No one could have imagined that vendor connectivity would be exploited and go unnoticed for several months, causing numerous attacks on enterprises with state-of-the-art security. Very few risk management programs would have accounted for such a risk, which is not only high-impact but also hard to predict—what philosopher-epistemologist Nassim Nicholas Taleb calls a “black swan,” in reference to the fact that Europeans once “knew” that all swans were white—until explorers in Australia discovered black swans.
The question then arises: What should have been done to prevent, or at least detect, such an attack? The responsibility typically falls on risk management teams, who ideally should have identified such risk factors for treatment. Conventionally, enterprises onboard their IT vendors only after a security due diligence process. It is vital that the same process is applied to all vendors, regardless of the services they provide. The most desirable outcome of such an exercise is an understanding of the security risk that the enterprise faces in day-to-day business.
This process may face challenges, including:
- Lack of a clearly defined vendor management policy that establishes security in outsourced services;
- Unavailability of vendors and vendor information at a central location;
- Unclear/undefined responsibilities in vendor contracts for security processes and audits;
- Absence of a periodic review mechanism.
A well-defined vendor security policy that provides executive oversight, a vendor stratification strategy, defined assessment types, a reporting mechanism and the required resources will pave the way for effective vendor governance from a security standpoint.
In the world of cybersecurity, professionals often say that “100% security is a myth.” This may be true, but a sufficient degree of governance, monitoring and management can certainly help in analyzing and addressing the security risk factors that arise from outsourcing.
Read Dipti Patel’s recent Journal article:
“Vendor Risk Management Demystified,” ISACA Journal, volume 4, 2015.