Security Ecosystem Demands
What’s with the 80-page security questionnaire that just arrived from my new business partner?
This is a common question I hear from businesses all the time. They enter into a new partnership with a company and right on the heels of the agreement being signed – sometimes even prior to the deal being inked – they start getting queries about the state of their information security. So why do these business partners care about my organization’s security?
You’ve heard the old adage that “a chain is only as strong as its weakest link”? That’s your answer right there. A digital business ecosystem – a group of connected business partners that share data, information and intellectual property – is like that chain. If one of the links is weak, the interconnectivity puts all the partners at risk. Attackers are well aware of this; they’ll probe the ecosystem for its weakest link and exploit it as a point of entry, inserting themselves into the flow of data between businesses.
At the heart of these arrangements, and behind the questionnaires, more and more businesses are inserting carefully worded language into their business agreements designed to give them visibility into their partners’ security efforts. These agreements typically include requirements for security awareness training for employees and contractors; minimum standards of data protection (perhaps including encryption and segmentation requirements); identity management standards; and more. According to the 2017 US State of Cybercrime Survey, 47% of enterprise organizations (businesses with 1,000+ employees) evaluate the cybersecurity of supply chain/business partners prior to conducting business with them. Many, if not most, of those agreements now include the right to audit for compliance with the minimum security standards defined in the agreement. Sometimes these standards are determined by regulations the companies are mandated to comply with, and sometimes they define minimum thresholds governed by the security practices of the questioning party. In the latter case, confidentiality is usually the governing factor (an example might be the requirements a manufacturer asks its law firm to comply with). In the former case, the questioning party is likely governed by strict regulations that extend to its digital business ecosystem (such as healthcare businesses governed by HIPAA). In either case, compliance with these requirements is usually mandatory if the partnership is to move forward.
You’ll find that businesses take these partner mandates very seriously: 31% of businesses have terminated contracts or business relationships because a business partner failed to meet the defined security standards.
However, there’s often a silver lining to these mandates. For businesses that struggle to get executive support or funding for their security efforts, business partner mandates are often the impetus to get that support or funding started. In these cases, security has truly become a business enabler.
A final thought on these agreements: don’t be intimidated by their size or by what they demand. You’ll find that many of them ask for the same information, sometimes in different ways. If you hit a stumbling block where the requirements demand the use of certain technologies or processes that you’ve chosen not to adopt, pick up the phone and have a conversation with their CISO. You may well have a compensating control that they’ll be just as happy with, and that conversation can go a long way toward solidifying the digital relationship between your organizations.