Partner risk: Worrying about and being the risk
- Posted on June 4, 2021
Supply chain risk is all the rage now thanks to recent attacks, and I’ve spoken for years about the risks that 3rd parties and vendors could pose. In a similar boat, your business may own other businesses that are not fully integrated (i.e. subsidiaries) and you worry about them, just as one may worry about a new acquisition or divestiture from the M&A team.
What this comes down to is what I’m going to call “Partner Risk.” While these situations are each unique in some way, at the core the same thing is and should be happening: You want to know if you are at risk because they are, or more accurately - how much risk they are bringing.
You may have a systems acquisition process that involves Information Security looking at stuff before it’s bought and turned on, but does everyone follow that? Are there controls in place to identify if someone doesn’t? As a partner, it’s likely you will have received a request to answer 100s of questions about your security posture so that your customer will continue to be your customer, and it’s likely this has driven some new controls and policies you’ve had to put in place in the name of revenue. Some may even require an external audit or costly certification.
There are two sides to this: you worrying about the risk and you being the risk. At any given time, you could be filling either (or both) shoes. Let’s talk about you being the worrier first… The obvious ones here, like Target and SolarWinds, show just how impactful a gap in your partner risk governance program can be. There are even more subtle issues to consider. Does your ecosystem allow people to procure systems/vendors without the involvement or sign-off of the CISO office? Are all of your compliance requirements laid out when a new partner is considered, and are there checks and balances to ensure it happens? If not, do you have a way to identify if someone has spun up a new system, or let a new HVAC company install technology on the network? Has anyone evaluated that partner’s security state? Has that small business that custom made that new SaaS application done a pentest? Do they know what secure code is? Do they have your regulatory requirements?
Now, do you have asset management in place so there are owners of these partners and their data flows? Do you have people and processes to manage this compliance? Do you have a framework that your partners need to adhere to? Is it in their contract? What if they sign it and are in violation? What if they are the reason you get breached - is that covered in there? What is their relative risk? Are you lumping all your vendors into one big questionnaire and set of requirements? Is that the best way to manage them?
Now that you have thought about all the bad things that could happen to your business if your partners are lacking, put the shoe on the other foot… How many contracts have you signed with requirements for security you cannot meet? How are you managing your compliance programs? Are you doing just the bare minimum to meet requirements? Do your contracts drive your security programs? In short, they shouldn’t, and by only being reactive to partners you’re doing yourself a disservice and probably wasting money and the opportunity to do things efficiently. What will happen to your business if you are the reason for a breach?
Consider all of these factors when addressing partner risk. Use the opportunity of these partnerships to improve security holistically if you can. Identify these challenges long term as part of your strategy, and if you’re unsure of what to do or need more guidance, engage a trusted advisor to help.