Third-Party Breaches Will Continue Until Morale Improves
I have some bad news for you: breaches at third parties are not going to stop – not any time soon. Various studies show that somewhere between one-third and two-thirds of all breaches have their nexus in third-party service providers. Given the decade-long outsourcing trend that is not showing any signs of slowing down, this means that your organization has a decent chance of experiencing one directly or through one of your third parties.
We have spoken at length in previous blog posts about proactive measures your organization can take. Mainly, you can conduct risk assessments on your critical third parties to better understand which of them might warrant extra attention in the form of improved security controls and other means. In this blog, however, I’m discussing some of the reasons why third-party breaches occur.
The infamous bank robber Willie Sutton was once asked why he robbed banks. “Because that’s where the money is,” was his reply. When any criminal is developing a plan to steal wealth, it makes sense to target locations where high concentrations of wealth reside. In many cases, that means third-party service providers, particularly those that store data of value.
Most software-as-a-service (SaaS) providers’ applications are multi-tenant. This means that data for many (and often, all) customers resides in a single database. SaaS providers implement a number of logical controls to ensure that data from one customer is not accessible to any other customer. Building these logical data segregation controls is not easy. These controls can be rather complex, and many security professionals understand the phrase, “complexity is the enemy of security,” meaning that a complex system can be difficult to secure, and it can be difficult to maintain that security over time.
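The following is an added example, not code from the original post, illustrating the logical data segregation control the paragraph describes. It builds a constructed two-tenant table in SQLite, shows a lookup that forgets to scope by tenant beside one that scopes by the tenant bound to the authenticated session, and includes the kind of validation check a reviewer would run against such a control.

```python
# Added example (not from the Optiv post): why multi-tenant segregation depends on
# every data access path being scoped to the caller's tenant, and how to validate it.
import sqlite3


def build_sample_db():
    """Constructed sample data: two tenants sharing one table, as in a multi-tenant SaaS."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE records (id INTEGER PRIMARY KEY, tenant_id TEXT NOT NULL, payload TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO records VALUES (?, ?, ?)",
        [(1, "tenant-a", "tenant A invoice"), (2, "tenant-b", "tenant B invoice")],
    )
    return conn


def fetch_record_unscoped(conn, session_tenant, record_id):
    """Weak control: the session tenant is ignored and the row is looked up by id alone,
    so any authenticated tenant can read any other tenant's row."""
    row = conn.execute("SELECT payload FROM records WHERE id = ?", (record_id,)).fetchone()
    return row[0] if row else None


def fetch_record(conn, session_tenant, record_id):
    """Segregating control: the tenant comes from the authenticated session (never from
    client input) and every query is filtered on it, so a foreign id yields nothing."""
    row = conn.execute(
        "SELECT payload FROM records WHERE id = ? AND tenant_id = ?",
        (record_id, session_tenant),
    ).fetchone()
    return row[0] if row else None


def segregation_holds(conn, fetch):
    """Validation check: for every tenant and every record id, confirm that `fetch`
    never returns data owned by a different tenant. Returns False on the first leak."""
    rows = conn.execute("SELECT id, tenant_id FROM records").fetchall()
    tenants = {owner for _, owner in rows}
    for tenant in tenants:
        for rec_id, owner in rows:
            if owner != tenant and fetch(conn, tenant, rec_id) is not None:
                return False
    return True


if __name__ == "__main__":
    db = build_sample_db()
    print("unscoped lookup segregates tenants:", segregation_holds(db, fetch_record_unscoped))
    print("tenant-scoped lookup segregates tenants:", segregation_holds(db, fetch_record))
```

The check in `segregation_holds` is the sort of control validation the post later recommends asking providers for; it exercises the data layer the way a hostile tenant would, without any knowledge of the application above it.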
Third-party service providers are organizations separate from your own. They have their own mission, culture and values. Their loyalty is different too. As much as they will say that they are client-focused, customer-focused or that customers come first, we all know that the implicit mission of any organization is its survival and growth. This means that the organizations that store your sensitive and critical information are first loyal to their own organizations. Any residual loyalty will be towards their customers.
Measuring a provider’s trustworthiness is subjective and not straightforward. The best that one can do is obtain some customer references to see how well the provider executes on its stated customer loyalty and service, then monitor the relationship for changes.
Some of the SaaS applications used today are developed and operated by relatively small and young organizations. Others are part of a trusted major firm’s portfolio, but came to being as acquisitions of smaller organizations. Key stakeholders in any organization’s third-party risk program need to be familiar with their third-party vendor portfolio, including knowledge of each vendor’s financial health and origins, as well as the effectiveness of their controls.
As many security professionals can attest, younger and smaller organizations tend to have immature security programs with very limited capabilities. Cyber criminals know this as well, and exploit smaller service providers’ weaker defenses.
Many of these smaller service providers also have limited means for knowing when a breach has occurred, as well as limited incident response capabilities. Many lack central logging and 24/7 monitoring, and their staff may have limited experience with security incident response.
These factors make it especially important for security managers to conduct detailed due diligence on their SaaS providers, including detailed questionnaires on their IT controls, as well as validation of the most important controls. The steps to an effective third-party management program are:
These are just the first steps, and there’s a lot more detail involved in building out a comprehensive third-party risk management program.
(Related note: With IoT devices, a vendor should be committed to baking in security and maintaining a product after release. It should be a concern if a vendor tends never to patch or update its legacy portfolio. Security is essential in each vendor’s software development life cycle (SDLC).)
September 12, 2017