
Vendor Risk Management: The End of “SMB Information Security”


A quote in an article I read years ago about a very successful investor (it might have been Warren Buffett) seems incredibly relevant to me today. It went something like: “The average investor reads an interesting news article about a significant trend or issue and asks, ‘What is the impact of this news?’ An astute investor reads the same article and asks, ‘What are the implications of this news?’ It is only through tracing these implications to their logical end that the real impact can be determined.”

Fast-forward a decade: several years ago we were smart enough to read the tea leaves and see a growing trend toward third-party attestation of information security for vendors/partners handling sensitive data on a client’s behalf. Pivot Point Security was one of the first US firms to actively promote ISO 27001 in response to this trend — which has paid off handsomely, as we are now a leader in providing ISO 27001 pre- and post-certification consulting/assessment services.

Now, as we look at this issue more deeply and trace the implications to their logical end, they are turning out to be even more notable and significant than we initially imagined:

  • Bigger companies have begun to perform “due diligence” (e.g., Vendor Risk Management) on the companies they outsource to, which are largely smaller companies (e.g., SaaS vendors, data processors, hosting providers, etc.).
  • As Vendor Risk Management Programs (VRMPs) evolve, the level of due diligence evolves as well, driven by principles of continuous improvement, enterprise risk management, and continued breaches despite initial due diligence.
  • VRMPs end up imposing fairly notable security requirements (e.g., Shared Assessments, ISO 27001, SOC 2) on their partners/vendors.
  • Eventually the expectation becomes that the security infrastructure/maturity of the vendor/partner be effectively equivalent to that of the customer. At that point there is no difference between Enterprise Information Security and SMB Information Security.
  • As SMB vendors/partners are forced to implement Enterprise Level Security, their costs skyrocket.
  • As VRMPs need to validate that vendors/partners have Enterprise Level Security, the cost to implement and operate the VRMP skyrockets.
  • As VRMP costs skyrocket, bigger companies make a concerted effort to reduce the number of “approved” vendors to control these costs.
  • Well-funded, well-connected SMB vendors successfully implement Enterprise Level Security and, as they become providers of choice, establish significant barriers to entry for other SMBs.
  • Less well-funded, later-to-the-game SMBs eventually abandon the Enterprise markets.
  • As SMBs are forced to apply the same standards to their own vendors, the requirements for providing services to much of the SMB market and to the Enterprise market become the same.

I think we are further along the above continuum than most people would think. It’s pretty clear that VRMPs have gone mainstream and that most entities providing business services relating to sensitive data (e.g., PHI, PII) understand that the price to play is (or will soon be) more advanced forms of attestation (e.g., ISO 27001, SOC 2).

What opened my eyes was sitting in on the execution of a VRM audit of one of our clients last week by a Fortune 100 firm. Despite the fact that our client has fewer than 100 employees, there was an expectation that they would be operating password vaulting, SIEM, NAC, and both network and host intrusion prevention. During a break, I had a chance to talk to the F100’s auditor about the “implications” of their approach. In short, he concurred and acknowledged that they were looking to reduce the number of vendors/partners they were using by more than 50% over the next few years. FedRAMP is essentially driving the same requirements/conclusions for those providing data services to the Federal Government.

We are seeing this change the conversation with our clients, driving Information Security Strategy upstream into the CXO suite as they reach a point where they need to rationalize Information Security investments against the business risk of losing key Fortune 1000 clients, rather than against the information security threats those investments are intended to mitigate.

The post Vendor Risk Management: The End of “SMB Information Security” appeared first on Pivot Point Security.
