As if all the risks associated with protecting an organization’s physical and digital assets weren’t challenging enough for CSOs and CISOs, new trends are making them far worse. This particular issue came up multiple times in the past year, and once an organization became aware of it, multiple other incidents were typically discovered. All of this combines to create another extremely challenging security situation for CSOs and CISOs.
Business units, functional departments and other divisional entities within the organization are going outside and funding their own initiatives. Many of these initiatives involve data and systems that are not just outside the organization, but totally unknown to the IT department and the offices of the CSO and CISO. Many of these services are cloud based, with a substantial amount of data (some of it sensitive: proprietary, confidential, PII and PHI) collected, stored, and used in and by the cloud applications/services.
Top three questions CSOs and CISOs must work quickly to answer and respond to appropriately:
- Have any of these outside services been breached, resulting in the theft of data?
- Are these outside services compliant with the requirements of your organization?
- Are these outside services and their data properly protected from physical and cyber threats?
Example: An organization contacted me and told me that they had detected a third party operating an online service that appeared to be performing a service in their name. A check with purchasing could not find any purchase of such services by the organization. Given that fact, the legal and security departments worked together and decided to contact law enforcement before contacting the outside service provider. As the situation progressed, it was determined that an internal department had contracted with the third-party service provider. Given that the fees were small, the service provider had been paid out of the department's general budget, which did not involve regular procurement, IT or security. Given that the third-party service provider was outside of their industry, they were unfamiliar with some of the unique regulations that the organization using their services was required to meet. So, there was no way they were compliant. It is unclear if the organization was permitted to examine the provider's systems to see whether the data the organization collected, processed and stored had been compromised. Perhaps the most interesting aspect of this example was that the use of the outside service was discovered by a simple Google search of the organization’s name. Basically, there were no policies, procedures or rules that prohibited the business unit from doing this.
I am sure that you can see the risks associated with this example. Many believe that data breaches by vendors and third-party service providers are more costly than in-house occurrences. In addition, many IT departments and security departments feel that managing regulatory compliance and data risks for such providers is much more problematic. Many IT and security departments have expressed supply-chain (vendor) concerns. That being said, these unknown systems fall outside of their efforts to address that issue.
Stat: One survey found that 23 percent of those asked were not concerned about third-party risks at all.
As a security professional, this is an issue that requires your attention. Policies must be crafted, put in place and properly communicated to get control over the unknown use of third-party services that involve systems and data. It is recommended that an annual survey of managers and above be conducted, asking whether they have contracted with any third-party service provider. Heavy wordsmithing is needed so that they understand what you mean by third party, what you are looking for and, equally important, why. If nothing else, at least annually conduct an online search using your organization’s name and any names that may be used by operational units and divisions, to see if you can detect any third-party services under your organization's name or names. How hard is that?
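The name search above produces a list of hits that still has to be reconciled against what procurement actually knows about, and the unknowns ranked by the kind of data they appear to hold. The following is an added example (not code from the original article or from any product it mentions) of that triage step. The search results, the procurement register, the approved-domain list and the sensitivity weights are all constructed for illustration; in practice they would come from your own search export, vendor register and data-classification scheme.

```python
"""
Shadow third-party service triage (constructed example).

Given hits from an external search on the organization's name, flag the
services that procurement has no record of and rank them by the sensitivity
of the data they appear to collect, with the follow-up questions a security
team would want answered first.
"""
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Assumed sensitivity weights; replace with your own classification scheme.
DATA_WEIGHTS = {"PHI": 4, "PII": 3, "confidential": 2, "proprietary": 2, "public": 0}
UNKNOWN_OWNER_PENALTY = 2  # a service nobody in IT/security knows about is itself a risk


@dataclass(frozen=True)
class Finding:
    domain: str            # hostname of the search hit
    vendor: str            # vendor name as shown on the site
    data_types: frozenset  # data classes the service appears to collect


@dataclass
class Assessment:
    finding: Finding
    known_to_procurement: bool
    risk_score: int
    follow_ups: list = field(default_factory=list)


def domain_of(url):
    """Lower-cased hostname of a search-result URL (urlparse lower-cases it)."""
    return urlparse(url).hostname or ""


def normalize(name):
    """Fold case and punctuation so 'Example Vendor, Inc.' matches 'example vendor inc'."""
    return " ".join(name.lower().replace(",", " ").replace(".", " ").split())


def assess(findings, procurement_vendors, approved_domains):
    """Return one Assessment per finding, highest risk first."""
    known_vendors = {normalize(v) for v in procurement_vendors}
    known_domains = {d.lower() for d in approved_domains}
    results = []
    for f in findings:
        known = normalize(f.vendor) in known_vendors or f.domain.lower() in known_domains
        score = sum(DATA_WEIGHTS.get(t, 1) for t in f.data_types)  # unlisted classes count 1
        follow_ups = []
        if not known:
            score += UNKNOWN_OWNER_PENALTY
            follow_ups.append("confirm which business unit contracted this service")
            follow_ups.append("obtain contract, breach-notification and compliance terms")
        if f.data_types & {"PHI", "PII"}:
            follow_ups.append("verify regulatory compliance before further use")
        results.append(Assessment(f, known, score, follow_ups))
    # Highest score first; ties broken by domain so the order is deterministic.
    results.sort(key=lambda a: (-a.risk_score, a.finding.domain))
    return results


def demo():
    """Run the triage over constructed sample data and return the ranked list."""
    # Constructed search hits: (URL from the name search, vendor shown, data classes seen).
    search_hits = [
        ("https://Survey.Example-Vendor.net/org/acme", "Example Vendor, Inc.", {"PII"}),
        ("https://portal.approved-saas.com/acme", "Approved SaaS", {"confidential"}),
        ("https://intake.clinic-forms.org/acme", "Clinic Forms", {"PHI", "PII"}),
        ("https://acme-events.io/", "Acme Events LLC", {"public"}),
    ]
    findings = [Finding(domain_of(u), v, frozenset(d)) for u, v, d in search_hits]
    procurement_vendors = ["Approved SaaS", "Big Licensed ERP"]   # constructed register
    approved_domains = ["portal.approved-saas.com"]               # constructed allow-list
    return assess(findings, procurement_vendors, approved_domains)


if __name__ == "__main__":
    for a in demo():
        status = "known" if a.known_to_procurement else "UNKNOWN"
        print(f"{a.risk_score:>2}  {status:<8} {a.finding.domain}")
        for item in a.follow_ups:
            print(f"      - {item}")
```

The only matching performed is on vendor name and hostname, which is deliberate: a service can be known to procurement under a name that differs from the one on its website, so a miss here is a prompt to ask the business units (the annual survey above), not proof of shadow usage.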
Kevin Coleman is a dynamic speaker, author, advisor, and visionary with Independent Software. He provides riveting insight on strategy, innovation, high velocity technologies and the issues and opportunities they present. He was Chief Strategist at Internet icon Netscape and at another startup that grew to be BusinessWeek’s 44th fastest growing company. He has spoken at some of the world’s most prestigious organizations, including the United Nations, the U.S. Congress, at U.S. Strategic Command, and before multiple Fortune 500 organizations, and has briefed executives in 42 countries around the world.