Outsourcing: 'Throwing out the baby with the bath water'
Despite recent privacy legislation (e.g. GDPR, CCPA, etc.) and the reality that cyber criminals have identified suppliers as the 'weakest link', I'm still flabbergasted at the apparent apathy that businesses apply to 3rd party management.
When I was 1st introduced to the concept of Risk Management, the use of 3rd parties became an integral part of the risk mitigation tactics (5 Ts):
Take the opportunity
As a business, if you are faced with an issue that presents a danger or risk to your operations, you are faced with 2 main options:
Often the latter option (Transfer & Take the opportunity) appears to be the most convenient and attractive, negating the need to pay for additional technical controls and resources. However, it comes down to more than just finding a supplier and paying the fees.
Think of outsourcing as like trying to find a suitable 'Daycare'/'Nursery' for your child.
Careful selection requires lengthy market sampling, speaking to existing customers and carrying out due diligence on the supplier. A business should never, ever take the supplier's word at face value, and should make sure that sufficient due diligence is carried out before whittling the market down to a shortlist of 3 preferred suppliers; this may take several months!
Having selected your 3, the next thing to do is to estimate what it would have cost you to choose option 1 and carry out the service yourself. This is your benchmark!
Next, make sure that the contract is robust, so that it clearly states your expectations and the repercussions for the supplier failing to fulfil their obligations and provide you with the service that you are paying for. Most importantly, if they are supporting your sensitive data operations, make sure that the contract includes their obligations to safeguard the data being shared with them, and ensure that you have included compromise notification (loss of service, loss of data, etc.). The due diligence may need to be revisited to confirm that the supplier can deliver on its promises to meet its contractual obligations, and if you still have any doubts, ask for a 'Proof of Concept' (it takes a brave person to buy a car without test driving it first).
Remember, your contract is not a 'Wish List'!
Having completed the lengthy process of selecting, evaluating and onboarding your new supplier, you have entered into a mutual relationship. They are helping your business and you are helping them with theirs. However, the larger the supplier's customer base, the greater the challenge of feeling that your business matters, and for the start-up supplier, are they capable of meeting the capacity challenges? Of course, it is in the interest of your supplier to ensure that you're still content with the service you're receiving, but often the relationship can be likened to a teacher's relationship with their class. They are focused on the noisy or misbehaving children and don't realise there's a problem until their 'quiet' students' grades start to drop, or they are faced with the angry parents.
Option 2 may seem to be the easiest choice, but in reality it only transfers the service function and NEVER transfers the responsibility. If you fail to make the right choices, or do not maintain that working relationship and governance of the supplier, the blame stops with you.
In the event of a breach, your customers will always see it as being your responsibility.
A common mistake made by retailers, within PCI DSS, is to assume that they have NO RESPONSIBILITIES in regard to compliance if their business has fully outsourced the processing, transmission or storage of customers' cardholder data to a 3rd party supplier. If you are a merchant receiving funds as a result of your customers making payments by credit/debit card through outsourced services, you are still accountable. Consequently, PCI DSS includes a full control section focused on the use of 3rd parties (12.8, requirements 12.8.1 - 12.8.5) and, for the smaller merchants, a dedicated self-assessment questionnaire (SAQ A).
Start to take outsourcing seriously and dedicate sufficient effort, time and resources to managing this relationship. The use of 3rd party suppliers can be extremely detrimental to your business, so it is essential that you have sufficient, and ongoing, reassurance that the services being provided continue to meet your expectations.
If you are unsure as to how to effectively manage your 3rd parties, may I suggest that you obtain a copy of ISACA's Vendor Management guide. This will provide you with some industry insights to help you evaluate the effectiveness of your 3rd parties, keeping your services operational (avoiding costly outages) and your sensitive data safe. It includes some very useful appendices:
Vendor selection dashboard
Call for tender template
Call for tender checklist
Drafting the contract: High-level legal checklist for non-legal stakeholders
Example contract template
Continue to review the relationship, periodically evaluate the market and do not be afraid of changing suppliers. In the PCI DSS world, it is common for a business to become 'comfortable' with their PCI DSS support services (e.g. QSA, ASV, Penetration Testing, etc.).
However, in reality, would you consider only ever visiting the same car dealer and only ever considering the purchase of the very same make & model of vehicle?
If the protection of your customers and your business' reputation are important to you, it is just as important to ensure that your supporting information systems and data life-cycles are as robust in 'outsourced' operations as they are in 'in-house' functions. Failure to devote sufficient effort to ensuring the safe and secure use of 3rd parties can be likened to throwing out the baby with the bath water.