Is your security partner your weakest link?

How can you be certain your choice of security partner is safe and reliable?

Selecting your organisation’s cyber security partner is a daunting exercise under the best circumstances.

It’s always scary when you’re giving the keys to your corporate defences to an outsider. But as the complexity of cyber security management grows, it’s hard not to seek outside help as trusted allies in the fight against malicious attacks.

For some companies, a managed security services provider (MSSP) is the most cost-effective choice because the MSSP guarantees scalable resources and expertise to meet any eventuality. Still, it’s prudent to invest in independent, ongoing risk management to maintain oversight and control.

Meanwhile, there are organisations that have the maturity and resources to exceed what an MSSP can provide, but they also recognise the ongoing investment costs they will bear on their own.

Ultimately, choosing an MSSP versus deploying in-house security is a matter of strategy, not just tactics. It’s a choice between investing in security staff and tools in-house and investing in a partner whose primary focus is deploying security solutions that fit a larger target audience.

Whatever the case, it’s nearly impossible to do business today without working with partners in some capacity. Here are five best practices for proper cyber security in partner relationships.

1. Know What Assets You Are Protecting

Before sourcing a security partner, your organisation needs a clear understanding of the data it has, who has access to it, where it resides and how sensitive it is. At a bare minimum, you should be able to account for all the organisation's mission-critical and sensitive data. Ask the partner if sensitive data is encrypted, and if they have a data loss prevention plan and tools to implement it.

2. Police the Shadow IT

Often, new services (shadow IT) are added without the IT department’s knowledge. For example, it is not uncommon for staff to procure a SaaS application and pay for it through a project budget because they can’t wait for the IT department.

So, now the organisation has additional services whether it wants them or not. You must have a strategy for addressing shadow IT because you cannot secure data outflows from these shadow services if you are unaware of them.

3. Decide On How Success Should Be Measured

Establish mutually agreeable benchmarks to assess your security partner’s performance. Fair and balanced metrics will provide the appropriate business context and set clearly defined, positive and negative performance thresholds.

Be consistent in collecting and processing the data so you have a historical perspective of how the partner has been performing. Ensure your legal department signs off on the metrics.

4. Address Risk In Your Contract

Even when metrics are in place, it’s important to address the risks in the contract with your cyber security partner. You must stipulate consequences for failing to perform and the expected remediation. These can include:

  • Software maintenance and accountability
  • Vetting compliance and regulatory requirements
  • Conducting regular audits

Including such ‘risk’ clauses will ensure there are incentives for the partner to effectively implement and maintain appropriate security controls and capabilities.

5. Audit Your Partner

Audits are powerful tools to keep your security partner relationship in check. There are independent companies that can do this for the organisation, or your IT team can develop its own process.

As with overall metric collection, consistency is key in your audit. Use a simple five-point scale to score your audit responses and take steps to compare and gauge the consistency of your partner’s behaviour.

Interested in learning what Singtel as an MSSP can do for your business? Speak to our advisor today.