Are You Asking the Right Questions to Your Security Partners?
The recent Okta security breach is another example of companies founded on the vision of providing cybersecurity solutions, not necessarily being immune to attacks. It also shows the devastation that a cyber incident can have when targeted toward a cybersecurity software vendor, consultant, or managed security service provider (MSSP) due to the deep access and information they manage for their many clients.
In this case, Okta is one of the top identity and access management solutions providers with thousands of clients globally. At least 366 may have been compromised from the incident, which was worsened by the fact that Okta took weeks before even notifying those clients of the event.
These circumstances expose a few key concerns your business needs to acknowledge — the security and transparency of your cybersecurity partners, and how a breach at one of them could affect your organization. It’s vital to spot red flags early in the buying process, before you become a customer or client, so that you don’t become a victim of something outside your control.
So in light of the recent events and the likelihood that more will come, what questions should you be asking before partnering with a cybersecurity product or service provider, and what are some resources you can use to help evaluate vendors, security partners, consultants, and MSSPs?
Essential Questions You Should Be Asking Security Partners
Pricing, product features, services, and overall experience are the top attributes for most buying decisions. Purchases in the cybersecurity realm, however, need to be coupled with an evaluation of the provider’s organization, processes, culture, and security, because those can be factors in whether or not they are breached. Creating and implementing a vendor risk assessment for your business should be an essential component of your security posture. Here are some of the critical questions you should be asking before selecting a partner:
Are they subcontracting services to, or working with, other security partners?
It’s not uncommon for a provider to subcontract certain services to another business as part of their process. For instance, a cybersecurity software vendor might use a third-party service to handle installation and training rather than doing it in-house. You may have no idea this is occurring because it was only mentioned briefly in the terms of the agreement.
By bringing a third party into the picture, you’re adding more risk to your organization: another group has access to your information and systems, which creates additional points of entry for cybercriminals. You’ll want to make sure you fully understand every party involved in implementing your solution, and that those third parties practice proper security hygiene.
What governance and security solutions are in place to ensure the security of their systems, people, and clients?
You want to determine whether the provider has a robust, comprehensive, and holistic cybersecurity program. This includes using up-to-date security technology AND strong administrative policies and procedures, both to prevent an incident and to remediate one quickly in the worst-case scenario.
Additionally, does this partner have high-level system visibility to detect obscure events that could be threatening, and do they have a system in place for identifying risks and vulnerabilities? Lastly, are they in compliance with any industry, legal, or regulatory requirements that would apply to them for their product or services such as HIPAA or PCI?
Do they practice what they preach?
This is an important question to ask, because the answer shows just how committed they are to their own vision. So often you hear about life insurance agents who don’t carry life insurance, or software vendors who don’t even use their own software — these are RED FLAGS, especially in cybersecurity.
Suppose an email-security software vendor, for instance, doesn’t use its own tool. That means either the tool isn’t designed well enough for them to want to use it, or they don’t actually prioritize email security. Likewise, a consultant who advocates for the Zero Trust framework but doesn’t follow its main principles evidently doesn’t believe the framework is good enough to build their own program on.
Have they ever had an incident?
This is a very fair question that often goes unasked. Incidents can range from accidentally emailing a sensitive file to the wrong person all the way to an entire database of client credit card information being stolen. Regardless of the size and scope, you want to know whether one ever occurred and how the company responded to it. If they’ve had a breach and responded poorly, there’s a good chance it will happen again.
What is their work culture like?
This last question may seem odd and out of place, but there is merit to it. More often than not, it is an organization with a toxic workplace that ends up falling victim to a cyber attack. When employees hate their job or their managers, they’re more likely to be careless and negligent — leaving room for a breach caused by human error.
Specifically, you want to find out whether the business is growing and whether employees, such as the vendor sales rep you’re speaking with, feel valued. You also want some insight into employee turnover, as it is the best measure of an unhealthy work culture.
Resources to Evaluate Vendor Security Partners
In addition to asking questions about vendor or partner security, you should use an external source for further evaluation or to confirm what you’ve been told. BitSight for Third-Party Risk Management is a terrific resource to help you make purchase decisions on cybersecurity vendors, consultants, and MSSPs based on their cyber risk. It validates security controls and continuously monitors third- and fourth-party providers to ensure they are constantly mitigating risk.
There’s also SecurityScorecard, which offers a third-party risk management product that focuses on reducing your vendor risk by evaluating your systems in relation to potential partners. Each of these tools is an excellent way to base a purchase decision on the security posture of the partners you might do business with.
Manage Your Vendor Risk with Ascension Global Technology
Make certain that you only work with top-quality vendors by partnering with Ascension Global Technology. Our deep vetting process ensures we only partner with top-of-the-line providers and protects our clients from third-party and supply chain cybersecurity risks. Contact us today to get started and be sure to check out our blog for news and insights on all things cybersecurity.