Although the signal was sometimes difficult to decipher, one message that cut through the noise at RSA Conference 2016 was that security companies today are selling their expertise as well as the capabilities their software offers—rather than focusing on selling products and solutions. As I walked past each booth, a large number of them appeared to be selling features that belonged within a solution offered by a ‘bigger’ vendor in a booth three rows over.
Given this observation—coupled with numerous conversations with speakers and attendees throughout the week—I expect we’re about to see some consolidation in the security industry.
Additionally, I expect we will continue to see some software firms invest in companies/teams in order to acquire the solution capabilities/expertise they want. Others may choose to invest as part of a venture capital team (Dell Ventures, for example) in order to have more leverage as a strategic partner down the line.
Digging deeper in the conversations heard during keynotes, panels and sessions, one of the discussion topics that particularly caught my attention was the desire to measure—and possibly even manage—the security risk (and postures) of third-parties. This was definitely a hot topic during RSA Conference 2016.
One panel member I saw focused on the need to embrace risk-based programs overall, suggesting that CISOs need to find the tools that help build trust with their third-party security vendors. As the trust evolves, so too will the business relationship.
Another member of a CISO panel I attended described how his company requires software vendors to complete an online procurement questionnaire when a business unit wants to buy their software. The vendor has to fill out the questionnaire to demonstrate their security and compliance posture. This CISO doesn’t tell the business unit managers that they can’t use the software if it is the only one available for a particular business process, but he warns that his infosec team will need to engage in additional (layers of) assessments and apply additional controls as a means to identify and plug any security holes associated with that vendor.
Another CISO warned that some vendors may not manage their employee directories and related access rights with the same level of due diligence you would expect. Some companies may have a large employee base with many people who have access to office buildings, systems, applications, and data. It can be an enormous task to see how many people have access—in some cases, these vendors could still grant access to people who no longer work for the company.
Other panel members talked about seeing a shift—from sending a blanket survey to all of their third-party vendors—to a process whereby their vendors are categorized and layered based on which ones they care about most from a risk perspective. They look at which vendors have access to critical data and could represent a catastrophic event if that data was breached through that third party.
The riskier the vendor, the more due diligence is required, usually in the form of additional inquiries, automated technical assessments, and deep-dive onsite assessments. For some firms, there are simply too many third parties on the vendor list to assess all of them.
Just because it’s tedious doesn’t mean it’s not important. Assessing third-party security postures is crucial given today’s threat landscape and the realities of today’s network infrastructures. There’s no longer a perimeter—data and users can be anywhere. And third-party vendors are part of that environment.
Enterprises thus have to look at how their partners access their systems and data, and then deploy intelligence around that access to identify security risks. Many are looking for ways to automate this process. Fortunately, there are companies looking to address this need.
One member of another conference panel liked the idea of automated continuous assessments of third parties to constantly measure security postures across the board. The caveat here, however, is that technologies that can do this may report a score that changes, which could drive a company’s cyberinsurance carrier to change its position on their client’s policy.
The positive side of this, however, is that organizations can see the trend of how well their vendors are managing their security posture over time. It would be good to know that your entire vendor pool is improving in their overall risk posture (risk score)—this ultimately equates to lower risk for your business.
I also heard that it is difficult for organizations to draw a line from an investment in a particular security technology to the amount of risk it reduces—the industry can’t really answer this question right now, though I did come across some non-security companies looking to address this risk-analysis process.
There’s also now an increased focus on third-party contracts, which can include enhancements to the language surrounding the right to audit and the addition of the requirement to provide cyberinsurance breach coverage. When it comes to cyberinsurance, insurance companies underwrite the contractual exposure. If it seems as though a company has “bad” security, they can simply write their way out of it and find that they’re good in terms of coverage. I don’t know how long this will (can) last.
I also heard some panelists warn that small companies remain prime targets for hackers. That’s because they have fewer information security resources and less funding; they are forced to pick and choose between business and security.
While a large company may be able to weather a threat storm, hackers recognize the resource limitations of smaller companies and will readily target and penetrate them, which could wipe out a small company. The breach could also give hackers access to any systems and data the third-party business partner holds on behalf of its larger business partners; credentials compromised at the third party effectively give the hacker access to that company’s business partners’ systems and data.
Cyberinsurance is a closely-related topic to third-party risk and the business contracts that define these relationships. I did a lot of research on the cyberinsurance space while at the RSA conference and will soon have a separate article dedicated to this topic—stay tuned.
Finally, given another observation related to mergers and acquisitions, I also heard talk about the cyber risk associated with these transactions as well. It is yet another, albeit slightly different, take on the third-party risk topic.