Hallawell, research vice president, information security and risk, at the Stamford, Conn.-based consultancy, offered advice for how to build a better and cheaper third-party security program at the Gartner Risk Management and Compliance Summit in Chicago last week.
A governance problem: Security comes after the fact
Third-party risk evaluation is time consuming, according to Gartner data. Most companies report spending more than 3,000 hours per year assessing the security controls of their suppliers, vendors and business partners.
Part of the reason for all those hours is that companies tend to treat all vendors equally. But probably the bigger factor is that vetting security tends to be done after the contract is signed.
The person or team in charge of security needs to be involved in third-party negotiations early on, Hallawell said. But, ironically, security is often perceived as a threat by the sourcing team, whose thinking runs: better to leave security in the dark than risk stalling the contract or making the deal more expensive.
That strategy is shortsighted. Audit and regulatory mandates are shifting to the security team. Unless companies lay out stringent security requirements in their contracts and use them as key evaluation criteria, they could end up paying for security problems, big time, Hallawell said.
The following are five practical tips from Hallawell for vetting security programs of third-party partners:
1. Bake the costs of the partner risk assessment into the sourcing analysis. Then if more controls/tools are required, get more money from the business unit. Often, IT is asked to vet the security controls of third parties without any funds, and Gartner client data shows that evaluation can cost from 4% to 11% of the base cost of a deal. For example, cross-cultural training sessions to educate vendors and partners on the company's security policies and practices can cost $50,000 per session, according to respondents in the Gartner survey. Multiple trips to India for the security team? $150,000.
In addition to obvious costs, such as trips to the host country in the case of offshore providers, there may also be fees for international legal specialists, regulatory compliance, asset management and so on.
2. Develop a security and control strategy for each line of service. For application production and support, security concerns include privacy of sensitive data and cross-border access to live production data. For app development, the biggies include IP exposure, "backdoors" in code and the leakage of corporate domain knowledge. Availability, privacy and discovery practices are big issues in Software as a Service (SaaS) contracts.
4. Have your IT security team (or person) develop an evaluation program that ensures a consistent approach to all SaaS/cloud relationships. Security and integration issues abound in any hosting relationship. Something like directory integration, in particular, can lead to disputes because it can be handled in so many ways. A host can join the corporate Active Directory or create an "external resource forest" or host the entire directory. The roles and responsibilities required of each approach need to be spelled out before the contract is signed.
Some security requirements that should apply to all SaaS contracts? Companies need reassurance that a breach in one customer's environment will not pose a risk to them. They should request that Simple Mail Transfer Protocol email relays use Transport Layer Security when possible, for beefed-up over-the-wire security.
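The SMTP-over-TLS requirement above is one of the few contract clauses a customer can verify directly rather than take on faith. The script below is an added example written for this article, not tooling from Gartner or the author: it connects to a relay, reads the EHLO extension list, attempts STARTTLS with certificate verification, and reports the negotiated TLS version. The relay hostname is a placeholder you supply; no mail is sent.

```python
"""Check whether a third party's SMTP relay offers STARTTLS and what it
negotiates.  Added example for this article (not Gartner's or the author's
code); the relay host below is a placeholder, not a real vendor."""
import smtplib
import ssl
import sys


def parse_ehlo_extensions(ehlo_reply: bytes) -> dict[str, str]:
    """Turn the EHLO reply body smtplib returns into {EXTENSION: params}.

    smtplib hands back one line per extension joined with "\\n"; the first
    line is the server's own greeting domain and is skipped."""
    extensions: dict[str, str] = {}
    lines = ehlo_reply.decode("latin-1").splitlines()
    for line in lines[1:]:
        name, _, params = line.strip().partition(" ")
        if name:
            extensions[name.upper()] = params
    return extensions


def meets_requirement(result: dict) -> bool:
    """Policy used here (an assumption, not the article's wording): the relay
    must advertise STARTTLS, present a certificate that verifies, and speak
    TLS 1.2 or newer."""
    return (
        result["starttls_offered"]
        and result["cert_verified"]
        and result["tls_version"] in ("TLSv1.2", "TLSv1.3")
    )


def assess_relay(host: str, port: int = 25, timeout: float = 10.0) -> dict:
    """Connect to a relay, inspect its EHLO reply and try STARTTLS.
    Returns what was observed; nothing is sent after the handshake."""
    result = {
        "host": host,
        "starttls_offered": False,
        "tls_version": None,
        "cert_verified": False,
        "error": None,
    }
    # Default context verifies the relay's certificate against system roots.
    context = ssl.create_default_context()
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            code, reply = smtp.ehlo()
            if code != 250:
                result["error"] = f"EHLO rejected with code {code}"
                return result
            exts = parse_ehlo_extensions(reply)
            result["starttls_offered"] = "STARTTLS" in exts
            if not result["starttls_offered"]:
                return result
            smtp.starttls(context=context)  # raises if the cert fails to verify
            result["cert_verified"] = True
            result["tls_version"] = smtp.sock.version()  # e.g. "TLSv1.3"
    except ssl.SSLCertVerificationError as exc:
        result["error"] = f"certificate failed verification: {exc}"
    except (smtplib.SMTPException, OSError) as exc:
        result["error"] = str(exc)
    return result


if __name__ == "__main__":
    # Placeholder host; replace with the relay named in the vendor's contract.
    target = sys.argv[1] if len(sys.argv) > 1 else "smtp-relay.vendor.example"
    observed = assess_relay(target)
    verdict = "PASS" if meets_requirement(observed) else "FAIL"
    print(f"{verdict}: {observed}")
```

Run it against the relay the vendor names in the contract; a FAIL with `starttls_offered` false means the relay never advertises TLS at all, while a certificate verification error means it offers TLS but with a certificate your side cannot trust, which is worth raising before signing rather than after.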
5. Set a formal process for integrating security and privacy into your vendor management program. Tier your suppliers according to business risk and criticality of the relationship. Work with legal and procurement to ensure security language goes into every contract. Some companies even require security sign-off on every deal.
Let us know what you think about the story; email: Linda Tucci, Senior News Writer