I recently attended the EU Cybersecurity conference. One word kept coming up: 'trust'. It is considered the cornerstone of any security strategy. Does that mean security is all about trust?
To work with any other entity, company or institution, some level of trust is needed.
How can trust be achieved? Suppliers always say that they take security seriously. Everybody trusts them because so few of us take security seriously ourselves, perhaps because not many of us really understand what security means! Have you read the 'security statement' of your online bank? You should; you will find it very educational!
Is it enough to tell my partners that I am serious about security? Or that I carefully follow security best practices? No! Which security best practices are we talking about? My clients' or mine? Best practices are not the same for every business or organization!
We have to have the trust of our partners. Without trust there is no business. We could allow them to run a full audit. However, it is simply not practical for a supplier to let every client run an audit whenever it wants, on whatever scope it chooses.
More security-aware organisations require their partners to be certified. There are plenty of security certifications: PCI DSS, ISAE 3402, ISO 27001, etc. Note that these are not all the same kind of evidence: ISO 27001 certifies an information security management system within a declared scope, PCI DSS attests to controls over cardholder data, and ISAE 3402 is an assurance report on a service organisation's controls rather than a certificate. Although a step in the right direction, certification alone is not enough for comfort.
Useful questions to ask:
- Is certification a continuous process (for example, annual surveillance audits, or an ISAE 3402 Type II report covering a period of operation) or a one-shot, point-in-time assessment?
- Is it a well-known and recognized certification?
- What is the scope of the certification? Which systems, sites and services does the certificate or report actually cover, and is the service you are buying inside that scope?
- Is the auditor independent and recognised as reliable?
The answers to these questions will help you understand your supplier's approach to security. There will be grey areas, as even an external auditor cannot audit the entire environment, but you are now in a good position to gauge whether you can trust the certification, and your partners.
What about the areas not covered by any certification?
Should you disregard any supplier without certifications?
Not necessarily! Some areas of your business are less critical, and the level of security required there can be lower.
Before you can trust the relationship, you need to understand your own risks and how your suppliers manage their risks.
I provide information security officer consultancy for multinational clients and governmental institutions. Being as paranoid as any security officer, I am quite relaxed at home enjoying family. My work has led me to work with many different cultures, which I am so happy to meet again during my vacations.
Working in security for so long, I have seen the mentality evolve, but I dream of more. But dreaming is not enough… Let's work on it!