Jean-Baptiste Bres

Chief Information Security Officer

💡 Ensuring CyberSecurity in Vendor Management

Security managers often draw parallels between their work and the construction of fortified castles. We revel in envisioning the grand walls, towers, and fortifications that will protect our organisation's crown jewels, safely tucked away in our digital dungeons. It's an exciting prospect—a fortress so secure and impressive that we might even raise a flag atop our tallest tower!

However, in our enthusiasm, we sometimes forget that fortified castles were not solely built to protect treasures. They were, first and foremost, places of life and trade, where the economy thrived. The walls served as a defence against attacks, a last resort when a formidable army arrived at the doorstep. A cunning thief seeking the lord's treasures wouldn't dare attempt a brute force attack. Instead, they would find it far easier (and more cost-effective) to infiltrate by blending in, sneaking their way to the treasure room unnoticed. The perfect medieval heist would involve assuming the guise of one of the most ubiquitous and unsuspecting groups within the castle walls—the merchants.

The same principle applies to modern cybersecurity. We have made significant progress in protecting our internal environments and assets. Many organisations have fortified their defences admirably, prompting attackers to shift their focus to the vulnerable supply chain. Suppliers, often smaller organisations with fewer security resources, possess substantial access to our organisation’s assets and those of many others—a tantalising opportunity for malicious actors.

While security professionals undoubtedly play a vital role in safeguarding the organisational supply chain, vendor managers serve as vigilant observers and facilitators. Engaging with vendors daily, they navigate the intricacies of vendor relationships, oversee critical aspects such as service level agreements and costs, and ensure favourable outcomes (including the best swag). Their close rapport with vendors positions them as keen detectors of red flags and potential issues, which they promptly report to their cybersecurity team. Recognising the characteristics of a robust security profile and identifying potential risks are paramount to their work and crucial for protecting the organisation.

Therefore, dear vendor managers, this article is dedicated to you. Here, we will explore what you need to know and what to look for to ensure your vendors take their security—and by extension, yours—seriously.

Vendor Selection

Choosing the right vendor is never an easy task. As a vendor manager, scouting and finding the best potential partners is probably one of your most difficult tasks. So many variables to consider: cost, service, capabilities, support, swag (I insist, swag is important!).
And now you have to look for good cybersecurity too? 🙄 Well, let's have a quick look at what signals you can use to get a good feel for the cyber-capabilities of your prospective vendors.

Commitment to Security

First, keep in mind it's not just about evaluating a vendor's technical capabilities; what you really want to understand is their true commitment to security. What are their security priorities? How much skin do they have in the game? One "quick to assess" metric I like to use with medium and large vendors is simply to ask them how much of their IT budget is dedicated to security. The answer might vary depending on how sensitive their activity and the data they hold for you are, but an answer in the 10%-15% range is what you should be looking for. This allocation demonstrates a significant commitment to protecting their systems, data, and customers from cyber threats.

Similarly, you should ask how big their dedicated cyber team is compared to their whole IT team. Again, 8%-15% is usually what you'll be looking for as a good answer. Small vendors might not have the resources for a dedicated cyber team, and that's OK, but a company with 30 IT staff and no dedicated security person is a red flag.

Certifications and Frameworks

One way to assess a vendor's cybersecurity fitness is by examining certifications and frameworks—the badges of honour that demonstrate their dedication to safeguarding your organisation. Certifications like ISO 27001, SOC 2 Type II, and, to a limited extent of managing payment card data, PCI-DSS, serve as the gold medals of security excellence, assuring you that the vendor has met rigorous standards and has been independently audited. Unfortunately, these certifications also come at a great cost, so most vendors cannot afford the significant expense and effort required to achieve and maintain them.

Frameworks, on the other hand, are like comprehensive playbooks for cybersecurity success. NIST Cybersecurity Framework, CIS Controls, or the ASD Essential 8 offer valuable strategies and tactics for building a robust defence. Frameworks demonstrate a holistic understanding of cybersecurity. However, frameworks are just guidelines, and it's easy for vendors to claim they use them, even if they don't.

I've found that it's easy to judge a vendor's capability and honesty by asking them which independently audited certification they hold. An honest vendor without a certification will tell you that they don't have it but that they might use one of the frameworks. A less honest (or less security-competent) vendor will try to pretend that their framework is a certification. It's always fun to see their face when you ask them, "What sort of review did you have to go through to get NIST certified? I didn't know you could be NIST certified!" Busted!

Security insurance

While not a deal breaker, security insurance is an important consideration when evaluating vendors. Having security insurance demonstrates a vendor's commitment to protecting their assets and provides an additional layer of assurance. However, its absence should not automatically disqualify a vendor from consideration.

Security insurance companies assess the level of security of their customers to determine the premium. This incentivises companies seeking insurance to enhance their security practices and measures. The insurance process prompts vendors to prioritise cybersecurity and invest in robust protective measures, knowing that their premium is influenced by the strength of their security posture. As a result, vendors with security insurance often demonstrate a higher level of dedication to safeguarding sensitive data.

It's worth noting that security insurance typically covers your vendor, not your company. In the event of a security breach, the insurance company will provide compensation to the vendor to help cover the impact of the breach. However, as the client, your recourse for any damages or losses incurred would likely be addressed through contractual agreements, your own insurance policies, or legal remedies. Therefore, while security insurance offers added protection for your vendor, it does not directly provide financial restitution to your organisation.

Contractual Agreements

Contractual agreements are the next crucial step in ensuring that your vendors have and maintain the right level of protection. Crafting robust contracts that establish sturdy yet flexible requirements forms the backbone of your vendor management process, outlining the rules of engagement for safeguarding sensitive data.

First and foremost, it is essential to include clauses in your contracts that require vendors to have a robust and sound security program in place. While it's important to avoid being overly prescriptive (I have seen contract defining the encryption algorithm expected to be used, which, by then, was already obsolete), key statements such as ensuring sensitive data is encrypted in use and at rest, controlling and limiting access to staff with a clear need, and maintaining current network and system patches provide the necessary flexibility. These statements allow vendors to define their own approach while still ensuring that you can request reasonable changes if you feel they are not doing enough to protect your data.

Adding clauses for breach notification is paramount. In the event of an attack against your vendor, you need to ensure that warning bells ring loud and clear. Establishing clear guidelines for timely and transparent communication during a cybersecurity incident enables you to respond swiftly, mitigating potential damage and minimising disruptions to your organisation's operations. Defining which incidents need to be reported and when is essential. While you don't need to be informed about every hacker's attempt to scan your vendor's IT stack, it's crucial to be aware if any of your data has been potentially exposed to unauthorised parties, whether due to an attack or an accidental data sharing incident. Understanding how frequently these incidents occur and how your vendor learns from their mistakes serves as an indicator of their security maturity and commitment.

Liability is another crucial aspect to address in your contractual agreements. It's important to clearly define the responsibilities of each party and establish protocols for addressing security breaches. This not only promotes accountability but also incentivises vendors to prioritise and invest in robust cybersecurity measures, knowing that they will be held liable for any lapses in protection.

In addition to the above requirements, breach notification, and liability clauses, consider including provisions for regular security assessments and audits as part of the contractual agreement. These provisions ensure ongoing monitoring of your vendor's security practices and help identify any vulnerabilities or deficiencies that may arise over time. By incorporating periodic assessments and audits, you maintain visibility into the effectiveness of your vendor's cybersecurity measures, allowing for prompt remediation and continuous improvement.

Remember, a well-defined contract is essential for establishing a strong cybersecurity foundation. It sets the expectations, responsibilities, and consequences that both you and your vendors must adhere to. Just as a castle relies on its solid foundation and impenetrable walls, your contractual agreements provide the framework for maintaining a robust cybersecurity posture within your vendor relationships.

Security Capabilities

While we have discussed important considerations during the onboarding and contract signing process, it is important to recognise that security measures should not end there. Continuous monitoring of your vendors' capabilities is crucial to maintaining a strong security posture. While conducting detailed reviews for all vendors may be challenging for your security team on a regular basis (although it is highly recommended), there are a few areas that can be easily assessed during routine management meetings. By probing these areas, you can ensure that your vendors' capabilities remain robust and aligned with your security requirements.

Data Protection and Access Controls

When collaborating with vendors and exchanging sensitive information, prioritising strong data protection measures is paramount. Implementing encryption, access controls, and secure transmission protocols is essential for maintaining the confidentiality and integrity of data. Encryption acts as a safeguard, rendering intercepted data unreadable and unusable. Access controls restrict vendor access to only the information necessary for their specific responsibilities. While it's important for your security team to actively monitor and limit vendor access to sensitive systems or data, it's equally crucial to have confidence in how your vendors handle and secure the entrusted data and access.
Here are a few questions to assess your vendors' data protection and access capabilities:
  • What do you consider to be the most sensitive data we provide to you? This question explores the alignment of data sensitivity between you and your vendor. Understanding their perception of the most critical data helps identify any disconnects and enables you to address them proactively.
  • Do you encrypt our data when it is stored or transmitted within your network? This question assesses the level of security maturity within their organisation. While some companies historically overlooked protecting data within their own network, today's standards expect robust security measures to safeguard data both externally and internally. Strong security practices involve encrypting data at rest and in transit within the network.
  • Who has access to our data within your organisation, and for what purpose? This question aims to determine whether they have a clear understanding of who can access your data. While the answer may vary depending on roles and responsibilities, they should demonstrate knowledge and control over data access. If they seem uncertain, it raises concerns about their overall security posture.
By asking these questions, you can gain insights into your vendors' awareness and practices regarding data protection and access controls. It ensures that they align with your expectations and have the necessary security measures in place to safeguard sensitive information.

Incident Response and Recovery

While our goal is to prevent cyber incidents, it is crucial to ensure that your vendors are well-prepared to handle such situations. It is essential for your vendors to have a robust incident response plan in place. This plan should clearly outline communication channels and escalation procedures, enabling prompt and coordinated action during cybersecurity incidents. By establishing expectations and guidelines for incident reporting and collaboration, you strengthen the partnership between your organisation and vendors, presenting a unified front against cyber threats. A well-defined incident response and recovery strategy ensures that both parties can effectively address and mitigate the impact of potential security breaches.
Here are some questions to ask your vendors to assess their incident response preparedness:
  • How do you monitor for potential cyber incidents? It is reasonable to expect that most companies utilise a Security Operations Center (SOC), either internally or through a service provider, to monitor their systems and networks for any unusual activities or indicators of compromise.
  • How do you define a cyber incident, and when was the last incident you experienced? It is important to understand how your vendors perceive and handle cyber incidents. While major incidents like significant data breaches are notable, it is equally important for them to actively monitor and address smaller incidents. This includes incidents like accidental data leaks, malware detection, or phishing attempts. Awareness and proactive management of these smaller incidents are key to preventing larger-scale attacks.
  • When was the last time you conducted an exercise for cyber incident response? Regular exercises serve as a good indicator of readiness. You should expect vendors to conduct at least an annual exercise to test their incident response capabilities. This exercise may involve walkthroughs of the response process or simulated scenarios to assess their ability to handle different types of cyber incidents effectively.
By asking these questions, you can gain insights into your vendors' vigilance and readiness in managing cyber incidents. Their proactive monitoring, understanding of incidents, and regular testing demonstrate their commitment to incident response and recovery.

Ongoing Monitoring and Auditing

In the realm of cybersecurity, ignorance is not a blessing. It is crucial that vendors actively monitor their defences, seek out weaknesses, and stay informed about new threats. These routine activities are essential for maintaining a strong security posture. They help identify vulnerabilities or deficiencies that may emerge over time and enable timely remediation. Topics such as vulnerability management and penetration testing should be regularly discussed. Here are some questions you can ask to assess a vendor's approach:
  • How frequently do you conduct vulnerability testing on your systems? While continuous testing is ideal, it can be costly and may not be feasible for all vendors. However, a comprehensive penetration test at least once a year is considered the minimum standard. Anything less than that should raise concerns.
  • How often do you patch your systems? Workstations should be patched on a monthly basis, while servers and infrastructure should be updated no less frequently than every 2 to 3 months. It is also important that your vendor has a process in place for out-of-band patching, addressing critical vulnerabilities that require immediate attention and cannot wait for the regular patch cycle.
  • What components do you include in your patching process? Workstations and servers are obvious candidates, but it is equally important for network devices, connected devices (such as smart TVs and video conferencing kits), and applications to be tracked and managed in the same manner.
By asking these questions, you can gain insights into a vendor's commitment to vulnerability management and patching, ensuring that they prioritise maintaining a secure environment.

Employee Awareness and Training

The human factor is often the weakest link in cybersecurity, both within your organisation and among your vendors. Understanding how your vendors ensure their employees remain sharp and prepared can provide insights into their commitment to cybersecurity and data protection. While many organisations claim to provide annual online training for their employees, the evolving threat landscape demands more proactive measures.
Delving into your vendors' practices can be beneficial. Consider the following questions:
  • What does the security training cover? Inquire about the topics covered in their security training. While recognising spam and phishing emails is essential, there should be a broader focus. Employees should receive training on identifying sensitive data, securely handling and transferring it, best practices for password management (such as not sharing passwords), and protocols to follow if a suspected cyber incident occurs.
  • How to you test your employees? Training is only half the battle. How do your vendors measure the effectiveness of their training programs? Do they conduct regular employee tests? For instance, sending simulated phishing emails and assessing employee responses is a common method to gauge awareness and identify areas for improvement.
By asking these questions, you can gain a better understanding of how your vendors approach employee awareness and training. A comprehensive training program that covers various cybersecurity topics and includes regular testing demonstrates a proactive commitment to combating cyber threats.

In conclusion, it is crucial to acknowledge that the supply chain has become a favoured target for hackers. While your organisation's cybersecurity team plays a key role, vendor managers must also be vigilant in recognising signs of a robust security profile and potential red flags.
Selecting vendors with a strong commitment to security, establishing comprehensive contractual agreements, and continuously monitoring vendor capabilities are essential for maintaining a strong security posture. Regularly ask the right questions, remain proactive, and collaborate with your cybersecurity team to address any concerns.
In the ever-changing cybersecurity landscape, the diligence of vendor managers is vital. By prioritising security throughout the vendor management process, organisations can establish a resilient supply chain, effectively safeguarding valuable assets and data from malicious actors.

Disclamer: This article is not legal or regulatory advice. You should seek independent advice on your legal and regulatory obligations. The views and opinions expressed in this article are solely those of the author. These views and opinions do not necessarily represent those of HSBC or its staff. Artificial Intelligence Technology was used to read-proof this article.