5 minutes with Tony Howlett - Vendor risk management needs to be a top security priority in 2021 and beyond

By Maria Henriquez
March 29, 2021

The recent SolarWinds breach has brought vendor risk management into the spotlight. With 59% of data breaches being traced to third-party vendors and the average enterprise having 67 vendors with privileged access, managing third-party risk is no longer optional, says Tony Howlett, Chief Information Security Officer (CISO) of SecureLink. Here, we speak to Howlett about why security and risk professionals need to take control of their third-party exposure and implement safeguards and processes to reduce their vulnerability.


Security: What is your background, current role and responsibilities?

Howlett: I am currently the CISO of SecureLink, based in Austin, Texas. SecureLink aims to solve third-party security for businesses that need it most, making it easy for companies to connect with their suppliers and vendors while maintaining the highest levels of security and compliance.

In my current role, I keep the corporate infrastructure of the company secure, while also making sure SecureLink's product is secure, complies with regulatory standards, and has the cutting-edge features that customers need. In terms of my broader experience, I'm a published author and speaker on various security, compliance, and technology topics. I serve as President of the (ISC)2 Austin Chapter and am an Advisory Board Member of GIAC/SANS. I'm also a certified AWS Solutions Architect and hold the CISSP and GNSA certifications, and a B.B.A. in Management Information Systems.



Security: Why does vendor risk management need to be a top priority for organizations in 2021 and beyond? What should this look like?

Howlett: Today the average enterprise has 67 vendors requiring access to its internal network. That can be thousands of users connecting. And with 59% of data breaches traced to third-party vendors, these statistics highlight that supply chain and third-party risk management needs to be a top security priority for organizations. Best practices include identifying and authenticating users, controlling vendors' level of access, and recording and auditing vendor activity:

  1. Identify and authenticate - One of the fundamental best practices for managing your vendors is: know who they are. 37% of companies are unsure of the total number of vendors accessing their networks. This is a huge part of starting up an official Vendor Risk Assessment program, where your vendor assessments are made and vendors are scored by risk. You'll also want to avoid allowing generic accounts, so make sure every individual on your network is identified, and be sure to enforce Multi-Factor Authentication for your vendors.
  2. Control and access - Once vendors are properly identified, the next step is to control their access using the principle of "least privilege access". This means only giving the vendor the rights and level of access they require to do their job; no more, no less. The more granular you can get with this, the better: down to specific service ports and times of access. Additionally, make sure the remote access you are providing is secure. It's also recommended to tier or group your vendors and document access policies and workflow per group. Not only should vendors not be treated like internal users, but they also shouldn't all be treated the same.
  3. Record and audit - You will want to apply a different level of monitoring to external parties accessing your network and systems than to internal employees. Ideally, you are recording specific actions via screen captures or keystroke logging, especially for privileged access. And have regular review processes, with alerts and notifications sent when certain thresholds are triggered. All the granular logs in the world are no good if no one views them.
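The three practices above (named identities with MFA, least-privilege access scoped to specific hosts, ports and time windows per vendor tier, and an audit trail with threshold alerts) can be expressed as a small policy check. The following is an added example written for this page; it is not SecureLink's product or code from the interview, and the vendor name, hosts, ports and maintenance windows in it are constructed for illustration.

```python
"""Vendor access policy check with an audit trail.

Added example, not SecureLink's product or code from the article. Vendor
names, hosts, ports and maintenance windows below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Set, Tuple

# Named individuals only: a login with a generic stem is refused at registration.
GENERIC_STEMS = {"vendor", "admin", "support", "service", "contractor"}


@dataclass
class Tier:
    """What one vendor group may reach: exact (host, port) pairs in a time window."""
    name: str
    allowed: Set[Tuple[str, int]]   # e.g. {("erp-db-01", 1433)}
    hours: Tuple[int, int]          # [start, end) local hour, 24h clock
    weekdays_only: bool = True
    privileged: bool = False        # True => the session must be recorded


@dataclass
class Vendor:
    user: str           # one person at the vendor, never a shared company login
    company: str
    tier: Tier
    mfa_enrolled: bool


@dataclass
class Decision:
    allowed: bool
    reason: str
    record_session: bool = False


class VendorAccessBroker:
    """Gates vendor connection requests and keeps the log a reviewer needs."""

    def __init__(self, deny_alert_threshold: int = 3) -> None:
        self.vendors: Dict[str, Vendor] = {}
        self.audit: List[dict] = []   # one entry per decision, allow or deny
        self.alerts: List[str] = []   # raised when a vendor trips the deny threshold
        self._denies: Dict[str, int] = {}
        self.threshold = deny_alert_threshold

    def register(self, v: Vendor) -> None:
        stem = v.user.split("@")[0].lower()
        if stem in GENERIC_STEMS or "shared" in stem:
            raise ValueError(f"generic account rejected: {v.user}")
        self.vendors[v.user] = v

    def request(self, user: str, host: str, port: int, when: datetime,
                mfa_passed: bool) -> Decision:
        d = self._evaluate(user, host, port, when, mfa_passed)
        self.audit.append({"ts": when.isoformat(), "user": user,
                           "target": f"{host}:{port}", "allowed": d.allowed,
                           "reason": d.reason, "recorded": d.record_session})
        if not d.allowed:
            n = self._denies[user] = self._denies.get(user, 0) + 1
            if n == self.threshold:   # repeated denies are worth a human look
                self.alerts.append(f"{user}: {n} denied requests, review access")
        return d

    def _evaluate(self, user: str, host: str, port: int, when: datetime,
                  mfa_passed: bool) -> Decision:
        v = self.vendors.get(user)
        if v is None:
            return Decision(False, "unknown identity")
        if not (v.mfa_enrolled and mfa_passed):
            return Decision(False, "MFA required for all vendor logins")
        t = v.tier
        if (host, port) not in t.allowed:
            return Decision(False, f"{host}:{port} outside scope of tier {t.name}")
        if t.weekdays_only and when.weekday() >= 5:
            return Decision(False, "outside approved days")
        start, end = t.hours
        if not start <= when.hour < end:
            return Decision(False, f"outside approved hours {start:02d}-{end:02d}")
        return Decision(True, f"tier {t.name} policy match", record_session=t.privileged)


def demo() -> VendorAccessBroker:
    """Walk one constructed vendor through allowed and denied requests."""
    dba = Tier("db-maintenance", {("erp-db-01", 1433)}, (9, 17), privileged=True)
    broker = VendorAccessBroker()
    broker.register(Vendor("alice@acme-dba.example", "Acme DBA", dba, mfa_enrolled=True))
    alice, monday = "alice@acme-dba.example", datetime(2021, 3, 29, 10, 0)
    broker.request(alice, "erp-db-01", 1433, monday, mfa_passed=True)     # allowed, recorded
    broker.request(alice, "erp-db-01", 22, monday, mfa_passed=True)       # SSH not in scope
    broker.request(alice, "erp-db-01", 1433, monday.replace(hour=20), True)  # after hours
    broker.request(alice, "erp-db-01", 1433, monday, mfa_passed=False)    # MFA not passed
    broker.request(alice, "erp-db-01", 1433, datetime(2021, 3, 28, 10), True)  # Sunday
    broker.request("mallory@other.example", "erp-db-01", 1433, monday, True)  # unregistered
    return broker


if __name__ == "__main__":
    b = demo()
    for entry in b.audit:
        print(entry)
    print("alerts:", b.alerts)
```

The point of the design is that the allow path is the narrow one: an identity must be registered as a person, must pass MFA, and must hit an exact host/port inside its tier's window before a session is opened, and a privileged tier forces recording. Every decision, including the denies, lands in the audit list, and the third deny for one vendor raises an alert so the log gets read rather than merely kept.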


Security: How did the SolarWinds hack bring this issue into the spotlight?

Howlett: The sophistication and the use of a variety of attack vectors is what makes SolarWinds, to me, the ultimate example of a perfectly executed supply chain attack. It is estimated that over 1000 developers worked on this malware, making it one of the largest efforts in cybercrime ever. And then there is the sheer number of victims, including a number of large US Federal agencies handling highly sensitive information and operations like the Pentagon, Homeland Security and the State Department, not to mention major corporations such as Microsoft and Cisco that have software and hardware in almost every enterprise in the world. I predict that the SolarWinds breach will finally lead to much needed funding, reforms and possibly legislation that will force companies to more closely examine the software update process, vendor relationships and other vectors for supply chain attacks.



Security: What are other major hacks that have been traced back to third-party vendors?

Howlett: The last decade has been littered with high-profile third-party breaches which led up to this event. Despite these warnings, organizations (boards and upper management in particular) are still not prioritizing third-party risk management. SolarWinds is another reminder to the typical enterprise or government CISO that third-party access can't be treated like internal employee access. Third parties are a clear and present danger to every organization's security and compliance.

Target was the first mega third-party breach in 2013, when 40 million customer credit card records were stolen. From there the trend continued: JP Morgan and Boston Medical in 2014. T-Mobile, Sam's Club, Costco, CVS, Rite Aid, Walmart Canada, and Tesco in 2015. Kroger, Stanford University, and Northwestern University in 2016. 2017 was a particularly bad year in terms of volume (Equifax, Verizon, Hard Rock Hotel, the RNC, Uber, Hyatt Hotels), and 2018 had some of the largest third-party hacks yet (Under Armour and Marriott being the most public). These years were just getting us warmed up for SolarWinds in 2020. And this year has shown that hacking groups have not slowed down, with the massive attack with Sandworm malware on French companies via network software provider Centreon and the Accellion hack that infiltrated many big customers like Kroger and the Jones Day firm via their supposedly secure file transfer service.

And the year isn’t even half way over yet. Expect more.



Security: What are some lessons learned and best practices from these breaches/hacks?

Howlett: There are three key lessons:

  1. The key lesson SolarWinds has taught us is that anyone can be hacked, no matter how sophisticated or big an organization is. Over 18,000 customers use the affected Orion software, with many of them considered large US Federal agencies, including Homeland Security, the Commerce Department, and the Pentagon. SolarWinds is also used by 70% of Fortune 500 companies. Even FireEye, one of the top cybersecurity consulting firms, was successfully attacked.
  2. Software often occupies a very trusted place in your network. This attack highlights the danger from third parties and particularly from trusted software that can reside on our networks and servers, often without as much scrutiny as incoming emails, attachments and other outside data.
  3. Given how successful the SolarWinds breach was, it won't be the last. Serious hacking groups like nation-state Advanced Persistent Threats (APTs) and organized crime groups (recent reports show that South American drug cartels are turning to cybercrime because of the impact on their business of drug legalization efforts and COVID restrictions on movement and border crossings) will, to increase the impact and profitability of their efforts, increasingly look to "hack once, breach many" by infiltrating supply chain vendors to spread their wares. To address this growing issue, organizations must take third-party risk management seriously and tightly secure the access they grant.

CISOs need to focus on buying the right tools rather than trying to make things work with legacy or inadequate platforms to protect themselves from this kind of risk. Use of standard VPNs with no additional controls is the most common mistake. It’s a great tool for employee network access but is not appropriate for vendor users, especially ones working with privileged credentials. Additionally, having many different solutions and processes for vendor management makes it impossible to standardize across the organization and orchestrate security policy.

Essentially CISOs need to get into the mindset that vendors are not internal users. This simple axiom and the best practices that come out of it can help CISOs get on the right path to mitigating this growing and serious risk.
KEYWORDS: cyber security, risk management, supply chain, third-party security
Maria Henriquez is a former Associate Editor of Security. She covered topics including cybersecurity and physical security, risk management and more.