At ISC2’s annual SECURE London event, Deborah Saffer, director of information security for Liberty Specialty Markets, gave an insight into how we can establish a level of confidence in our suppliers and the other organizations we deal with.
Disclaimer: The views and opinions expressed in this article belong solely to the author and do not necessarily reflect those of ISC2.
In her talk “Trust But Verify: The Art and Science of Third-Party Due Diligence,” Saffer was frank from the start that cybersecurity due diligence can be a fairly uninteresting subject, but was similarly clear that this does not mean it is unimportant: “In cybersecurity,” she said, “your organization is only as strong as the most irresponsible vendor in your supply chain.” Saffer continued: “In a world where it is increasingly complex … where not only do we have to worry about third, fourth, fifth, sixth, seventh and eighth party vendors, all we need is one tiny startup that powers the one API your entire business depends on [to get attacked]: doing the due diligence is no longer optional, it is actually survival.” Saffer was clear that we buy more than software and services: we also take on the supplier’s security posture, operational procedures and ability (or inability) to respond to incidents.
Saffer was very clear that “security due diligence is not just a checklist and audits,” it has to be done thoughtfully, properly and thoroughly. Interpreting what third parties tell you is a key art to perfect, for example, because: “the most useful part of the due diligence process is not what is said – it is what isn't said”.
Vendors often claim to be compliant with one standard or another, for example, but without an independent audit the claim is of little value. Sometimes responses to requests for information come back too quickly to have been prepared properly. In one case Saffer cited, the SOC 2 report a vendor produced was not even its own. “I don't actually know what was worse,” she said, “the mistake or their absolute confidence that they thought they could get away with it”.
The Art of Handling a Situation
Diplomacy is also an essential quality when speaking with vendors, as “no-one wants to be told they made a poor decision”. Vendors will often leave out essential information, noted Saffer, so we need to be firm while asking in a way that makes them comfortable telling us.
Vendor due diligence is not just an art, of course: there is science behind it too. The primary tools in this respect are frameworks such as ISO 27001 and NIST SP 800-53. They matter because third parties do not want to share any more information than they absolutely must, knowing that a capable customer will keep digging for the truth; a framework puts a defined, testable set of controls on the table instead of whatever the vendor chooses to volunteer. As Saffer put it: “[Frameworks] give us an objective view and they are independently auditable controls of that vendor, and it’s not just a tick box – we know that those controls are tested”.
Saffer’s next point was that a risk-based approach is essential: not all vendors are equal, and there is a tangible (even significant) cost to carrying out all that research. Low-risk vendors generally need a light level of due diligence, while high-risk ones can warrant a highly in-depth exercise. Saffer likened the concept to buying a car: “If you think about buying a second hand car for maybe, I don't know, £1,500, £2,000, you are not going to then spend £500 to secure it, because it's totally disproportionate to the value of that car. But if you're fortunate enough to have £1.2million to spend on a Lamborghini, you will think nothing of spending £50,000 to protect it, because that is totally proportionate”.
Controls verification was cited as another key factor. Saffer’s view was that third parties with decent cybersecurity regimes will have between 20 and 30 core controls: “If you make sure that those 20 or 30 ‘Cyber 101’ controls are good and they are effective, you will probably be … in a defendable position with any of the regulators around the world.” It is important to verify that those controls actually operate, though, not just to accept that the third party has them. Saffer gave an example: “You ask the vendor how they do MFA, then all of a sudden you realize that they're just sending a code via a Gmail account”, she said, musing: “Actually, is that good enough for your data?” Saffer then extended the point to remind us that continuous monitoring is also obligatory: how many times do we onboard a vendor and then just forget about them, she asked.
So, what happens when the art and the science meet? Saffer was clear: “The art identifies the questions, the science validates the answers. The art builds the relationships, the science ensures the relationships are secure,” she said.
Due Diligence Challenges
Saffer was keen to remind the audience that there are plenty of pitfalls in due diligence. ISO and SOC reports do not magically repel malware, for example, and Saffer pointed out that many of us have a tendency to over-trust mature vendors. We usually lack the staff to analyze properly all the responses we get from vendors, and there is every chance that the vendors lack the time to answer thoroughly. It is also easy to forget that the answers on a cybersecurity questionnaire are correct only at a point in time and decay from there. There was a wry comparison: “Remember, they [vendors] are like teenagers. If you want the truth, you have to ask very specific questions and then verify the answers”.
So, where did Saffer see due diligence going in the future?
First, it will be more complex and interconnected. “We are entering a world with AI-driven supply chains, fourth, fifth, sixth, seventh, eighth party vendor dependencies, automated risk scoring, real time monitoring, integrated trust platforms,” said Saffer. Next, vendors will wake up and realize that it is just as valid for our suppliers to be carrying out due diligence on us as it is for us to do it to them: “At some point, I'm expecting vendors will demand that we complete their due diligence questionnaires before they will connect with us,” she noted. The message was clear that continuous assurance is becoming the new normal.
As the level of complication is only ever going to rise, we need to start with the basics. The starting point is to decide on our minimum standards and define what good looks like for us, then set the bar for our vendors. We should ensure that these fundamental requirements are written into the contracts, but as well as holding them accountable we should help them meet the requirements. As Saffer put it, we should “build relationships, not fear” with our vendors. Automation, unsurprisingly, had a mention: we should automate what we can in order to minimize the human effort required, doing as much continuous monitoring as possible.
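The evidence problems Saffer describes (a report that belongs to another entity, a compliance claim with no independent audit behind it, and answers that were true at a point in time but have since aged out) are mechanical enough to automate as part of the continuous monitoring she recommends. The following Python is an added example, not code from the talk or from ISC2: the record schema (Evidence, Vendor), the per-tier policy thresholds, the legal-suffix list and the sample vendor records are all constructed here for illustration and are not taken from the page.

```python
"""Added example: automated freshness and ownership checks on vendor assurance evidence.

The schema, policy thresholds and sample records below are assumptions made for this
illustration; they are not from the talk or from any real vendor programme.
"""
import re
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Evidence kinds that count as independently audited when an auditor is named.
INDEPENDENT_KINDS = {"SOC2_TYPE2", "ISO27001"}

# Hypothetical policy: tolerated evidence age and whether an independent
# attestation is mandatory, keyed by vendor risk tier (the "risk-based" scoping).
POLICY = {
    "high": {"max_age_days": 365, "independent_required": True},
    "medium": {"max_age_days": 548, "independent_required": True},
    "low": {"max_age_days": 730, "independent_required": False},
}

# Legal-form words ignored when comparing entity names (assumed list).
LEGAL_SUFFIXES = {"ltd", "limited", "inc", "llc", "plc", "co", "corp", "corporation"}


@dataclass(frozen=True)
class Evidence:
    kind: str                    # e.g. "SOC2_TYPE2", "ISO27001", "SELF_ATTESTATION"
    issued_to: str               # legal entity named on the report or certificate
    period_end: date             # end of the audited period, or certificate expiry
    auditor: Optional[str] = None  # None when the vendor attests to itself


@dataclass(frozen=True)
class Vendor:
    name: str
    tier: str                    # "high", "medium" or "low"
    evidence: Tuple[Evidence, ...]


@dataclass
class Report:
    findings: List[str]
    review_by: date              # when the earliest accepted evidence leaves policy


def normalize(name: str) -> str:
    """Fold case, punctuation and legal-form suffixes so 'Acme Ltd' matches 'ACME Limited'."""
    tokens = re.findall(r"[a-z0-9]+", name.lower())
    return " ".join(t for t in tokens if t not in LEGAL_SUFFIXES)


def review(vendor: Vendor, today: date) -> Report:
    """Apply the tier policy to each piece of evidence and report what fails."""
    policy = POLICY[vendor.tier]
    findings: List[str] = []
    accepted: List[Evidence] = []
    if not vendor.evidence:
        findings.append("no assurance evidence supplied")
    for ev in vendor.evidence:
        # The report must be about this vendor, not borrowed from another entity.
        if normalize(ev.issued_to) != normalize(vendor.name):
            findings.append(f"{ev.kind} issued to '{ev.issued_to}', not '{vendor.name}': not the vendor's own")
            continue
        # Point-in-time evidence decays: anything past the tier's age limit is stale.
        age = (today - ev.period_end).days
        if age > policy["max_age_days"]:
            findings.append(f"{ev.kind} period ended {age} days ago, over the {policy['max_age_days']}-day limit")
            continue
        # A framework claim with nobody attesting to it is just a self-assessment.
        if ev.kind in INDEPENDENT_KINDS and not ev.auditor:
            findings.append(f"{ev.kind} claimed with no named auditor: treat as self-attested")
            continue
        accepted.append(ev)
    has_independent = any(ev.kind in INDEPENDENT_KINDS for ev in accepted)
    if policy["independent_required"] and not has_independent:
        findings.append(f"tier '{vendor.tier}' requires current independently audited evidence; none accepted")
    if accepted:
        review_by = min(ev.period_end + timedelta(days=policy["max_age_days"]) for ev in accepted)
    else:
        review_by = today  # nothing usable on file: review now, not later
    return Report(findings, review_by)


TODAY = date(2025, 6, 1)  # fixed so the sample run is reproducible

# Constructed sample records (fictional vendors and auditors).
SAMPLE_VENDORS = (
    Vendor("Acme Payments Ltd", "high", (
        Evidence("SOC2_TYPE2", "Acme Payments Limited", date(2024, 12, 1), "Example Audit LLP"),)),
    Vendor("Tiny API Co", "high", (
        Evidence("SOC2_TYPE2", "Other Corp Inc", date(2025, 3, 31), "Example Audit LLP"),)),
    Vendor("Stale Co", "medium", (
        Evidence("ISO27001", "Stale Co", date(2023, 1, 31), "Example Certifier"),)),
    Vendor("Self Co", "low", (
        Evidence("SELF_ATTESTATION", "Self Co", date(2025, 3, 1)),)),
)


def run_sample() -> dict:
    """Review every sample vendor against TODAY; keyed by vendor name."""
    return {v.name: review(v, TODAY) for v in SAMPLE_VENDORS}


if __name__ == "__main__":
    for name, report in run_sample().items():
        status = "OK" if not report.findings else "ACTION"
        print(f"{name}: {status}, re-review by {report.review_by}")
        for finding in report.findings:
            print("  -", finding)
```

Run the module directly to see the sample output. In use, the record store would be fed from the vendor inventory and the job scheduled so that `review_by` dates trigger re-requests for evidence, which is the point of Saffer's "continuous monitoring" rather than a one-off onboarding questionnaire; the name check is deliberately crude (suffix folding only), so a real programme would confirm the legal entity against the contract.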
The Value of Trust
The final key concept Saffer cited as essential was trust. For those with a long enough memory, she referred back to a 2013 scandal in which U.K. supermarket chain Tesco was discovered to be selling a ready-cooked beef lasagna which, unknown to them, was in fact 60% horsemeat. The underlying cause was, unsurprisingly, an unexplored supply chain: “the original supplier that Tesco had outsourced the manufacture of the value lasagna to had outsourced it again. They had outsourced it repeatedly without telling Tesco.” This equates precisely to today’s concept of third, fourth, fifth (and so on) parties in vendor relationships. Trust is essential because if the vendor is transgressing, we will eventually find out: “If one partner hides things, the logs eventually will reveal the truth, just like all those receipts you've stuffed in a drawer somewhere so your partner doesn't find all the handbooks that you have bought”.
Saffer wrapped up by reminding the audience of some simple facts: vendor due diligence is “not glamorous, it is not flashy and it is not something you brag about at parties.” It is absolutely imperative that you do it right, though, because in her words: “your ecosystem is your exposure, your partners are your perimeter and your vendors are, like it or not, your shared destiny in cybersecurity.” We should embrace the art, she said, master the science, ask better questions and build better relationships, because “no organization ever stands alone anymore”.