When it comes to managing risk, companies have plenty of choices. They can outsource security controls or handle it in house. They can put all their data in the cloud or keep it in their data center. But their relationship with business partners is a lot more complicated.
That's one of the takeaways from the Eighth Annual Global Information Security Survey CSO conducted along with sister publication CIO and PricewaterhouseCoopers. Some 12,847 business and technology executives from around the world took the survey, and many admitted they're somewhat more concerned than they were last year that their own security is threatened because the security of business partners and suppliers has been shaken by the recession.
More than three-fourths (77 percent) of respondents agreed that their partners and suppliers had been weakened by the recession, up from 67 percent a year ago.
"Companies are increasingly dependent on third parties whether they like it or not, and those partners need access to your IT infrastructure and your data," said Mark Lobel, a principal in the advisory services division of PricewaterhouseCoopers. "That's tough when times are good and scary when times are bad." Facing their own business problems, third parties need to cut costs just like you do, and they may slash security controls to do it, he says.
Josh Jewett, senior vice president and CIO for Family Dollar, says the company has taken steps to ensure business partners don't compromise its security. "We hold third parties accountable not only contractually, but also operationally," he said. "They must demonstrate they meet the same security standards we have internally."
Family Dollar's partners are also subject to periodic scrutiny by the company or an independent auditor. If their practices jeopardize the company's data or business continuity, it has the contractual right to terminate the relationship.
Similarly, James Pu, information security officer for the Los Angeles County Employees Retirement Association, who is also a certified IT auditor, borrows a tactic President Ronald Reagan used to enforce nuclear arms treaties with the former Soviet Union: Trust but verify.
"Third parties are often required to put their security procedures on paper, but there is never the follow-up to verify. We check up on them," Pu said. "We ask vendors a lot of questions and we limit what they can access. When they come in, we make sure they are escorted." What's more, business partners aren't allowed to connect any computers to Lacera's networks without proper validations and vetting, and they must abide by clear rules governing how data can be used.
If any data or applications are not relevant to a business need, partners don't get access to them. The data or application must be directly tied into whatever initiative -- such as an event -- the two sides are working on together, Pu says.