Back in the day, we played cops and robbers with sticks and plastic squirt guns. Sometimes you were pursued, at other times you were the pursuer. There wasn’t much more to do than hide behind a trash can and maybe divert attention by tossing some object far from your hiding point. Sound a lot like today’s cyber battles? Not really!
Today’s bad guys enter your offices through the back door, and often directly through the front door. They can easily access badges, security codes and passwords, and once in the office, know exactly where the jewels are located – and how to access them – without barely a fingerprint left behind.
COVID-19 has quickly pushed all of our data and activity to the cloud. This means that your corporate data protection and security is more often than not outsourced by your IT staff to third party services providers who are managing all elements of your company’s daily technology and services deployment. AWS, Google Cloud, Microsoft Azure and a myriad of cybersecurity ‘gold standard’ providers are actually not much more secure than the old chain lock I wrapped around my bicycle back in the day – that was severed with heavy duty chain cutters and away went my new Raleigh 10 speed Grand Prix. They are a deterrent, no doubt, but not the Holy Grail of protection, for sure.
Third Party Risk Management
We have seen a new industry emerge and thrive over the past few years that aims to provide an additional level of security for organizations outsourcing data and operations to cloud services providers. That industry is called Third Party Risk Management (TPRM) and consulting firms have developed entire stand-alone practices dedicated to helping clients understand, quantify, and navigate their relationships with third party services providers. TPRM in a more innocent era was a function of supply chain and third-party logistics (TPL) protection. The Pharmaceutical industry had to ensure that pills were not adulterated on their path from production to store shelves; manufacturers had to know their suppliers and producers in offshore facilities while guaranteeing customers that the component or additive, produced in say, Vietnam would perform up to a US or European standard. In more extreme scenarios, industrial manufacturers outsourcing production to less-regulated zones opened themselves to serious IP exposure.
What this adds up to is that paying an invoice for your cloud service provider is only the first stage of an adventure into security provisioning and does not comprehensively secure your assets. Your company’s vulnerability is becoming a more visible line item on the balance sheet, in the form of Directors and Officers Insurance at the Board level, and impairment to a company’s brand, data, operations or viability at the most basic level. Boards and senior management may bear financial responsibility for negligence, which can be defined as a simple failure to properly assess third party security providers. The U.S. Office of the Comptroller of the Currency (OCC) writes in its risk management guidance:
A bank’s use of third parties does not diminish the responsibility of its board of directors and senior management to ensure that the activity is performed in a safe and sound manner and in compliance with applicable laws.
3rd Party Security
Companies today are focused more than ever on how to manage TPRM and TPSM (third party security management) challenges, while minimizing associated costs and not beefing up back office/administrative (non-revenue generating) resources. Shareholders, stakeholders, and employees depend on a company’s sound stewardship during these unprecedented times. A balance needs to be reached that ensures that the buyer of said services (the company) is adequately protecting itself against exposures generated by third party services firms’ employees who may go rogue, make an error, fail to follow security guidelines or in some material way, knowingly or unknowingly, compromise their – and your – company’s vitality.
Professional Services firms engaged in providing third party risk services have prepared detailed questionnaires and surveys assessing your company’s partners and service providers, and themselves require their own service providers, contractors and employees to complete lengthy analyses addressing detailed technical and operational matters. This is fine, and indeed important. What is lost in the dialogue is that Professional Services firms often delegate the review and compliance around TPRM and TPSM matters to a procurement or compliance employee. This is a major oversight and can cause long-term harm to all parties involved. TPRM and TPSM has become a more technical and IT area of focus, and less a compliance, ‘tick-the-box’ topic in the post-COVID era.
Firms providing TPRM and TPSM services to clients must incorporate a senior technology executive into the TPRM/TPSM compliance assessment, and should ideally involve the IT leader (VP IT, CTO-CIO) in early discussions regarding key assessment criteria governing relationships with external partners and service providers. The senior IT executive should have experience working with vendors, partners, and suppliers of services, and should also understand the implications of the work being contracted, to the company’s P&L. S/he needs to be a collegial, consultative, and mature executive with some battle scars, and a level of skin in the game — be that equity, bonus, ownership or reputation. Hens guarding the hen house can be useful when the stakes are so high and your company’s future state is one or two clicks away from dark web, ransomware-driven entrepreneurs.
When contracting with third party service providers, companies need to consider the makeup and governance of third party providers themselves, including their employees, ownership structure, partners, vendors and revenues derived from key clients. Certain non-US firms require their partners and vendors to maintain data on servers owned by the (non-US) firm – they do not want to lose risking or compromising the data that is provided to them, and also want to ensure that their own systems manage and govern data access. A number of Professional services firms and banks today require vendors to complete surveys covering who specifically will have access to data and systems which they have outsourced to the third party, what software is currently used to manage entry and exit points, security software, incident response, and mitigation policies. The surveys go so far as to assess symmetric encryption and cryptographic hash, wireless access policies, time based one-time password algorithm (TOTP) and authorized user device configuration. While time consuming and even somewhat intimidating, this is the best way of ensuring that third party service providers are adequately positioned to oversee and manage your company’s key data and technology assets.
By Martin Mendelsohn
Martin Mendelsohn is a Senior Partner with Kingsley Gate Partners. Over a two-decade career in executive search, Martin has managed strategic hiring initiatives for large public sector entities including the U.S. Government and the Sovereign Wealth Fund of Kazakhstan. Most of his recent work focuses on executive recruitment for fast-growth technology and services focused companies operating in emerging and developing markets. Martin also manages several Kingsley Gate relationships with global Professional Services firms.