Friday, February 21, 2020

Setting up and managing supplier security assurance

Every organisation faces a significant challenge in managing the risk associated with its suppliers and partners.  No organisation exists in isolation, and organisations of all sizes rely on the support of third parties.

For the purposes of this post I’m focusing on Information Security assurance.  There are other considerations around areas such as finance and legal that aren’t covered.

Depending on the sectors you operate in, you may also face compliance requirements to demonstrate this assurance.  The scale and complexity of managing the program grows quickly with the number of third parties involved.

Your key objective is to ensure that the third parties you work with adhere to your required standards and operate within your company’s tolerance for risk (be that low or high).

Setting up a program

I’ve had the opportunity to work within organisations across the spectrum from small to large enterprises.  They all face a similar challenge.

A typical program includes the following components:

1. Risk assessment

Determine the level of risk the third party poses, based on the service it provides.

This normally considers aspects such as the type of data involved, access to systems, and the applicable standards and regulations (compliance).

2. Security questionnaire

This asks questions about the standard controls your company expects to see.  With increasing compliance demands, the length and complexity of these questionnaires can be substantial.

Consider having different versions depending on the nature of the relationship as well as the risk severity posed. Bear in mind these can be time consuming for both parties to complete and review.

There are standard options readily available that may suit your needs (e.g. SIG Lite from Shared Assessments).  Alternatively you may want them to be based on your own policies / standards.  This is more likely to be a requirement when you are in a heavily regulated industry.

3. Questionnaire review

Following the review you’ll want to identify any gaps between the third party’s current security posture and the minimum you require.  Each gap needs to be assessed and suitable recommendations / mitigations raised.  Based on these you will need to agree and track a remediation program with the third party.  Enforcement of such a program is most effective when it is stipulated within the contract.

4. Program management

You need to maintain oversight of third-party security programs so that progress against the agreed actions can be tracked.  Each action should have an agreed completion date, with suitable levels of escalation if the third party fails to deliver to the agreed time-frame and standard.

5. Contracts

Security standards need to be legally binding.  This is most effectively enforced by including security SLA and / or OLA clauses within the contract.

Third party management program

Relationships between parties will evolve over time to adapt to the needs of the organisation or as a result of changing external factors.  As a result, it’s necessary to perform ongoing risk assessments of the third party to ensure they maintain adherence to your required standards.

Some important aspects to consider:

  • Use cases and therefore risk associated with an engagement will change over time;
  • Security events / incidents may occur at the third party that require special attention;
  • Third parties change – events such as a company takeover or a change of executive or senior management can alter the direction and culture of an organisation;
  • Policies / standards evolve to meet changing requirements, so should third party management;
  • Companies may move into and out of compliance over time as standards / capabilities rise and fall;
  • You’ll want assurance / evidence that any security certifications are still relevant and valid;
  • Automate aspects of the program – utilisation of tools / platforms can really improve the efficiency of the program;
  • Provide reporting / oversight of the program to the senior stakeholders.

For most organisations it won’t be practical to perform comprehensive risk assessments of all third parties.  Take a risk-oriented approach and make sure you cover at least the highest risk ones.

The shortage of available information security staff has been widely publicised.  Despite this, every organisation has options to resource this type of program, typically a hybrid of internal and outsourced staff and services.

Important considerations

Accountability

It’s important to remember that Information Security advises on the level of risk posed by a third party and recommends actions that reduce that risk.  This covers whether the expected requirements are being met and whether the residual risk is within the risk tolerance of the organisation.

Accountability for the risk does not sit with Information Security.  If your business decides to proceed with a third party whose risk is above the accepted tolerance level, make sure accountability is taken at the appropriate level.  This is typically managed through a risk acceptance process.

Certifications

You’ll want to consider how much weight to give certifications.  This will likely vary according to a number of factors:

  • Coverage – are your control requirements sufficiently well covered;
  • Scope – are the services you’re using fully, partially or not covered;
  • Trust – was it attested by an independent, trusted party or self-assessed;
  • Validity – is it in date, and can this be confirmed against the certifying body’s register.

Be aware that holding a certification does not guarantee that a company is secure or even managing security effectively.  Be careful not to become over-reliant on them.

Classification

Organisations will have a myriad of different types of third-party provider.  Consider classifying them, as it may not be suitable to perform the same type / level of assessment against each.

There are a number of factors to consider such as:

  • What is the type and volume of the data involved;
  • Are the impacted services subject to compliance requirements;
  • Will the third party need access to the corporate network;
  • Does the third party need to attend your sites / facilities.

Lifecycle

It’s important to recognise that third party assurance is an ongoing process.  Risk associated with third parties changes over time as the service and threats evolve.

Management

The volume of third parties, questions / answers, evidence and assessments makes this an administration intensive exercise.

It’s also important to not underestimate how much work is involved in collaborating with stakeholders, following up with questions and requesting evidence.

A program can be managed in spreadsheets, but this often adds considerable overhead in terms of time, coordination and administration.  It may prove more cost effective to utilise a third-party management tool.  Within medium to large organisations your risk, legal or procurement functions may already have a suitable tool you can use.

On-boarding

Information Security is often only one of a number of teams / departments involved in the on-boarding process.  For the program to be effective, ensure you integrate into your organisation’s on-boarding lifecycle.

It’s far easier to influence and help reduce risk before a contract has been signed than after!

Prioritisation

Take a risk-based approach to identify your highest priority third parties.  With limited resourcing make sure you focus on your highest risks first.

Reporting

There are some important aspects of the program that you need to report on:

  • How many active third parties you have and at what level of classification / priority;
  • How many third-party assessments have been completed;
  • Your backlog of third-party assessments;
  • A realistic projection of what will and won’t be covered given available resourcing;
  • Identification of third parties (and reference to risk acceptances) that are outside of risk tolerance;
  • Suitable KPIs / KRIs to help track increasing / decreasing effectiveness and risk exposure.

This is your opportunity to communicate the level of risk associated with the third-party program as well as highlight limitations based on the afforded resourcing.

Resourcing

It’s best to take a risk-based approach to prioritising your resourcing.  Every organisation faces a scarcity of skilled people combined with a limited budget.

Be realistic about what you can achieve with the resources available to you.  Spreading your resources too thinly often leads to a reduction in their overall effectiveness. 

Due to the often high level of administration involved, consider what seniority of role you need to perform each task.  Consider assigning the lower skilled tasks to more junior positions, or potentially outsourcing them to a third party.

Final thought

Third party programs vary in size and complexity depending on the needs of the organisation.  This post highlights some key areas to consider and is based on my own experience of what does / doesn’t work.  Even a fairly light program will help you manage your third-party risk more effectively.

It would be great to get your thoughts on the topics covered along with any experiences that you’ve had that can help others either setting up or managing their own program.

Wednesday, February 19, 2020

Security qualifications, are they worth it?

There are a vast number of third-party institutions that provide professional certifications.  The two I often see asked for on job specifications are CISM and CISSP from ISACA and ISC2 respectively.

Trends in security qualifications vary on a year by year basis but these two have been consistently in the top ten.  For those interested in a typical top ten list take a look at this article from Forbes.

This is a big industry, with members having to commit considerable time, effort and money to earn and maintain these qualifications.

The positives

There are some clear positives:

  • Development - they require you to study to pass them, as well as ongoing professional development to maintain them;
  • Job hunting - they provide potential recruiters with assurance over your level of understanding / knowledge;
  • Job applications - they increase your chances of reaching the initial shortlist;
  • Earnings - they make it easier to move between roles and negotiate a higher salary.

The not so positives

The positives need to be balanced with the not so positives:

  • Membership cost - if you’ve got certifications it can get expensive to maintain;
  • Continuing Professional Education (CPE) Credits - there is considerable overhead in maintaining your CPEs;
  • US focus - many of the institutions charge fees in dollars making them subject to currency fluctuations;
  • Exams - these are expensive, long and often difficult to pass.

Not a replacement for experience

Qualifications provide a level of assurance over your knowledge, but expertise relies on experience.  Senior positions typically require a combination of qualifications and experience; in these positions companies expect candidates to hit the ground running.

For the more junior positions there is an expectation that candidates will require more support in mentoring and development to reach the required experience level.   At a junior level, qualifications can be a real differentiator when applying for positions.

Given the shortage of skilled people in the industry there is a wider recognition that new staff will require investment to develop.

Continuous development

The security landscape is changing at a rapid pace.  Even if you don’t go down the qualification route you need to have a desire to challenge yourself and develop.  There are plenty of resources that you can make use of including webinars, conferences, online study and local groups.  Many of these are available at no cost.

How many qualifications should you have?

This is a difficult question and one I have personally struggled to answer.  I’ve currently got four professional security qualifications and am working on my fifth.  From conversations with my peers, the answer relates more to the role that you are in.  For an Information Security Manager / Officer career path, having either CISM / CISSP or both can be a real positive.

I’m personally intending to achieve a further two qualifications in the next few years (CRISC & CISSP).  That will take me up to four qualifications I have to maintain memberships for.  Given how costly this can be it will be hard to justify the expenditure beyond that.

I’ve worked with a variety of different people within the industry.  The majority (but not all) have one or more qualifications. 

It’s worth noting that some people choose to let them lapse.  Perhaps in this instance they were an enabler while the individuals didn’t have the required experience, and a cost thereafter.

Can you have too many qualifications? 

This is an interesting point and not something I’d thought much about until recently.  After reviewing a candidate’s CV I was surprised by the number of qualifications and active memberships they were maintaining.  The CV in question showed that the individual had around 3 years’ experience and was averaging three major qualifications per year.  So, early on in their career, they were already paying out for several memberships and 9 qualifications.

Roles in security can be highly demanding and trying to balance development, work and personal life can be a challenge.  Over the last few years I’ve been trying to achieve one qualification per year.  I’m not convinced there is sufficient benefit to the individual to pay the cost required to maintain so many memberships and qualifications.

Final thoughts

From personal experience my qualifications have opened up opportunities and helped me get onto the initial short list for positions.  This has at least given me the opportunity to impress future employers in person.  They are not a replacement for experience but can certainly become an enabler when accompanied with it.

It’s important to note that not all qualifications are equal.  Have a look at the job specifications you’re most interested in and choose qualifications that will enable you to progress within them.  Consider the value they will give you, to make sure you can justify the time, money and effort it will take to achieve and maintain them.

These are my personal views.  I’d be keen to hear your thoughts.

Starting a career in InfoSec

Starting out

My journey into security started back in 2012. At the time I was working as a web developer within a large financial organisation. As part of the company’s Payment Card Industry (PCI) compliance program, I along with the wider team were required to undertake developer security training. This was the catalyst that began my InfoSec journey.

This initially started out with me undertaking training in defending and hacking web applications. This became a passion and I quickly found that I was the go-to person for security across development. As a result, I started to get recognised within both my own and wider teams. This in turn led to considerable engagement with the Information Security team.

Within a relatively short period of time I went from having a role as a web developer to a team lead and application security specialist. This role involved me providing security training to the development team, documenting and helping to integrate security into the Software Development Lifecycle (SDLC) and taking ownership (and often coding) for the mitigation of penetration test findings.

On my one-year anniversary in the role the company’s Information Security Officer position became available. Having been actively encouraged by a number of my colleagues I decided to take the plunge and give it a go. So, in 2013 I took over management of an Information Security team and haven’t looked back. Since 2013 I’ve held 4 different roles, leading me to my current role as Global Head of Information Security Governance, which I moved into in 2019.

Starting your journey

Everybody’s journey is different, and each person has varying experiences / skill sets that they can bring to the role. Traditionally the role was seen as IT Security focused, with the majority of people coming from an IT operations role. The industry has gone through a sizeable shift, with many new entrants coming from very different backgrounds. It’s also becoming a much more diverse area to work in, but still has some way to go.

Looking beyond the job specification

Take what is listed on the job specification with a pinch of salt. I am often amazed by the unrealistic and sometimes implausible demands.

An example is a junior position asking for a candidate to hold a full CISSP or CISM qualification. These typically require candidates to have a minimum of five years’ experience. That level of experience would be seen as at least a mid-level role, and I’d expect it to be paying a substantially higher salary!

Don't be afraid to apply

It is a greater risk to turn down opportunities than to embrace them. Be willing to apply for roles where you don’t meet all of the job specification requirements, or even if you’re not sure you’re ready.

Given the number of candidates going for every role, you will get setbacks. These should just be seen as a bump in the road. The more roles you apply for, the higher your chance of success.

Interview insights

I’ve spent a lot of time actively recruiting for roles within information security. I’ll give you a bit of insight into what I look out for within new recruits.

Passion

People that have a passion for security. What do I mean by that:

  • Do you actively read any blogs, articles?
  • Have you done any relevant training or qualifications?
  • Are you a member of any communities / groups?

It’s not just about what you do in your 9 to 5. Those that are passionate about the role are more likely to go on to great things.

Keenness to develop

The security landscape is changing at a rapid pace. You need to have a desire to challenge yourself and grow with the role.

Willingness to adapt to change

The role is about facilitating change securely rather than saying ‘No’. The demands and expectations of the role have changed a lot even in the time I’ve been doing it.

Be honest

Don’t be afraid to say ‘I don’t know’ or ‘I’m not sure’. I would much prefer people to be honest. If you say ‘I’m not sure, but I think it relates to…’, you are much more likely to be well received. The security field is vast and it’s not feasible to know everything.

I’ve had some individuals dig some big holes for themselves by not being honest.

Your journey

I hope this will provide you with a useful insight to start, or even progress along, your own personal journey. As you progress, building experience and gaining qualifications, your potential earnings will grow too. Good luck and remember to enjoy yourself on the way.

Let me know about your own personal journeys.