No organization exists in a vacuum. As much as we’d like to think that the internal security measures we’ve put in place are enough to keep us safe, the reality is that internal security is just one piece of the security puzzle. Every organization relies on other organizations – whether its an email provider, a server farm or the cafe that caters your Friday lunches. If your security efforts don’t extend to the other organizations and services you rely on, you’re in big trouble.
In the past decade, a number of organizations have been rocked by unforeseen supply-chain vulnerabilities and breaches. Some of the biggest companies in the world have fallen victim due to vulnerabilities from their vendors.
Vendor security must be addressed just like any other element in organizational security. If you’re going to slack off on third-party security, you might as well leave the doors to the office unlocked at night and set everyone’s passwords to 1234567. Investing in internal security and ignoring the security vulnerability is like padlocking your front door but leaving a window open. Vulnerability is just that, a vulnerability; and third-party vendors can be a significant one.
Like every other company, AppsFlyer doesn’t exist in a vacuum. AppsFlyer’s products have third-party integrations and we employ vendors for internal services across multiple departments. In many ways, vendor security management plays a critical role in AppsFlyer’s overall security positioning, and thus requires the appropriate attention from our security team.
In this piece, I’m going to cover the steps and measures you should take before taking on a contract with a new third-party vendor.
From the security perspective, there are 3 steps you need to take
- Risk assessment
- Prioritization, automation, and visibility
- Continuous monitoring
Here we go.
Preface: Are all 3rd parties created equal?
Different vendors, different risks. The cafe that caters Friday lunch doesn’t pose the same kind of security risk as the company that maintains your email system.
With limited security resources, it’s critical to know where to invest your efforts. Knowing which vendors require more in-depth vetting than others is the first critical step when considering a new third-party service. Risk assessment is the name of the game here. As your organization scales up and resources become even more limited, risk assessment will help you determine where and how to direct your security efforts without depleting your resources.
1. Risk Assessment
Risk assessment is a key element in any information security program. Part of the risk assessment program at any organization is identifying potential risks that may stem from the reliance on 3rd parties.
To perform a thorough risk assessment, there are a few main questions you need to address:
- Will the vendor have access to sensitive information?
- What problem is the vendor coming to solve?
- Does the company have something similar already?
I can’t give you an if/then flowchart for answering these questions or a sliding scale to live by. Each company’s specific infrastructure and needs set the tone for risk assessment. Risk assessment processes will eventually save you some time and effort down the line and the questions will become easier to answer.
Once you’ve established the answers for these 3 questions can help you to navigate your decisions and prioritize them.
Your security requirements should be stipulated in the legal contract you sign with the vendor. It will help to speed up the vendor security assessment process by centralizing your requirements in one format.
In my career, I have seen many vendors try to bluff their way to good answers on a vendor security questionnaire. You need to make sure that the discussion is held with the security team present so that the direct questions that need to be asked are addressed and an open and professional discussion can be held.
Finally, if vendors flat out refuse to agree to certain provisions or requirements, that’s a potentially useful signal as to their overall commitment level to security, as well as to what risk areas to dig into further.
2. Prioritizing decisions, automating the process and providing visibility
Slowing down processes, closing the gates and acting all hush-hush about your security processes is not the way to go.
AppsFlyer’s security approach is one of agility, and it has proven itself useful as we’ve scaled up. By maintaining constant contact with the various departments, we address security questions without slowing down processes (or, in the very least, doing our absolute best to not be the bottleneck). The “gates” need to remain open, with someone on guard duty at all times.
Of course, this doesn’t mean that we abandon all processes, but if we determine the risk from a certain vendor to be very limited, we see no reason for additional security checks.
Automating the process
Try to automate the process as much as possible. This could mean buying software that helps manage your risk assessment processes and relationships with vendors (just remember to vet the software vendor first, wink wink).
This will allow your team to scale and this will reduce the friction that different teams have from waiting to answers that the security team need to provide.
Make sure the processes and reasoning behind them are clear; not only internally to the security team, but to the employee or team asking to hire the vendor, as well as the vendor itself. Make sure that everyone involved is updated on the status of the request and what gaps or issues exist (if any).
3. Continuous monitoring
Security is fluid, it is never static. Ongoing, continuous monitoring is crucial to your company’s security health.
Organizations evolve; they get acquired and transfer their data to another company, change their standards or move their headquarters. If a vendor you’re working with gets acquired, for example, the vetting process must start over from scratch; you’re essentially evaluating a whole new vendor. Stagnant waters reek; make sure you’re continuously reevaluating the vendors you’ve already hired.
Making security part of your organization’s DNA
Third-party risk is just one of many elements when it comes to your organization’s security efforts. Putting security at the forefront of every stage of innovation and growth means you’ll always be one step ahead when it comes to risk mitigation.
Manage the 3rd party risks; don’t let them manage you.
Watch as our very own CEO Oren Kaniel discusses 3rd party risk, one of the 4 pillar elements of a mission-critical marketing platform.