Supplier Security Governance: Time to tackle it head on

Supplier Security Governance 23rd Nov 2015

Supplier Security Governance: A risk and business-centric approach

The link opens a PDF of slides from a presentation I recently gave to Manchester University IT Governance and Computer Science masters students.

It presents a high-level view of the justifications, practical risk-based guidance, and desired outcomes for a holistic approach to governing information security for third parties: an approach that scales from startups determined to begin with good security practice to corporates that decide it is high time to backfill the required controls.

The plan is to twin these slides (geared to a non-specialist audience) with words to demonstrate the depth and strength hidden behind apparent simplicity.

The Business Case Underlined

The timing of sharing these slides is fortuitous, as it coincides with this article by James Christiansen, Vice President of information risk management at Optiv. Below is an excerpt, but the whole of this excellent piece describes a reality I have been passionately championing with businesses and peers for a number of years.

“Third-party risk management is not just an IT function. CSOs who “own” risk management must elevate their sights beyond their department to understand the full scope of their new role. The increasing investment in mission-critical applications by departments outside of IT—so-called shadow IT—is making the problem worse. If you don’t know about it, you can’t manage it.

Of the…thousands of vendors, partners, and contractors an organization works with, only a small percentage are within IT. There are, in fact, many others—HVAC suppliers, custodial, electricians, maintenance, and so on—that all have to be accounted for. We know too well how devastating it can be to overlook seemingly innocuous vendors.

…CSOs need to meet the challenge of third-party risk management head on. It’s time to execute on a larger risk strategy: managing the risk posture for your organization. This job is bigger than any single department—for any single company, in fact. Security and risk professionals across all industries must unite, accept standardized security assessment reports, and create innovative solutions to address the growing threat of vendor risk.”

I couldn’t feasibly agree more.
