Party lines. Since we just finished an election cycle, I am sure you have heard that phrase many times over the last few weeks. However, I am not referring to the propensity of political candidates to stoutly stand for or against a referendum based on their political party. I am actually referring to a long-lost term for local telephone circuits shared by multiple subscribers. Party lines were a standard service offered by early telecommunications companies for many years. For today's modern cell phone user, the idea of sharing a telephone line with multiple people seems absurd. However (according to Wikipedia), the last party lines were decommissioned in 1991, which is not that long ago. Even so, it seems almost inconceivable that, at one time, to telephone someone you had to ask the operator to connect you, and then faced the possibility that someone could pick up another phone and interrupt your call. Believe it or not, that's how it was.
Telecommunications has come a long way and we no longer have to worry about this situation. But I am bringing up this topic because of a similar situation modern companies have to contend with today: the Third Party ecosystem that has become a part of every enterprise. It may not be as bad as sharing a telephone line, but the interconnectedness between companies is becoming more and more complex. And the worst part of it is that many companies do not actually know all of the entities they are connected to for business services, supply chains, infrastructure services and a host of other business purposes. It is like picking up that telephone line and not really understanding who is on the other end, or who could be on the other end.
Vendor Management has become a huge risk area for many companies today. In terms of managing security risks, the constantly growing number of vendors and service providers is an area that IT security functions can no longer ignore. Too many times, the security function finds out about external connections too late in the game or, in the worst cases, after an external party is the source of a significant breach. We have seen it in the news regarding some of the biggest breaches, and it will continue to be a growing problem for IT security. All companies do NOT manage security equally. Smaller vendors, while potentially absolutely critical to your business processes, may be significantly challenged in managing and tightening down security. Therefore, "the weakest link", a staple in the vernacular of security professionals, is exceedingly appropriate in this conversation.
Gartner just released its Magic Quadrant for IT Vendor Risk Management (see my previous blog for more information). The report outlines the importance of managing the lifecycle of vendors for many different reasons. The information security implications are evident and obvious. The domino effect of a security compromise is a threat scenario that should be investigated and analyzed by every security team. Who are you connected to? Who is connected to you? Who are THEY connected to? Where are the access points, and what are the access methods? The list goes on when managing security risks around vendors and suppliers.
Most security functions have included these scenarios in their technical schemes, but given the seriousness of some of the cascading data breaches, this should be an area where security strategies are constantly re-evaluated. Vendor Management is a relevant, high-risk, high-impact area where the security processes should be actively engaged. Unraveling your business connections and realizing you have been compromised due to a "party line" is not what you want in the middle of a serious security incident. Understanding who you are connected to, and the business context around that connection, will allow you to prioritize and address a serious part of the risk landscape.
For more information on IT Vendor Risk Management, see Gartner’s report at: http://www.gartner.com/technology/reprints.do?id=1-23OFWI3&ct=141028&st=sb