Wednesday, September 15, 2021

How To Take A Kindler, Gentler Approach When Vetting Out Cyber Vendors

In the business world that we live in today, we have become much more dependent upon external third parties to help us get our products and services out on time to our customers.  Gone are the days when everything would be done in house, and really, it is the digital transformation that is happening upon us which has thrust us into this new way of doing business.

Also, gone are the days when you could simply hire another business.  Given how the Cybersecurity threat landscape has evolved today, one has to be extremely careful when entrusting somebody else with your processes and operations.  In fact, this is a huge topic in the Cyber world, and I have even written a few articles about it.

Obviously, you want to scrutinize very carefully whom you could potentially be working with, but at the same time you don’t want to grill them to the point where they get turned off and simply don’t want to do business with you because of the aggressive stances that you are taking.  There is a kinder, gentler way to build up those all-important business relationships, and here are a few pointers:

*Hit upon the key components:

When you are vetting out a potential third party with whom you are interested in working, there is a strong temptation to give them the proverbial 3rd degree.  But stay away from that.  There will be a time and place when you will be doing a deeper dive into the way they conduct business, especially from the standpoint of Cybersecurity.  But first, as the title of this subsection implies, focus upon the important things first.  This means getting to know the people at this third party with whom you will potentially be dealing, and understanding how they do business with others.  But most importantly, engage in conversations with those people who will be handling and processing your confidential data, especially when it comes to the Personally Identifiable Information (PII) datasets.  You need to feel comfortable working with them, and they need to feel likewise with you.  Once you have some sort of connection established, then you can do that deeper dive into how they conduct their Cyber practices, and more importantly, what steps they will take to help safeguard the information and data that you will be entrusting them with.

*You are not alone in this process:

Very often, business owners, especially the SMB ones, tend to feel uncomfortable at first when trying to interview those external third parties that they want to work with.  This is perfectly understandable, and keep in mind, you can get help with this.  For example, as you engage in conversations, you can have your attorney present, or even have other members of your IT Security team present with you as well.  Or you can even create a special advisory board and have them present as well.  In hindsight, this is probably the better approach to take, as two (or more) heads are better than one in order to gauge how a potential relationship could possibly work.

*Get a holistic picture of what their infrastructure looks like:

To be honest, the world of Cybersecurity has become extremely complex, and in fact, a very difficult one to deal with.  This is not only triggered by the threat variants that are bombarding businesses on a daily basis, but also now one has to deal with all of the nuances of the data privacy laws such as the GDPR and the CCPA.  If you are not compliant, you could face some very serious audits and penalties in the process.  But to make matters even worse, if you hire an external third party and they are hit by a security breach that has impacted your PII datasets, you will be held responsible, not them.  So in this regard, once your connections have been solidified enough, you will need to do that deeper dive into what their IT and Network Infrastructures look like.  But yet once again, you need to take a soft and gentle approach into this as well.  After all, you will now be probing into them, and there could be reservations even here as well.  So what are some of the steps that you can take?  Well, one approach is to use the survey, or questionnaire, approach.  Obviously, coming up with something like this from scratch is an extremely difficult task, but there are options out there.  For example, you have what is known as the Cloud Controls Matrix, aka CCM.  This is a template that you can use to judge just how secure the Cloud based environment of your potential third party vendor is, especially if they are going to store your stuff in there.  The link to this is:

https://cloudsecurityalliance.org/research/cloud-controls-matrix/

The other is the Standard Information Gathering template, aka SIG.  This template is broken down into different questionnaire sections which include the following:

*Data storage and encryption;

*IAM;

*Cyber controls;

*Procedures for Incident Response/Disaster Recovery/Business Continuity.

The link for this is:

https://sharedassessments.org/sig/
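To show how a questionnaire like the two above turns into a decision rather than a pile of yes/no answers, here is an added example that is not part of the original post and does not reproduce any SIG or CCM content: the questions, their weights, the "gating" flags and the 80% threshold are all constructed for illustration, using the four section headings listed above. The point it demonstrates is that a few controls (encryption of PII, MFA on accounts that reach your data) should block onboarding outright no matter how good the rest of the score looks, while everything else becomes a follow-up list you can discuss with the vendor in that softer tone.

```python
"""Constructed third-party questionnaire scoring (not the SIG or CCM themselves).

Each question belongs to one of the four sections the post lists. A "gating"
question is one where a "no" blocks onboarding regardless of the overall score.
"""
from collections import defaultdict
from dataclasses import dataclass

SECTION_DATA = "Data storage and encryption"
SECTION_IAM = "IAM"
SECTION_CONTROLS = "Cyber controls"
SECTION_IR = "Procedures for Incident Response/Disaster Recovery/Business Continuity"


@dataclass(frozen=True)
class Question:
    qid: str
    section: str
    text: str
    weight: int = 1       # points earned when answered "yes"
    gating: bool = False  # a "no" (or missing answer) here blocks onboarding


# Constructed questionnaire; the wording and weights are illustrative assumptions.
QUESTIONNAIRE = [
    Question("DS-1", SECTION_DATA, "Is client PII encrypted at rest?", 3, gating=True),
    Question("DS-2", SECTION_DATA, "Is TLS enforced for all client data in transit?", 2, gating=True),
    Question("DS-3", SECTION_DATA, "Is there a documented retention and deletion schedule?", 1),
    Question("IAM-1", SECTION_IAM, "Is MFA required on every account that can reach client data?", 3, gating=True),
    Question("IAM-2", SECTION_IAM, "Are access reviews performed at least quarterly?", 2),
    Question("CC-1", SECTION_CONTROLS, "Are security logs centralised and retained for 90+ days?", 2),
    Question("CC-2", SECTION_CONTROLS, "Is vulnerability scanning performed at least monthly?", 2),
    Question("IR-1", SECTION_IR, "Was the incident response plan exercised in the last 12 months?", 2),
    Question("IR-2", SECTION_IR, "Is there a contractual breach notification commitment to clients?", 3, gating=True),
]

PROCEED_THRESHOLD = 80  # constructed policy: below this, onboarding needs a remediation plan


def evaluate(responses):
    """Score a dict of {question id: "yes" | "no" | "n/a"}.

    Missing answers count as "no" so an incomplete questionnaire cannot pass by
    omission; "n/a" answers are excluded from both numerator and denominator.
    """
    earned = defaultdict(int)
    possible = defaultdict(int)
    gating_failures = []
    follow_ups = []

    for q in QUESTIONNAIRE:
        answer = responses.get(q.qid, "no").strip().lower()
        if answer == "n/a":
            continue
        possible[q.section] += q.weight
        if answer == "yes":
            earned[q.section] += q.weight
        else:
            follow_ups.append(q.qid)
            if q.gating:
                gating_failures.append(q.qid)

    sections = {s: round(100 * earned[s] / possible[s]) for s in possible}
    total_possible = sum(possible.values())
    overall = round(100 * sum(earned.values()) / total_possible) if total_possible else 0

    if gating_failures:
        decision = "blocked"
    elif overall >= PROCEED_THRESHOLD:
        decision = "proceed"
    else:
        decision = "proceed with remediation plan"

    return {
        "sections": sections,
        "overall": overall,
        "gating_failures": gating_failures,
        "follow_ups": follow_ups,
        "decision": decision,
    }


# Constructed sample responses from a hypothetical vendor (not real data).
SAMPLE_RESPONSES = {
    "DS-1": "yes", "DS-2": "yes", "DS-3": "no",
    "IAM-1": "yes", "IAM-2": "n/a",
    "CC-1": "yes", "CC-2": "no",
    "IR-1": "yes", "IR-2": "yes",
}

if __name__ == "__main__":
    result = evaluate(SAMPLE_RESPONSES)
    for section, pct in result["sections"].items():
        print(f"{section}: {pct}%")
    print(f"overall: {result['overall']}%  decision: {result['decision']}")
    print("follow up on:", ", ".join(result["follow_ups"]) or "nothing")
```

Because "n/a" is dropped from the denominator, a vendor cannot inflate a section score by answering "n/a" to hard questions; you would review those separately. Flipping a single gating answer (for instance IAM-1 to "no") changes the decision to "blocked" even though the overall percentage stays well above zero, which is the behaviour you want when PII is at stake.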

My Thoughts On This:

So here are some quick tips that you can use to make the vetting process a much friendlier one.  You should avoid taking a hardline stance at all times, because if something goes wrong, you and your third-party vendor will have to work hand in hand together.  By taking the softer and gentler approach, they will in the end be much more amenable to working with you.

Just like anything else in business, it’s all about building those relationships, even when it comes to vetting out new partners that you need to work with.
