In the resulting discussion on Twitter [read it here], Ed Smiley and I centered on how the same concept could apply to security. Specifically, we explored the potential of a similar audit to start valuable conversations with third parties.
The perceived challenge is when the third party just expects the larger company to dictate security to them. In essence, they want someone else to build their security program.
But what if we did just that?
What if we freely handed out not just advice, but actually provided *consulting* to them? More than an audit and a conversation: our experience and insights, in the form of samples, examples, discussions, and hands-on help, offered to the third parties we rely on so they can improve their security processes.
Five reasons this increases your value
- Build better relationships: the effort to educate and help valuable partners improve their security programs builds better relationships. From internal sponsors to partners, and even within the broader community, stronger relationships and open communication improve security for everyone.
- Conduct a better assessment: Using the audit as a demonstration of basic skills leads to a better assessment. It moves toward relying on evidence and discussions to provide context, rather than on surveys and checklists.
- Build better security: This works in both directions. The evidence-based approach to assessing the third party allows the right guidance to reduce the risk of working with them. It also reveals how to improve internal security controls and processes to further reduce risk.
- Increase the capability of the team: expose your team to consultative approaches, different business models, and a range of security challenges. In turn, that improves security for the business.
- Demonstrate value to the company: What better way to demonstrate value than to ease the process of working with partners where everyone increases their knowledge of security? This approach to due diligence leads to improved communication and the opportunity to make better decisions.
This approach does come with some challenges.
- Shifting the team to a consultative mindset: this takes effort, but once the team makes the shift, it often improves overall effectiveness.
- Liability: offering advice on security issues increases the potential liability on the company. This is a great opportunity to *partner* with corporate counsel to find a solution that protects the company while still allowing it to engage with the third party.
- Responsibility: does the third party take responsibility to make this work, or are they signing on just to score the contract?
This approach is designed as a starting point to improve security and build stronger relationships. It still requires continuous monitoring, and regular enforcement of contract provisions remains important.
Evidence from the field
I've worked with companies that provide this service to their vendors. The companies view this approach as a way to get a better evaluation, reduce their risk, and expand their reach/visibility. They report a minimal rise in workload (over a regular third-party evaluation) and warm reception from vendors.
Our success is predicated on our ability to support the business. Change the perception of the team and earn respect as someone actually working to make a difference.
Be the team that provides recognized value.