The security management of SaaS and Cloud providers is an essential element of a company’s cyber security strategy. The problem is that many companies don't even know how to start assessing these providers. Even if they do, it’s hard to scale an actionable program. However, a well-planned program will easily and quickly provide transparency into vendors’ security while facilitating significant improvements in your company’s own cyber security posture. By attending this webinar, attendees will learn how to: Tier provider evaluation based on the inherent risk/criticality of each relationship; Achieve transparency into your providers’ security practices; Implement compensating internal controls when the providers don't have or won't reveal their own; Collaborate with your providers to ensure success in the remediation process; Create KPI's to help manage, improve the process and demonstrate achievements.

1. Confidential
Managing the
Security of Your
SaaS and Cloud
Providers
1
The Guide to

2. Confidential
Why
Manage
Your Cloud
and SaaS
Providers
● Increase in Cloud apps
○ The average organization increased its usage of cloud
services by 15% from last year.*
○ The amount of sensitive data shared in the cloud has
increased 53% YoY.*
● Shadow IT
○ In 10 years, 90% of IT dollars will be spent outside of the IT
organization.**
● Providers as a threat vector
○ 59% of organizations experienced a data breach caused by
one of their third-parties.***
● (Lots of) New Regulations
○ GDPR, NY DFS, NY-SHIELD, CCPA, Hawaii, Maryland,
Massachusetts, Mississippi, Nevada, New Mexico, New
Jersey, North Dakota, Rhode Island, Texas and Washington.
2
* Cloud Adoption and Risk Report, McAfee, 2019
** Three Benefits of Shadow IT - and How to
Harness Them, ServerCentral
*** Data Risk in the Third-Party Ecosystem,
Ponemon, Nov. 2018

3. Confidential
Traditional Cyber
Security Vendor
Management
3
● One size fits all
● Questionnaires, anyone?

4. Confidential
There MUST Be a Better Way
4

5. Confidential
Polling
Question
For cloud and SaaS providers
that you assess, do you use
questionnaires?
○ Yes
○ No
5

6. Confidential
The
Problems
with
Tradition
1. There’s no context to the questionnaires
2. You don’t have the resources to scale to demand
3. You don’t know the real security state of your
providers on Day 1, let alone on Day 60.
4. The provider has a security gap… what do you do?
6

7. Confidential
How Does
the Provider
See It?
7
The 10 excuses of
providers

8. Confidential
How Does
the Provider
See It?
8
The 10 excuses of
providers
1. The dog ate my questionnaires
2. The font was too small
3. You sent it as a Google sheet? We restrict access to Drive.
4. It was sent as an attachment. Must’ve been filtered out.
5. The questionnaire never got to the right person
6. The questionnaire was too long
7. The questionnaire has nothing to do with my business
8. If I ignore, will you really not hire me?
9. I found an issue, what do we do?
10.Our technical manager went on vacation. Already a year ago.

9. Confidential
It’s 2020
and You’re Still Using
Manual Questionnaires.

10. Confidential
Is Automation
the Answer
to All the
Problems?
NO!
10
1. You need context
2. You need visibility
3. No more providers excuses

11. Confidential
Issue #1
You Need
Context
Define the relationship - Consider*:
● Business sponsors
● Which data is involved
● How the data flows
● What you’re using the data for
● Who will have access
● Do they use sub-contractors
11
* Defined by Ron Peled, former CISO, LivePerson, founder ProtectOps Security
For more info, see here: https://blog.panorays.com/context-in-your-third-party-security-process

12. Confidential
● Analogy: If a a restaurant has dirty windows,
how clean do you think the kitchen will be?
● Combine questionnaires with external scanning
for an in-depth read on the company’s cyber
posture
● Effective tool for continuous monitoring
● Review on a policy-driven cadence
12
Issue #2
You Need
Visibility

13. Confidential
Polling
Question
What kind of monitoring
process do you have in place?
○ None
○ Repeat reviews
○ Vendor self-reporting
○ Scanning
13

14. Confidential
Issue #1
You Need Your
Providers to
Stop Giving You
Excuses
● Give context also to your suppliers
Make questionnaires as short and relevant as
possible, based on business relationship
● Give your suppliers an understandable, actionable
remediation plan
14
Remediation Recommendations
Fair > Very Good
Fastest Impact:
The supplier needs to remediate 2 critical findings:
Make sure that an open external database is closed.
Make sure that an open DNS zone transfer is closed.

15. Confidential
Polling
Question
How do you share findings with your
providers?
○ We don’t share findings
○ We communicate on them via email
○ We communicate through a
dedicated risk platform
15

16. Confidential
Building
Your
Program

17. Confidential
Step by Step
to Building
Your Program
1. Identify stakeholders
2. Define tiers for the provider portfolio
Inherent risk profile based on unique business relationship
Define the security policy for each tier
3. Define the standard of care for each tier
Review methodology
Frequency of repeat reviews
There’s an alert… what to do?
4. Focus on providers that don’t adhere to policy
Remediate?
Implement compensating internal controls?
Fire them?
17

18. Confidential
The Effective &
Comprehensive
Program

19. Confidential
1. Analysis
2. Engagement
3. Remediation
Vendor doesn’t respond -> Compensating controls on
your end (for instance, less access, portal on your end)
4. Approval
5. Monitoring
Add KPIs, historical graphs and benchmarks:
Sell the benefits your program internally
19
Step by Step to a
Comprehensive
Program

20. Confidential
Summary

21. Confidential
Case Study
Sell Your
Program
Internally
● Insurance company, assessing 200 providers.
● CISO built a provider security program:
○ Kickoff: align Board of Directors on the need for provider
security management.
○ Each quarter: CISO leverages the Board meeting to include
dashboard on the state of provider cyber-security:
■ How many are critical
■ What is the risk
■ How to ensure providers increase security
■ Compensating controls to decrease risk
● Meeting also sets a bar to the organization’s own security
posture.
● Self risk assessment leads to a discussion on budget and
strategy that the Board is aligned to.
● Organization sees themselves also as providers and so boasts
their own cyber posture to their business partners.
21

22. Confidential
22
Automated
Third-Party
Security
Lifecycle
Management