Managing security in your digital supply chain with Security Scorecard
05/08/19 – Author: Andy Gibbs – Certified SecurityScorecard Consultant
Advances in technology are increasingly allowing organisations to consume IT infrastructure and application software ‘as-a-service’ rather than buy and run these in-house. This has significant financial and operational benefits, but it has also created a level of supply-chain intimacy that brings its own security management challenges. For a while now, there has been a recognition that the Chief Security Officer’s responsibility can no longer stop at the boundaries of their own organisation but increasingly extends into the supply chain and partner networks. It is no accident that when the international security standard ISO/IEC 27001 was revised in 2013, the controls covering supplier relationships were significantly beefed up.
Security management is much more of a challenge, now that the boundaries blur well beyond the perimeter of your own organisation into your third-party suppliers, and beyond that into their supply chain. Once you’ve signed up a new digital services provider, you’ve not only bought into the product but also implicitly into the organisation that sits behind it, including their staff, working practices and security risk profile that goes with it. Their data breach is potentially your data breach.
So, validating the security posture of your key digital services providers is crucial during the vendor onboarding process. But it doesn’t end there – this is not a one-off exercise. Your supplier’s threat landscape will be continually changing (as does yours) during the service delivery lifecycle, so continual vigilance is important.
But who maintains that watching brief? And how is this done in practice? For many organisations this is a very grey area. Often, the role falls to a vendor management or procurement team who are poorly equipped, lack the technical expertise and are under-resourced to fulfil this important task competently. The traditional approach of using supplier evaluation questionnaires backed up by vendor audit visits just doesn’t work, for several reasons: it’s labour intensive, it’s time consuming and it only captures the vendor’s security posture at a single point in time. It also relies on truthful, honest and full disclosure by the vendor at a time when, under competitive pressure to win business, their motivation may be compromised.
So, what are the elements of a contemporary digital supplier management programme?
Share responsibility for security
Firstly, a fundamental mind-shift away from the ‘us-and-them’, ‘challenge-and-response’ approach is needed, towards a much more collaborative style: we all win or lose together. The more enlightened cloud hosting vendors such as Amazon Web Services (AWS) are now adopting this approach. AWS actively encourages its customers to follow its Shared Responsibility Model, which defines who is responsible for each element of security at each layer of the technology ‘stack’ (AWS for security *of* the cloud, the customer for security *in* the cloud), and provides basic tooling and processes such as the Well-Architected Review, so that customer and supplier can collaboratively validate how well they are meeting each other’s security expectations.
Look for evidence of a built-in approach to security
When choosing hosting vendors, look for those who understand the importance of delivering security as a part of their service offering: built-in, not bolted on. Look for compliance with secure hosting and data management credentials such as ISO/IEC 27017 (security controls for cloud services) and ISO/IEC 27018 (protection of personal data in the cloud) in addition to ISO/IEC 27001 (security management). Do check the certificate itself, not just the claim: confirm that its scope covers the services and locations you will actually consume, that it was issued by an accredited certification body, and that it is still within its validity period.
Put in place a collaborative supply chain management programme that allows you and your vendors to rate your combined outward facing security posture, share any threats and vulnerabilities and jointly confirm action to mitigate or eliminate these. Tools such as Security Scorecard have an important role to play here.
Security Scorecard provides a simple, evidence-based way of assessing the security posture of your key digital services suppliers. It generates a normalised score for each supplier by gathering inputs from various intelligence sources, including non-intrusive monitoring of your suppliers’ internet-facing assets. Each supplier is given a rating in the range A – F, with A being excellent and F being a ‘fail’. Any vulnerabilities found are correlated with threat intelligence data to identify the degree to which your organisation may be exposed. For each type of vulnerability found, a technical critique is provided, along with suggestions for remedial action. This allows you to have a more meaningful discussion with your supplier, helping them understand the basis of your concerns and resolve any issues promptly. Bear in mind that an outside-in rating sees only what is visible from the internet; it complements, rather than replaces, the contractual and certification assurance described above.
In fact, using Security Scorecard, you can encourage your supplier to track their own rating, directly access their own technical critiques and monitor improvements in their score with you. And you remain in control: you will receive regular alerts from Security Scorecard informing you when suppliers’ scores have improved or deteriorated, allowing you to respond to changes in your supplier threat landscape as they happen. Trend data is kept, allowing you to track improvement or deterioration in suppliers’ security ratings over time.
This approach correctly moves the emphasis back onto the supplier for managing their own security posture, while providing you with the oversight needed to maintain good governance. This self-managing approach frees your valuable procurement, security and IT teams to manage vendor issues by exception, rather than having to support a programme of supplier assessment questionnaires and audits.
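To make the ‘manage by exception’ idea concrete, here is an added example (written for this article, not SecurityScorecard’s own code, and it does not call its API). It replays a constructed series of daily rating snapshots for three suppliers and raises an alert only when a supplier’s letter grade changes or its score drops sharply, naming the factor that moved most so the conversation with the supplier starts in the right place. The score-to-grade bands, the supplier names and the factor categories are all assumptions made for the example.

```python
"""Manage-by-exception monitoring of third-party security ratings.

Added example for this article; it is not SecurityScorecard's code and
does not call its API. It replays a constructed series of daily rating
snapshots and alerts only when a supplier crosses a letter-grade band or
drops sharply, so teams see exceptions rather than every small movement.
"""
from collections import defaultdict
from dataclasses import dataclass
import json

# Assumed score-to-grade bands for the A-F scale the article describes.
# The boundaries are an assumption for this example, not a statement of
# how the platform itself computes grades.
GRADE_BANDS = ((90, "A"), (80, "B"), (70, "C"), (60, "D"), (0, "F"))


def grade_for(score):
    """Map a 0-100 score onto a letter grade using the assumed bands."""
    for floor, letter in GRADE_BANDS:
        if score >= floor:
            return letter
    raise ValueError(f"score out of range: {score}")


@dataclass(frozen=True)
class Snapshot:
    """One rating observation for one supplier on one day.
    `factors` holds per-category scores; the category names are illustrative."""
    day: str
    supplier: str
    score: int
    factors: dict


# Constructed sample data (not real ratings): three suppliers, four days.
SNAPSHOTS = [
    Snapshot("2019-05-01", "acme-hosting", 92, {"patching": 95, "network": 90}),
    Snapshot("2019-05-02", "acme-hosting", 91, {"patching": 93, "network": 90}),
    Snapshot("2019-05-03", "acme-hosting", 78, {"patching": 58, "network": 90}),
    Snapshot("2019-05-04", "acme-hosting", 79, {"patching": 60, "network": 90}),
    Snapshot("2019-05-01", "beta-saas", 71, {"patching": 78, "network": 60}),
    Snapshot("2019-05-02", "beta-saas", 74, {"patching": 80, "network": 62}),
    Snapshot("2019-05-03", "beta-saas", 76, {"patching": 80, "network": 66}),
    Snapshot("2019-05-04", "beta-saas", 85, {"patching": 84, "network": 85}),
    Snapshot("2019-05-01", "gamma-cdn", 88, {"patching": 86, "network": 90}),
    Snapshot("2019-05-02", "gamma-cdn", 88, {"patching": 86, "network": 90}),
    Snapshot("2019-05-03", "gamma-cdn", 87, {"patching": 85, "network": 90}),
    Snapshot("2019-05-04", "gamma-cdn", 88, {"patching": 86, "network": 90}),
]


def by_supplier(snapshots):
    """Group snapshots per supplier, each series ordered by day."""
    series = defaultdict(list)
    for snap in snapshots:
        series[snap.supplier].append(snap)
    for snaps in series.values():
        snaps.sort(key=lambda s: s.day)
    return series


def detect_changes(snapshots, drop_threshold=10):
    """Compare each snapshot with the previous one for the same supplier.

    An alert is raised when the letter grade changes or the score falls by
    at least `drop_threshold` points. Small movements inside a band are
    ignored on purpose: they are noise, not an exception to act on. Each
    alert names the factor that moved most in the direction of the change.
    """
    alerts = []
    for supplier, snaps in by_supplier(snapshots).items():
        for prev, cur in zip(snaps, snaps[1:]):
            g_prev, g_cur = grade_for(prev.score), grade_for(cur.score)
            delta = cur.score - prev.score
            if g_prev == g_cur and delta > -drop_threshold:
                continue
            direction = "deteriorated" if delta < 0 else "improved"
            moves = {k: cur.factors[k] - prev.factors.get(k, cur.factors[k])
                     for k in cur.factors}
            driver = (min if delta < 0 else max)(moves, key=moves.get)
            alerts.append({
                "day": cur.day, "supplier": supplier, "direction": direction,
                "score_from": prev.score, "score_to": cur.score,
                "grade_from": g_prev, "grade_to": g_cur, "driver": driver,
            })
    return alerts


def trend(snapshots):
    """First score, last score and net change per supplier over the series."""
    return {s: (snaps[0].score, snaps[-1].score, snaps[-1].score - snaps[0].score)
            for s, snaps in by_supplier(snapshots).items()}


def to_json_lines(alerts):
    """Serialise alerts one per line, a form any SIEM can ingest as events."""
    return "\n".join(json.dumps(a, sort_keys=True) for a in alerts)


if __name__ == "__main__":
    print(to_json_lines(detect_changes(SNAPSHOTS)))
    for supplier, (first, last, net) in trend(SNAPSHOTS).items():
        print(f"{supplier}: {first} -> {last} ({net:+d})")
```

Run as-is, the sample data produces exactly two events: acme-hosting deteriorating from A to C with ‘patching’ as the driver, and beta-saas improving from C to B on the back of its ‘network’ factor; gamma-cdn’s one-point wobble inside the B band is deliberately silent. Lowering `drop_threshold` makes the rule noisier, which is the trade-off a vendor management team has to choose consciously.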
Integrate supplier security management with in-house operations and security management
You may already have a tool like Splunk at the heart of your security and network operations. Security Scorecard integrates with SIEM tools such as Splunk to give you a holistic view of your entire security landscape, including threats and vulnerabilities introduced by upstream suppliers. The Security Scorecard add-on allows customers to monitor three components of the Security Scorecard platform: the overall letter-grade security ratings, the underlying factor data in key risk categories, and issue-level data. Combining Security Scorecard’s easy-to-understand scores and grades with Splunk’s ability to search, visualise and report lets customers monitor changes in cybersecurity risk for themselves and their third parties.