When it comes to managing risk, companies have plenty of choices. They can outsource security controls or handle it in house. They can put all their data in the cloud or keep it in their data center. But their relationship with business partners is a lot more complicated.
That's one of the takeaways from the Eighth Annual Global Information Security Survey CSO conducted along with sister publication CIO and PricewaterhouseCoopers. Some 12,847 business and technology executives from around the world took the survey, and many admitted they're somewhat more concerned than they were last year that their own security is threatened because the security of business partners and suppliers has been shaken by the recession.
More than three-fourths (77 percent) of respondents agreed that their partners and suppliers had been weakened by the recession, up from 67 percent a year ago.
"Companies are increasingly dependent on third parties whether they like it or not, and those partners need access to your IT infrastructure and your data," said Mark Lobel, a principal in the advisory services division of PricewaterhouseCoopers. "That's tough when times are good and scary when times are bad." Facing their own business problems, third parties need to cut costs just like you do, and they may slash security controls to do it, he says.
Josh Jewett, senior vice president and CIO for Family Dollar, says the company has taken steps to ensure business partners don't compromise its security. "We hold third parties accountable not only contractually, but also operationally," he said. "They must demonstrate they meet the same security standards we have internally."
Family Dollar's partners are also subject to periodic scrutiny by the company or an independent auditor. If their practices jeopardize the company's data or business continuity, it has the contractual right to terminate the relationship.
Similarly, James Pu, information security officer for the Los Angeles County Employees Retirement Association, who is also a certified IT auditor, borrows a tactic President Ronald Reagan used to enforce nuclear arms treaties with the former Soviet Union: Trust but verify.
"Third parties are often required to put their security procedures on paper, but there is never the follow-up to verify. We check up on them," Pu said. "We ask vendors a lot of questions and we limit what they can access. When they come in, we make sure they are escorted." What's more, business partners aren't allowed to connect any computers to Lacera's networks without proper validations and vetting, and they must abide by clear rules governing how data can be used.
If any data or applications are not relevant to a business need, partners don't get access to them. The data or application must be directly tied into whatever initiative -- such as an event -- the two sides are working on together, Pu says.
Larry Bonfante, CIO of the United States Tennis Association (USTA), feels much the same way about giving business partners access to his systems. Financial applications are locked down. Partners also can't access parts of the network where customer data is housed. Under those conditions, he feels pretty safe about sharing other parts of the network.
"There's always some concern, but we work with our partners to ensure things like encryption and password protection" are used, he says, adding that data flowing between USTA and its partners is encrypted. That way, it's indecipherable and therefore useless to a rogue outsider who tries to access it.
Ken Pfeil, CSO for a large New England-based mutual fund company, said that to ensure secure business partnerships, companies need to get security personnel involved before business leaders choose who will provide third-party services. Security experts will eye potential partners' security controls more carefully than, say, the events and marketing people who identify and pursue these partners would. Security practitioners are also more likely to insist that partners give each other a detailed tour of their security operations.
Pfeil said he is a stickler for cut-and-dried contract terms. "Security must be in the language. How will authentication be handled? How will data be handled in motion and at rest? Which side is responsible for which controls? You must answer all these questions," he says.