Third-party security risk factors and how to mitigate them
Learn more about three third-party security risk factors and what you can do to mitigate risk from the software you get from your vendors.
As we build our budgets for 2016, many organizations are examining 2015 pitfalls in order to strategize where to spend money in the upcoming year. With the recent influx of security breaches, many are concerned about third parties and vendors with whom they share data. What can we do to reduce the likelihood of a breach internally, or involving our third parties and vendors?
From my point of view, there are three components to assessing third-party security risk:
- Data at rest. What data are your third parties storing?
- Data in motion. How are you transferring data between your organization and a third party?
- Data as a service. How are your third parties using that data? Are they collecting it through a web application? Are you sending data which they can then process or manipulate?
When examining third-party risk, we’re often focused on the money we spend with the third party and the strategic nature of the relationship, rather than the actual services being performed by the vendor.
Synopsys is a vendor. As such, we’re often asked:
- How are you handling our data?
- Are you storing our data on your premises?
- What controls do you have in place?
Security practitioners are spending too much time focusing on the storage of data. Instead, the focus should be on how the data is used. I would want my organization to spend more time with a vendor that runs an application which collects my customers’ data, rather than a vendor to whom I’m shipping data for back-end processing.
The BSIMMsc is working to shift this mindset by evaluating whether your organization’s vendors are undertaking the right activities to maintain application security. While we may still see breaches where the data was left in the wrong location, the greatest risk lies in the applications that collect the data.
