Finding The Hidden InfoSec Story

Baby on Board


So you’re a new parent and you are planning your first long car journey.  Before your little one arrived you had the car fully serviced, started quizzing your garage MI6-style about any little problem found and fitted the latest, best-in-class, most safety-tested car seat known to man.  Not only that, ‘pre-flight’ checks, largely ignored since you passed your test, have taken on a whole new significance.

Fuel – check.  Tyres – check.  Mirrors – check. Oil and water – check.  No warning lights – check.   Immensely complex car seat still fitted as per manufacturer’s instructions – check.  Really? Are you sure? Check again – check.  Then finally you’re on your way.

But that’s not all.

There are the things you can’t control.  Yes, you scanned every route planner, news bulletin and radio programme to find out about accidents, weather warnings and road works.  Yes, you packed everything including a collapsible version of the kitchen sink, in case you were stranded far from civilisation, but every drop of rain, trip down a slip road, 16-wheeler and boy racer still feels like a direct and immediate threat to the life of your offspring.

Despite all the angst the journey goes well, as does the next one.  The nerves abate and each trip becomes a little more routine.  No less dangerous in principle, but you’ve stripped out the overkill and built a slick routine around the planning, packing, safety checking and car seat fitting.  Not to mention the fact that you’ve never actually had an accident that harmed your little darling.

Then, as time marches on, circumstances change.  Responsibility for your child needs to be shared to make your life work.  A child-minder will now be in charge of your child’s safety, so what precautions do you take?

You will take up and check references from other parents and Ofsted, visit their home, talk in detail about what they can offer your child, how they will protect your child, what has gone wrong in the past, what they did about it and what they would do if something goes wrong again.  You will also probably check what kind of car they drive and make sure they have a good car seat.

Beyond that, your decision to entrust your child to their care is mainly based on the rapport you have with them and the rapport they have with your child.  You rely on their experience and the trust built between you.  Trust maintained through constant communication.  Communication about:

  • Details of your child’s personality and needs and how you want them cared for, including any special requirements (insecurities, phobias, medical issues).
  • What the routine will be (where they plan to take your child and which other adults and children they will be around).
  • Daily check-ins and regular longer chats about how you mutually feel things are going.
  • Important updates when regular routines or costs change (a new toddler group, a new child being taken on, or a change to hourly rates).
  • A more detailed report after changes happen to make sure your child hasn’t been unsettled.
  • Changes to childcare regulations that mean policy documents or contracts need to be updated.
  • Opportunities and achievements either of you note, so you can jointly decide how to make the best of your child’s potential.
  • Finally and crucially, an immediate update if there are potential or actual issues that can impact the arrangement as a whole.  Perhaps a persistent problem with their behaviour, your behaviour, your child’s behaviour or the behaviour of other children.  Or maybe a move on the horizon or an illness that means the contract may have to end.

Even allowing for all the references, plans, policies, risk assessments and conversations:

THINGS WILL GO WRONG.

Your child will fall down and scrape knees and elbows.  They may even be in the car when your child-minder has a bump.  But the reaction to and treatment of that incident dictates the damage to your relationship.  If things go to plan, they will call you as soon as anything happens and give you a report on:

  • What happened
  • How your child is
  • Whether you need to take any immediate action
  • What they did at the time to soothe or treat them

Then, when the dust has settled, you talk through things again and work out:

  • What really caused the problem
  • What can be done to avoid it happening again

If there’s more than one bump, there will be a much more serious conversation.  You will dig deeper into what happened to make sure there are no underlying problems (like a hidden history of other accidents).  Depending on what you find out and depending on how often things go wrong, you may choose to end the arrangement.

And it’s not just incidents that can damage or destroy the relationship.  Below are a few more things that will sooner or later see you going your separate ways:

  1. Obviously distrusting your child-minder and constantly interrogating them about the choices they make in caring for your child.
  2. Being utterly prescriptive and uncompromising about the way they care for your child, even if that impacts their ability to provide some of the value-add activities that originally sealed the deal.
  3. Your child-minder taking an excessive amount of unplanned days off with no contingency plan for alternative cover.
  4. Overreacting to every problem that they tell you about, even if it’s something that you would take in your stride at home.
  5. Finding out your child-minder has not told you about something that put your child at risk or actually impacted their health or wellbeing.

So what does this have to do with information security?

Your confidential data can be seen as your baby.  It may be, in the case of customer data and data from partner companies, your adopted baby, but whichever way you look at it you are accountable for the safety of that cherished product of your labours.

No matter how well you protect data and govern its protection in-house, it is always a leap of faith handing that data over to a third party.  Everyone in the industry knows that open, co-operative relationships are necessary to achieve a successful, secure outcome.  So why do most companies still under-govern or over-govern suppliers and consistently report issues with underperformance, poor security or a general lack of trust?

By putting this into a more basic context I wanted to explore, in practical terms, the challenges of building and maintaining productive, supportive relationships with third parties.  The analogy could be used as a light-touch sanity and completeness check on the way you govern suppliers handling your most precious data and processes.  Alternatively it might flag overkill in your governance of suppliers who can’t cause you the same level of risk.

For those of you interested, I’ve also expanded on some key points in the analogy and put them back into the real world of supplier governance.  The opinions below are based on my experience building a nationwide supplier security governance service for a FTSE 100 insurer.  They are entirely my own opinions and don’t necessarily reflect the opinions of my company.  I hope you find them useful.

1. You need to establish a realistic security control framework and risk appetite with third parties.  Some risk-averse firms have a tendency to act like new parents when outsourcing the handling of sensitive data or business-critical activities.  Don’t be tempted to build a wish list of best-practice controls and then wonder why your relationship is unprofitable, adversarial and constantly non-compliant.  Yes, there are legal, regulatory and partner-driven requirements for control that have to be handed down and enforced, but baseline security requirements should fit the risk profile of the deal.

Do robust due diligence.  Learn about their experience, business model and security capability. Properly assess potential risks specifically for that supplier and specifically for that deal and be open to the fact that their controls, although different to yours, may be equally effective.

2. Accept nothing is perfect from day one.  If necessary, build time into the contract for suppliers to bring their security into line with what’s needed.  There’s never an out-of-the-box fit, just like no child-minder knows your child as you need them to on that first day.  Punishing suppliers for control weaknesses you should have identified through due diligence breeds defensiveness.

It takes significant up-front effort to build a risk profile, define the security baseline, agree absolute requirements and establish a crystal-clear security RACI (who is Responsible, Accountable, Consulted and Informed for each control).  But if you make that effort, accept that things take time to begin to work optimally and have a formal mechanism for the right people to accept a bit more risk while things mature, you will reap the rewards.  That effort and pragmatism sets the tone for the whole relationship and pays dividends when you next have to discuss risks and changing control requirements.

3. Things change.  It goes without saying that your child-minder will have to adjust how they deal with your child as they grow up, interact with their environment differently and face new challenges and dangers.  The same is true for third-party relationships.  The nature and standard of security you need from suppliers is a constantly moving picture.

To keep supplier security on track, use the inputs and outputs of regular governance meetings (incident, KRI, KPI, risk assessment, threat intelligence and regulatory change updates) to inform any changes needed.  Without this, your initial due diligence will soon be worthless.

4. Share problems.  If you always get good news or don’t get any news from your supplier, it means your relationship is broken and you are not aware of your risks.  That is an indefensible position if a breach leads to a regulatory or legal investigation.

Correct that by regularly working with suppliers to identify risks and agree SMART remedial actions, just like you chat daily with your child-minder to share updates, share concerns and nip any issues in the bud.  To inform those discussions, have a reasonable level and frequency of assurance and governance activity, embed a well-defined, well-tested incident management process and commit to learning lessons.

5. Plan a proportionate approach to governance, assurance and incident management.  If your child came to serious harm it would be devastating.  In corporate terms, a rough equivalent might be public disclosure and extensive media coverage of a breach significant enough to result in legal penalties or regulatory sanctions.  However, most suppliers can’t cause that level of impact and those kinds of incidents are thankfully rare.

If you have a large supplier population, use your supplier relationship managers to help you triage on the basis of inherent information security, continuity or physical security risk.  It needn’t be onerous.  I designed a 15-minute non-technical online survey to do this and ended up with a rich database of supplier risk data to inform supplier and other governance effort.

When you understand the risk profile for the relationship, make sure your assurance and oversight is appropriate for the level of risk.  In other words, don’t fire a 13-page security risk assessment at your milkman, demand your boutique website design company implement an enterprise-standard DLP solution or escalate every incident to the board.

At the same time, refresh your data on suppliers regularly, so you find out about changes to risk profiles.  Conduct an annual review of your benchmarks for the most and least risky suppliers and the controls you assess.  Take into account new threats, laws or regulations and, if that changes supplier assessment or governance scope, get that signed off by all key risk stakeholders.

Basically, everyone needs to stay comfortable that they are getting the most risk reduction bang for their buck, while acknowledging that resources are limited and accepting that not all problems are material risks.

6. Accentuate the positive.  Open, regular dialogue should always include talk of opportunities and achievements as well as performance issues, cost and incidents.  It fosters a true sense of mutual interest in a good outcome.

And more generally:

7. Believe that no-one wants to provide an insecure product or service.  There is nothing to be gained by thinking your suppliers are out to get you.  Don’t be tempted to operationally hobble them with constant audits or attempts to micro-manage.  Would constant interrogation of your child-minder prevent your child having an accident?  Would your child be safer if you threatened to end your contract every time there’s a problem?

If something goes wrong, contracts help lawyers to repair your balance sheet, but won’t help you mitigate the impact of bad publicity and the loss of partner or customer confidence.  What does help is a supplier who will call you the minute something breaks, while implementing a tactical fix and supporting a joint investigation into root causes.  What makes an even bigger difference is a supplier who will do that EVERY time and proactively recommend updates to security controls to prevent new or repeat issues, secure in the knowledge that lessons will have to be learned, but there won’t be blamestorming and escalations that can put their contract renewal at risk.

To conclude, there is no magic bullet to ensure your third parties operate compliantly, securely and productively.  Up-front checks avoid nasty early surprises, formally written rules help to set expectations and good governance provides some comfort that things are still on track, but your first and last line of defence will always be the trust and honesty you build into your relationships.


Author: Sarah Clarke
