How can you manage and mitigate the risk that your suppliers – and your suppliers' suppliers – pose to the integrity of your organisation's information assets?
That was the question posed to a panel of practitioners and experts on the third day of InfoSecurity Europe 2016. The panel was chaired by Mike St John-Green, principal analyst and technical advisor at the Information Security Forum.
He started with a question that bordered on the existential: Why are we here? Simply put, in the drive to make themselves more efficient, organisations are focusing on what they are best at and outsourcing the rest.
“This means that our information is being shared with an increasingly complex supply chain, creating a much wider attack surface,” he said. “To the degree that this information resides in multiple locations including the cloud, what are we going to do about it?”
More significant than the issue of where the data is stored is the issue of how many people and supplier organisations potentially have access to it.
“To understand the threats both internal and external, we must remember the insider threat within the supply chain,” he said. “You now have a very large population of people who are effectively privileged insiders.”
He turned first to Will Harvey, deputy director of security and information at HMRC, who said: “Can we understand what is being outsourced and what it means for us? We are moving from being rigid and rote-like with process to accommodating more flexible approaches to security. Rather than just say this is the standard, we look at what certifications they have and what that might not cover and how we can work with them.”
Another member of the panel was Arnaud Wiehe, CISO at TNT Express, who commented: “There is a notion that you can outsource work, and the most productive way to look at it is to use a third party as an extension of your own team. But the question is, how to manage that relationship from start to finish?”
He emphasised that all relationships need to be worked at, and he offered some practical advice. “In many ways it's like a marriage, in that there will be good times and bad times. When times are good things are easy – when things start to go wrong that's when it's tested. In order to be prepared for the bad times, you should know all of your suppliers by name and be able to contact them at the drop of a hat,” Wiehe said.
Mark Jones, CISO at Allen & Overy, wanted to challenge the notion that compliance was just a tickbox exercise with little bearing on real risk management. “Compliance is not a different space. It fills an important need in having your supply chain say where they are and what they are going to do,” he said.
“To get more of the risk angle, you need to build relationships that allow you to qualitatively assess the supplier relationships. It's about getting a good balance between what they say and a more deep dive qualitative assessment,” he said. “Getting it right will give you a very good picture of what's going on.”
Steve Williamson, director of governance, risk and compliance at GlaxoSmithKline, focused on cloud risk. “We are a big user of software-as-a-service, but when you go to the cloud it introduces the risk of password theft, for instance.”
However, Williamson added: “There is an increased maturity in cloud services now and they are using security as a differentiator. Five or six years ago that wasn't the case. Cloud services need to be leaders in security.”
Daniele Catteddu, CTO at the Cloud Security Alliance, made a plea for greater transparency. “It should be two directional, but even from the point of view of the supplier there is a need to be more transparent so customers can do a better risk assessment,” he said.
Catteddu also called for a focus on qualitative assessments, although he added: “But that might be a danger in the long run as we will see more complexity in it, with the coming of IoT. The only way we will be able to monitor and enforce security is through automation.”
Following an extensive Q&A session, St John-Green wrapped up with a few takeaways:
- Watch out for suppliers you didn't know you had
- Relationship management is vital
- Test your suppliers' security, not their reporting
- Know when to demand compliance and when to use risk management
- Understand your responsibilities when you purchase cloud services