• United States




Vetting third-party IT security partners

Jan 03, 20184 mins

In the last installment of this blog series, “Report from the Field – CISO’s Top Concerns,” we discuss the benefits and risks of using third-party service suppliers.

Tablet with lock showing secure encryption
Credit: Thinkstock

The drive to improve profitability and streamline operations motivates many enterprises to collaborate with third-party businesses, and rightly so. But this can potentially open-up a number of different cybersecurity risks for CISOs to mitigate. Too often third party agreements are spread out across the company with no corporate governance or reporting requirements for risk management. This has potential to subject the company to a form of “friendly fire” should the third party or one of its vendors become the focus of hackers or government investigation. 

In fact, companies are increasingly being held responsible for the actions of their suppliers, vendors, and partners in addition to their own internal activities. A perfect example is the data breach at mega-retailer Target, where hackers tapped into a third-party HVAC company to steal credentials to gain access Target’s network. Or, consider the incident where two security researchers were able to take over a Jeep Cherokee while it was being driven. The researchers exploited a vulnerability in the car’s radio and infotainment system. As Jeep’s owner, Fiat Chrysler Automobiles, does not manufacturer of its own entertainment systems, the situation could be contributed to a weakness in the manufacturer’s supply chain with a third-party partner.

As the above examples point out, the vulnerabilities of an organization’s partners need to be on every CISO’s radar. A robust risk management program that includes due diligence of business partners’ IT operations, with ongoing monitoring activities, is necessary to secure the enterprise.

Third-party cybersecurity specialists can greatly assist with this task, if not take on these responsibilities completely. There is much to consider however in evaluating and selecting a third-party Managed Security Service (MSS) provider because it puts the company’s security posture in the hands of an outside entity.  The fact is, using a third party to provide cybersecurity services essentially means that you are not only extending your risk to that company, but taking on the additional burden of managing that company as well.

Consequently, CISOs need to perform in-depth due diligence so they have a comprehensive understanding of the outsourced MSS provider. A service provider specializing in the financial industry may not be a good fit for a healthcare company. There are various industry standards that CISOs can use to establish their own evaluation criteria including: confidence in the potential supplier’s reliability and expertise; proven ability to deliver the required protections; viability and scalability for future expansion of services; portfolio of managed services; as well as their internal cybersecurity practices and programs. The last thing any CISO would want to address with management is how their external cybersecurity partner was responsible for a network breach.

Second, based on your category of business, what regulatory requirements does your organization need to maintain compliance? The third-party solution provider you select needs to meet those regulatory requirements, and be extremely well versed in the nuances of your business regulations. Due diligence at the evaluation stage can potentially save costs and time, and provide the CISO with peace of mind.   

Once a third-party managed security service provider candidate has been identified, there are several ways that CISOs can ensure that neither party is taking on more risk than they should, and has proven experience and success. References are a good place to start, followed by a Service Level Agreement (SLA) with language that specifically addresses the security controls that your supplier must maintain. Do you need 24 hour monitoring, for instance or specific skills or experience? A SLA should also include your right to audit the third-party service provider, and a requirement that they report any incidents or internal breaches they experience. It is necessary to also include all privacy issues, especially if you are a global company that is doing business with the European Union. Other mitigation strategies include requesting third-party certifications and audit reports, such as ISO 27001 (from the Information Security Management Systems Requirements from the International Organization for Standardization) and SOC-2 Audit Report which provide validation that your supplier’s security controls are in place and functioning correctly.

Working with third-party cybersecurity specialists is definitely a smart way to optimize business processes and reduce costs while optimizing protections. In addition, the services provided by a third party source will free-up internal cyber security and IT staff so they can focus on overall operations and delivering the highest levels of service to your organization and its clientele. But due diligence is essential to ensure that you select the best partners possible.


John Petrie is Chief Information Security Officer of NTT Security, responsible for information security strategy and security program management. Prior to NTT Security, Jon held senior information security and consulting roles at IBM, Harland Clarke Holdings Corp, and the University of Texas Health Science Center, San Antonio.

A graduate of the Defense Intelligence College, he maintains ties to the intelligence community as a charter member of the Marine Corps Intelligence Association.

The opinions expressed in this blog are those of John Petrie and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.

More from this author