Software Integrity


Third-party security risk factors

As we build our budgets for 2016, many organizations are examining 2015 pitfalls in order to strategize where to spend money in the upcoming year. With the recent influx of security breaches, many are concerned about third parties and vendors with whom they share data. What can we do to reduce the likelihood of a breach internally, or involving our third parties and vendors?

From my point of view, there are three components to assessing third-party security risk:

  • Data at rest. What data are your third parties storing?
  • Data in motion. How are you transferring data between your organization and a third party?
  • Data as a service. How are your third parties using that data? Are they collecting it through a web application? Are you sending data which they can then process or manipulate?

When examining third-party risk, we’re often focused on the money we spend with the third party and the strategic nature of the relationship, rather than the actual services being performed by the vendor.

Synopsys is a vendor. As such, we’re often asked:

  1. How are you handling our data?
  2. Are you storing our data on your premises?
  3. What controls do you have in place?

Security practitioners are spending too much time focusing on the storage of data. Instead, the focus should be on how the data is used. I would want my organization to spend more time with a vendor that runs an application which collects my customers’ data, rather than a vendor to whom I’m shipping data for backend processing.

vBSIMM is working to shift this mindset by evaluating whether your organization’s vendor is undertaking the right activities to maintain application security. While we may still see breaches where the data was left in the wrong location, the greatest risk lies in the applications that collect the data.

Learn more about vBSIMM and how it can help mitigate your third-party risk.

More by this author