Every IT manager knows that cybersecurity is a community effort. If a vendor's product develops a vulnerability, your company cannot prevent an attack if you're are unaware and unequipped. The risk of third party security and data protection breaches grows exponentially as companies add vendors and business partners. Vendor security is becoming so important that almost 50% of respondents to a 2017 451 Research poll said their company would be willing to pay extra for a guarantee of better security from a vendor.
"Sixteen months ago, I was head of Uber Global's compliance, and I was talking about this third party security and data protection risk with other company compliance heads of companies like Twitter and Dropbox in a roundtable discussion," said Ken Baylor, president of the Vendor Security Alliance. "We concluded that none of us had a good way of measuring or containing the risk, and so the question was how could we fix this?"
Baylor said that this initial roundtable meeting was instrumental to the birth of the VSA, a non-profit alliance of leading tech companies with the goal of making the internet safer for everyone
"The group benchmarks the cybersecurity practices of vendors to ensure that they have adequately protected data," said Baylor. "It is comprised of companies committed to improving internet security, including Airbnb, Dropbox, Atlassian, Docker, GoDaddy, Palantir and Square."
SEE: IT leader's guide to optimizing vendor relationships (Tech Pro Research)
VSA assists these and other joining companies with auditing the security and data protection practices of their vendors. As vendor audits are completed, the VSA maintains them in a central library. This enables participating members to access these vendor audits—and it eliminates the need for these companies to separately (and very expensively) have to audit these vendors on their own.
In November, TechRepublic's sister site, ZDNet, reported that the VSA updated their auditing system to be GDPR-compliant, as well.
"The main focus of the questionnaire is to protect data no matter where it is," said Baylor. "The questionnaire asks the vendor very simply what type of data they handle, and makes sure they have appropriate controls for that type of data. For example, an email newsletter service that collects email addresses would have a lower bar than a service doing financial transactions that collect credit card numbers. Companies can leverage this questionnaire to measure and mitigate vendor risk, ensuring the appropriate controls and sound practices are in place at the businesses with whom they partner."
Developments like this are important for any IT managers who are tasked with policing not only their own companies' security and data protection practices, but those of their vendors and their business partners.
What steps should managers take now?
If you're auditing your vendors, continue what you're doing
The angst and the publicity surrounding events like the WannaCry attacks and Equifax security breach have inspired many companies out of fear to tighten up their security and data protection practices—and to start investing time and money into more closely auditing their vendors' practices in these areas. These efforts should continue.
SEE: Ethics policy: Vendor relationships (Tech Pro Research)
Start auditing vendors and business partners
The process begins with listing all of the vendors and business partners that you use, and then reviewing files to see which have provided you with audits of their security and data protection practices, along with indemnification clauses in contracts in event that there is a security or data breach.
Consider joining an organization like the Vendor Security Alliance.
According to Baylor, the membership fee is $10,000 per year. If your company can afford the fee, it is likely to earn most of it back from the savings it gets from access to vendor audit reports that have already been filed by the alliance and/or other member companies—because hiring an outside auditor to audit myriads of vendors and business partners is expensive. It can easily get into six figures for companies with extended supply chains and supplier networks.
SEE: How to choose and manage great tech partners (free PDF) (ZDNet/TechRepublic special report)
Consider having a vendor audit conducted on your company
For $1,200, you can have an audit done on your company that goes into the VSA database and will be available to VSA members. The investment may be worth it because you will have a clean audit report on file that others can reference—and that could mean the difference between a company doing business with yours, or not.
- Vendor Security Alliance scales up efforts, aims for faster vendor vetting (ZDNet)
- Is it time to have that confrontational meeting with a poor vendor? (ZDNet)
- UpGuard intros risk mitigation platform to boost vendor oversight (ZDNet)
- 5 best practices for managing vendor contracts at SMBs (TechRepublic)
- 5 best practices for reducing third-party vendor security risks (TechRepublic)
Mary E. Shacklett is president of Transworld Data, a technology research and market development firm. Prior to founding the company, Mary was Senior Vice President of Marketing and Technology at TCCU, Inc., a financial services firm; Vice President of Product Research and Software Development for Summit Information Systems, a computer software company; and Vice President of Strategic Planning and Technology at FSI International, a multinational manufacturing company in the semiconductor industry. Mary is a keynote speaker and has more than 1,000 articles, research studies, and technology publications in print.