The security management of SaaS and Cloud providers is an essential element of a company’s cyber security strategy. The problem is that many companies don't even know how to start assessing these providers. Even if they do, it’s hard to scale an actionable program. However, a well-planned program will easily and quickly provide transparency into vendors’ security while facilitating significant improvements in your company’s own cyber security posture.
By attending this webinar, attendees will learn how to:
● Tier provider evaluation based on the inherent risk/criticality of each relationship;
● Achieve transparency into your providers' security practices;
● Implement compensating internal controls when the providers don't have or won't reveal their own;
● Collaborate with your providers to ensure success in the remediation process;
● Create KPIs to help manage and improve the process and demonstrate achievements.
Slide 2 (Confidential)
Why Manage Your Cloud and SaaS Providers
● Increase in Cloud apps
○ The average organization increased its usage of cloud services by 15% from last year.*
○ The amount of sensitive data shared in the cloud has increased 53% YoY.*
● Shadow IT
○ In 10 years, 90% of IT dollars will be spent outside of the IT organization.**
● Providers as a threat vector
○ 59% of organizations experienced a data breach caused by one of their third parties.***
● (Lots of) New Regulations
○ GDPR, NY DFS, NY-SHIELD, CCPA, Hawaii, Maryland, Massachusetts, Mississippi, Nevada, New Mexico, New Jersey, North Dakota, Rhode Island, Texas and Washington.
* Cloud Adoption and Risk Report, McAfee, 2019
** Three Benefits of Shadow IT - and How to Harness Them, ServerCentral
*** Data Risk in the Third-Party Ecosystem, Ponemon, Nov. 2018
Slide 6
The Problems with Tradition
1. There’s no context to the questionnaires
2. You don’t have the resources to scale to demand
3. You don't know the real security state of your providers on Day 1, let alone on Day 60.
4. The provider has a security gap… what do you do?
Slide 8
How Does the Provider See It?
The 10 excuses of providers
1. The dog ate my questionnaires
2. The font was too small
3. You sent it as a Google sheet? We restrict access to Drive.
4. It was sent as an attachment. Must’ve been filtered out.
5. The questionnaire never got to the right person
6. The questionnaire was too long
7. The questionnaire has nothing to do with my business
8. If I ignore, will you really not hire me?
9. I found an issue, what do we do?
10. Our technical manager went on vacation. Already a year ago.
Slide 11
Issue #1: You Need Context
Define the relationship - Consider*:
● Business sponsors
● Which data is involved
● How the data flows
● What you’re using the data for
● Who will have access
● Do they use sub-contractors
* Defined by Ron Peled, former CISO, LivePerson, founder ProtectOps Security
For more info, see here: https://blog.panorays.com/context-in-your-third-party-security-process
Slide 12
Issue #2: You Need Visibility
● Analogy: If a restaurant has dirty windows, how clean do you think the kitchen will be?
● Combine questionnaires with external scanning for an in-depth read on the company's cyber posture
● Effective tool for continuous monitoring
● Review on a policy-driven cadence
Slide 14
Issue #1: You Need Your Providers to Stop Giving You Excuses
● Give context also to your suppliers
○ Make questionnaires as short and relevant as possible, based on the business relationship
● Give your suppliers an understandable, actionable remediation plan
Remediation Recommendations
Fair > Very Good
Fastest Impact: The supplier needs to remediate 2 critical findings:
○ Make sure that an open external database is closed.
○ Make sure that an open DNS zone transfer is closed.
Slide 15
Polling Question: How do you share findings with your providers?
○ We don't share findings
○ We communicate on them via email
○ We communicate through a dedicated risk platform
Slide 17
Step by Step to Building Your Program
1. Identify stakeholders
2. Define tiers for the provider portfolio
○ Inherent risk profile based on the unique business relationship
○ Define the security policy for each tier
3. Define the standard of care for each tier
○ Review methodology
○ Frequency of repeat reviews
○ There's an alert… what to do?
4. Focus on providers that don't adhere to policy
○ Remediate?
○ Implement compensating internal controls?
○ Fire them?
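The tiering, standard-of-care and "what to do when a provider misses policy" steps above, worked as an added example in Python. This is code written for this page, not the presenters' or any vendor's tool; the context attributes follow the "Define the relationship" slide, while the score weights, tier thresholds, review cadences, rating scale, decision rules and the sample portfolio are all assumptions constructed for illustration.

```python
# Added example: tier a provider portfolio by inherent risk, derive the
# standard of care per tier, decide the next action for non-compliant
# providers, and roll the results up into KPIs. All weights, thresholds,
# cadences and sample providers below are assumptions, not the webinar's policy.
from dataclasses import dataclass
from datetime import date, timedelta
from enum import IntEnum


class Tier(IntEnum):
    CRITICAL = 1
    HIGH = 2
    MEDIUM = 3
    LOW = 4


RATING_ORDER = ["Poor", "Fair", "Good", "Very Good"]      # assumed scale, worst to best
SENSITIVE_DATA = {"PII", "PHI", "financial", "credentials"}  # assumed data classes
DATA_FLOW_WEIGHT = {"none": 0, "outbound": 1, "bidirectional": 2}  # assumed labels
ACCESS_WEIGHT = {"none": 0, "read": 1, "write": 2, "admin": 3}


@dataclass
class Provider:
    """Context attributes from the 'Define the relationship' slide."""
    name: str
    business_sponsor: str
    data_classes: frozenset   # which data is involved
    data_flow: str            # how the data flows (DATA_FLOW_WEIGHT key)
    access: str               # what access the provider gets (ACCESS_WEIGHT key)
    uses_subcontractors: bool
    security_rating: str      # latest assessment result (RATING_ORDER value)
    last_review: date
    responsive: bool = True   # did the provider engage with the last request?


# Standard of care per tier: review cadence, minimum acceptable rating and
# review method. Assumed values for illustration.
STANDARD_OF_CARE = {
    Tier.CRITICAL: {"review_days": 90, "min_rating": "Very Good",
                    "method": "questionnaire + external scan + evidence review"},
    Tier.HIGH: {"review_days": 180, "min_rating": "Good",
                "method": "questionnaire + external scan"},
    Tier.MEDIUM: {"review_days": 365, "min_rating": "Fair",
                  "method": "short questionnaire + external scan"},
    Tier.LOW: {"review_days": 730, "min_rating": "Poor", "method": "external scan only"},
}


def inherent_risk_score(p: Provider) -> int:
    """Additive score (0..9) over the relationship's context attributes."""
    score = 3 if p.data_classes & SENSITIVE_DATA else (1 if p.data_classes else 0)
    score += DATA_FLOW_WEIGHT[p.data_flow]
    score += ACCESS_WEIGHT[p.access]
    score += 1 if p.uses_subcontractors else 0
    return score


def assign_tier(p: Provider) -> Tier:
    """Map the inherent risk score to a tier (thresholds are assumptions)."""
    score = inherent_risk_score(p)
    if score >= 7:
        return Tier.CRITICAL
    if score >= 5:
        return Tier.HIGH
    if score >= 3:
        return Tier.MEDIUM
    return Tier.LOW


def meets_policy(p: Provider) -> bool:
    """Does the provider's current rating reach the floor set for its tier?"""
    floor = STANDARD_OF_CARE[assign_tier(p)]["min_rating"]
    return RATING_ORDER.index(p.security_rating) >= RATING_ORDER.index(floor)


def review_overdue(p: Provider, today: date) -> bool:
    """Has the tier's re-review cadence elapsed since the last review?"""
    cadence = timedelta(days=STANDARD_OF_CARE[assign_tier(p)]["review_days"])
    return today - p.last_review >= cadence


def next_action(p: Provider) -> str:
    """Step 4: a responsive provider gets a remediation plan; an unresponsive
    one gets compensating controls on your side (less access, your own portal).
    The escalation rule for critical-tier, Poor-rated providers is an assumption."""
    if meets_policy(p):
        return "monitor"
    if p.responsive:
        return "remediate"
    if assign_tier(p) == Tier.CRITICAL and p.security_rating == "Poor":
        return "escalate: compensating controls now, consider replacing the provider"
    return "compensating controls"


def kpi_summary(providers, today: date) -> dict:
    """Step 5: the numbers for a quarterly dashboard."""
    tiers = {t: 0 for t in Tier}
    compliant = overdue = 0
    for p in providers:
        tiers[assign_tier(p)] += 1
        compliant += meets_policy(p)
        overdue += review_overdue(p, today)
    return {"total": len(providers), "critical": tiers[Tier.CRITICAL],
            "high": tiers[Tier.HIGH], "medium": tiers[Tier.MEDIUM], "low": tiers[Tier.LOW],
            "pct_compliant": round(100 * compliant / len(providers), 1) if providers else 0.0,
            "reviews_overdue": overdue}


# Constructed sample portfolio (hypothetical providers, not real companies).
SAMPLE = [
    Provider("payroll-saas", "HR", frozenset({"PII", "financial"}), "bidirectional",
             "write", True, "Good", date(2019, 9, 1)),
    Provider("marketing-analytics", "Marketing", frozenset({"public"}), "outbound",
             "read", False, "Fair", date(2019, 6, 1)),
    Provider("ticketing-saas", "Support", frozenset({"PII"}), "outbound",
             "read", False, "Fair", date(2019, 11, 1), responsive=False),
    Provider("office-supplies", "Facilities", frozenset(), "none",
             "none", False, "Poor", date(2018, 1, 1)),
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(f"{p.name}: {assign_tier(p).name}, policy met={meets_policy(p)}, action={next_action(p)}")
    print(kpi_summary(SAMPLE, date(2020, 1, 15)))
```

The point of the tier lookup is that the cadence and the rating floor come from the tier, never from the provider itself: when a business sponsor reports that the relationship changed (new data class, wider access, new sub-contractor), re-running `assign_tier` is what moves the provider onto a stricter review schedule.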
Slide 19
Step by Step to a Comprehensive Program
1. Analysis
2. Engagement
3. Remediation
○ Vendor doesn't respond -> compensating controls on your end (for instance, less access, portal on your end)
4. Approval
5. Monitoring
○ Add KPIs, historical graphs and benchmarks: sell the benefits of your program internally
Slide 21
Case Study: Sell Your Program Internally
● Insurance company, assessing 200 providers.
● CISO built a provider security program:
○ Kickoff: align the Board of Directors on the need for provider security management.
○ Each quarter: the CISO leverages the Board meeting to include a dashboard on the state of provider cyber-security:
■ How many are critical
■ What is the risk
■ How to ensure providers increase security
■ Compensating controls to decrease risk
● The meeting also sets a bar for the organization's own security posture.
● Self risk assessment leads to a discussion on budget and strategy that the Board is aligned to.
● The organization sees itself also as a provider and so showcases its own cyber posture to its business partners.
Speaker notes
DOV: Bubble metaphor. Hearing from people – privacy regs.
DOV: Point #2: You're one person and hundreds/thousands of vendors.
DEMI: Business sponsors have information you (the IT Risk pro) need in order to understand context.
DEMI: Tier vendors based on risk/criticality – this drives the frequency (cadence) of re-reviews. Stay in touch with the business sponsor – the relationship might have changed!
DEMI: CISO built a provider security program:
○ Kickoff: align the Board of Directors on the need for provider security management.
○ Each quarter: the CISO presents a 2-3 hour, 100-page deck on the security state of the organization, and leverages the meeting to present a dashboard on the state of provider cyber-security:
■ How many are critical
■ What is the risk
■ How does the organization ensure the providers increase security
■ Compensating controls to decrease risk
○ Sets a bar also for their own security posture: going above and beyond the rating threshold they set for the providers.
○ Self risk assessment leads to a discussion on budget and strategy that the Board is aligned to.
○ The organization sees itself also as a vendor and so boasts about its own cyber posture beyond internal tests.