breach.
Vendor Security Assessments are usually an area for improvement for most security shops. However, those same security shops barely have enough security bodies to put out internal fires, never mind assessing the security posture of Vendors. Because of this, I often see Vendor Security Assessments passed over by Security teams, or they only conduct a “kick the tires” type of assessment.
Vendor (3rd Party) Security Assessments are very important, and more importantly, they help you build a better enterprise security program. Here’s how they help you build a better Security Program:
- Vendor Security Assessments are best done BEFORE you establish a vendor relationship. Once your vendor has a signed contract and is connected to your network or sharing data, it’s going to be very hard to get them to self-select the correct security behaviors, especially if security investment is involved. In order to do a Vendor Security Assessment before a vendor relationship is established, a Security team should be establishing relationships with their business peers so that those peers include Security during business and contract negotiations. Often this is an opportunity to ensure your vendors make the proper security investments and are good custodians of your data BEFORE a contract is signed. This is a fantastic way to drive awareness of security throughout the company and to establish the relationships that push the security agenda forward.
- Vendor Security Assessments get people talking about risk management. If you’ve done a security assessment before, you know there are always findings. Sometimes those findings are cost prohibitive for your vendor to fix, but you still need them to do business. This gets people talking about risk, finding a common definition of risk, and discussing how much risk they’d accept in order to do business. If Security is tied into your Enterprise Risk Management Program (and it should be), the practice of talking about risk will absolutely up-level the quality of Enterprise Risks once you give everything time to soak in.
- Security Assessments always have findings. If you are doing Vendor Security Assessments, you should be conducting some remediation activities and following up to make sure your vendors remediate security deficiencies. This is good for a couple of reasons: namely, it lets your vendors know your company takes security seriously, and it’s also good practice for Security staff to work on the various soft skills that make them great Security Operators.
- Vendor Security Assessments can be complex. Conducting security assessments of vendors and partners can be very involved, and no matter how mature a checklist you have, there’s always a twist or an interpretation required for a security control. This makes for stronger in-house Security Analysts and Security Engineers, and when the time comes for them to assess internal designs or submit security requirements, they will be more proficient at the task from having extensive Vendor Security Assessment experience.
Vendor Security Assessments are hard to do well. Let’s face it: in most cases your Security team needs to get out in front of fast-moving business peers who have their own business goals and don’t want to slow down or wait for a Security Assessment of the Vendor and any remediation time. For small Security teams in large organizations, this is akin to chasing a bear with a BB gun. At the end of the day, the most important thing is that you look at the Security of your vendors and partners: they can lose your data, violate your privacy policy, and violate your compliance standing. To do this right means you’re driving awareness within your organization to self-select the correct security behaviors and developing your internal staff so they can do the other parts of their job better.
If you need help with Vendor Assessments NuHarbor Security has solutions to help! https://nuharborsecurity.com/vendor-assessments