Supplier Risk - Are we leaving the back door open?
02/12/19 - Andy Gibbs | Certified SecurityScorecard Consultant
For some time now we’ve understood the need to protect our in-house IT systems and data. So, we’ve installed firewalls, antivirus, spam filtering, advanced threat detection etc. and plugged them into a SIEM tool to provide a holistic view of our threat landscape. We’ve encrypted information in transit and at rest and scanned our data for vulnerabilities. Great – so we’ve firmly bolted the front door, but have we left the back door open? We are consuming more and more of our IT services from the cloud, creating a level of supply-chain intimacy that brings with it some security management challenges. Our security threat landscape now extends well into our digital supplier base, over which we have much less direct control.
With 70% of breaches reportedly attributable to poor third-party security, it’s no surprise that standards bodies and regulators are putting our supplier management practices under increased scrutiny. The most recent republication of ISO 27001 significantly strengthened the requirement to manage security in the supply chain, and recent GDPR legislation has reminded us of our ultimate responsibility for the shortcomings of our suppliers when we outsource the processing of personal data to them.
So, how do we ensure that the vital digital assets we’ve entrusted to our supply-base are in good hands?
The traditional approach – casting a multi-page security questionnaire at suppliers during the onboarding process and waiting to see what comes back – is simply flawed. At best it will reveal a security profile that is just a snapshot in time. At worst, it will be evasive, non-specific, highly aspirational and possibly even deceptive. After all, why would any supplier bidding for your digital business want to give you anything but a glowing report on their security measures?
So, wouldn’t it be great if there were a fast, simple and truly evidence-based way of assessing the security posture of your key digital services suppliers – one that uses a consistent scoring methodology?
A new breed of supplier security management tools has appeared on the market that does just that. One such tool is SecurityScorecard. It allows you to establish a baseline score for each of your digital suppliers and track their changing threat profile in near real time, with daily alerts to let you know if there have been any significant changes – good or bad.
SecurityScorecard supports full collaboration with your suppliers rather than the arm’s-length approach traditionally adopted when using questionnaires and audits. By invitation, your supplier can interactively participate in your digital supplier review programme. SecurityScorecard will provide your supplier with a critique, supported by technical guidance on the areas where improvements can be made. In this way they can manage their own threat assessment, allowing them to drive their security improvement programme without excessive oversight from you. And you are kept informed on a daily basis as their risk profile improves or deteriorates, without having to chase them for progress reports and updates.
SecurityScorecard provides simple-to-understand on-screen reports and charts, allowing you to monitor supplier performance over time and compare it with their industry sector averages and trends. These visualisations are great when selecting suppliers, for benchmarking competing suppliers against each other and for comparing them with industry norms.
Would you like to learn more?
Register for one of our webinars on SecurityScorecard, or drop us a line if you have any questions.