In the business world that we live in today, we have become much more dependent upon external third parties to help us get our products and services out to our customers on time. Gone are the days when everything was done in house; it is the digital transformation happening around us that has thrust us into this new way of doing business.
Also gone are the days when you could simply hire another business. Given how the Cybersecurity threat landscape has evolved today, one has to be extremely careful when trusting somebody else with your processes and operations. In fact, this is a huge topic in the Cyber world, and I have even written a few articles about it.
Obviously, you want to scrutinize very carefully whom you could potentially be working with, but at the same time you don't want to grill them to the point where they get turned off and simply don't want to do business with you because of the aggressive stance you are taking. There is a kinder and gentler way to build up those all-important business relationships, and here are a few pointers:
*Hit upon the key components:
When you are vetting a potential third party with whom you are interested in working, there is a strong temptation to give them the proverbial third degree.
But stay away from that. There will be a time and place for a deeper dive into the way they conduct business, especially from the standpoint of Cybersecurity. But first, as the title of this subsection implies, focus upon the important things. This means getting to know the people at this third party with whom you will potentially be dealing, and understanding how they do business with others. Most importantly, engage in conversations with the people who will be handling and processing your confidential data, especially when it comes to Personally Identifiable Information (PII) datasets. You need to feel comfortable working with them, and they need to feel likewise with you. Once you have some sort of connection established, then you can do that deeper dive into how they conduct their Cyber practices and, more importantly, what steps they will take to help safeguard the information and data you will be entrusting to them.
*You are not alone in this process:
Very often, business owners, especially SMB ones, tend to feel uncomfortable at first when interviewing the external third parties they want to work with. This is perfectly understandable, and keep in mind that you can get help with this. For example, as you engage in these conversations, you can have your attorney present, or other members of your IT Security team with you as well. You can even create a special advisory board and have them present too. In hindsight, this is probably the better approach to take, as two (or more) heads are better than one when gauging how a potential relationship could work.
*Get a holistic picture of what their infrastructure looks like:
To be honest, the world of Cybersecurity has become extremely complex, and in fact a very difficult one to deal with. This is triggered not only by the threat variants bombarding businesses on a daily basis, but also by the nuances of data privacy laws such as the GDPR and the CCPA, which one now has to deal with as well. If you are not compliant, you could face some very serious audits and penalties in the process. To make matters even worse, if you hire an external third party and they are hit by a security breach that impacts your PII datasets, you will be held responsible, not them. So in this regard, once your connections have been solidified enough, you will need to do that deeper dive into what their IT and Network Infrastructures look like. But yet again, you need to take a soft and gentle approach to this as well.
After all, you will now be probing into them, and there could be reservations here as well.
So what are some of the steps you can take? One approach is to use a survey, or questionnaire. Obviously, coming up with something like this from scratch is an extremely difficult task, but there are options out there. For example, there is what is known as the Cloud Controls Matrix, aka CCM. This is a template you can use to judge just how secure the Cloud based environment of your potential third party vendor is, especially if they are going to store your data in there. The link to this is:
https://cloudsecurityalliance.org/research/cloud-controls-matrix/
The other is the Standardized Information Gathering questionnaire, aka SIG. This template is broken down into different questionnaire sections, which include the following:
*Data storage and encryption;
*IAM;
*Cyber controls;
*Procedures for Incident Response/Disaster Recovery/Business Continuity.
The link for this is:
https://sharedassessments.org/sig/
My Thoughts On This:
So here are some quick tips that you can use to make the vetting process a much friendlier one. You should avoid taking a hardline stance at all times, because if something goes wrong, you and your third-party vendor will have to work hand in hand. By taking the softer and gentler approach, they will in the end be much more willing to work with you.
Just like anything else in business, it's all about building those relationships, and that holds even when it comes to vetting new partners you need to work with.