W. Capra was pleased to host this edition of the TEC Roundtable, “Changing Weather Patterns: Managing Supplier Cyber Security Risk in the age of Cloud Services.” The following represents an overview of the meeting discussion and key points.

1. Technology Executives Club
Roundtable / SIG
Cyber Security & Risk Management
“Changing Weather Patterns: Managing Supplier
Cyber Security Risk in the age of Cloud Services”
Meeting Summary
January 29, 2016

2. W. Capra Consulting Group
Topic Overview
1
Addressing the challenges associated with managing
supplier cyber security risk:
 Supplier Visibility – identify shadow supplier
relationships that pose risk to digital assets
 Contracting and Accountability – identify key contractual
elements to ensure disclosure, remediation & recourse
 Measuring Security Effectiveness – assess capability of
existing controls and ongoing security program
 Incident Response Execution – ensure supplier security
incident (e.g., breach) is communicated and handled
effectively and efficiently
 Governance – continual monitoring and periodic review
to ensure effective controls are maintained

3. W. Capra Consulting Group
Discussion Points (1)
2
What’s the most significant struggle managing traditional
and cloud providers in today’s environment?
Predominant View – governance is the key to ensuring suppliers are
maintaining effective security controls.
Leadership Feedback
1. Visibility to the what’s being outsourced remains a challenge – business
stakeholders working outside of IT. Educating the business community
to the importance of IT involvement is key to closing the gap.
2. The ability to verify supplier controls at a detailed level - supplier
services are opaque.
3. Effective governance is required to ensure suppliers are delivering
services in a manner that provides the right protection for information
assets.

4. W. Capra Consulting Group
Discussion Points (2)
3
What security and risk due diligence/validation process do
you utilize when evaluating suppliers? Do you require
certifications (e.g., ISO 27002) or specific controls based on
the sensitivity of data included in scope?
Predominant View – Conducting surveys is the most common approach to
evaluating suppliers. The survey content is a derived from several sources –
National Institute of Standards and Technology (NIST), Cloud Security
Alliance (CSA) and others.
Leadership Feedback
1. Company brand is on the line. When a breach occurs the provider is
not in the headlines, it’s your brand. There has to be a level of due
diligence prior to contracting and throughout the relationship.
2. It’s a challenge to obtain “real assurance” there has to be a level of
trust.
3. Providers delivering industry solutions are beginning to push back on
the level of scrutiny. They have been vetted by many organizations and
point to achieved certification (e.g., ISO, SOC).

5. W. Capra Consulting Group
Discussion Points (3)
4
Does your organization view the risk of public IaaS, private
cloud, private hosted, PaaS or SaaS services differently?
Predominant View – supplier risk associated with SaaS, PaaS and public
IaaS services are perceived to be higher than private (company controlled)
services. The loss of visibility and control is a concern.
Leadership Feedback
1. Data classification influences what is hosted with providers versus
delivered in-house. The most sensitive data is hosted in-house.
2. Public IaaS services continue to improve security and provide more
options for customers to protect data. The key is architecting the
services preserve confidentiality of data at rest and in transit. Avoiding
multi-tenant application and data services is key.
3. In each scenario the same level of thought is required to ensure data is
protected. What shifts is the level of responsibility for applying and
maintaining the security controls.

6. W. Capra Consulting Group
Discussion Points (4)
5
How do you contract to hold suppliers accountable for
maintaining the right level of security? What recourse do you
have when they fall short on their contractual security
obligations?
Predominant View – The contracting process is essential to establishing the
right expectations and holding the supplier accountable for maintaining the
right level of security.
Leadership Feedback
1. Damages – supplier contracts include damages in the event a breach occurs
and company data is exposed
2. Brand exposure – suppliers are not able to disclose the company name in
the event a breach occurs
3. Data sovereignty – supplier must process and store data within a specified
geographical boundary
4. Security controls – company data must be encrypted at rest and in transit
using cryptography that, at a minimum, meets FIPS 140-2 standards

7. W. Capra Consulting Group
Discussion Points (5)
6
How frequently do you audit suppliers? Is there a defined
governance role? What’s the interaction with security?
Predominant View – The consensus view is an annual audit. The role
responsible for this varies across organizations. Security is most often
involved in the process to ensure it is effective.
Leadership Feedback
1. All organizations perform audits prior to contracting and annually
during the relationship.
2. Cloud Security Alliance (CSA) controls matrix is used to guide audit
activities for some organizations
3. The governance role must be more clearly defined in most
organizations. Establishment of Service Manager/Service Delivery
Manager role is needed.

8. W. Capra Consulting Group
Discussion Points (6)
7
How do you maintain visibility of what data is hosted where
within the organization – traditional hosting, public IaaS,
private hosted, private IaaS or SaaS?
Predominant View – The challenge persists throughout most organizations.
Accountability resides within the IT organization but there isn’t a consensus
regarding which role is responsible. The industry response is most often the
role responsible for information/data architecture.
Leadership Feedback
1. Working with internal partners to increase awareness is the key to
maintaining visibility to cloud/sourcing relationships.
2. This is an important issue as data sovereignty is a key issue and the
proper expectations must be established during the contracting
process.
3. Organizations are beginning the assess the effectiveness of Cloud
Access Security Brokers to monitor traffic patterns and identify “rogue”
services.

9. W. Capra Consulting Group
Questions We Didn’t Get
To Ask…
1. How do you validate security incident response processes
(notification/communication, impact analysis, remediation,
response)? How are supplier processes integrated with your
internal processes?
2. Are there any services that you would not outsource to a cloud
provider? For example, mission critical business services or
highly sensitive data (e.g., PCI, HIPAA).
3. How has the increasing Board responsibility for security
diligence impacted management of suppliers?
4. How are compliance requirements integrated with your due
diligence and review processes?
9

10. W. Capra Consulting Group
221 N. LaSalle, Suite 1325
Chicago, Illinois 60601
Security SIG Chairperson:
Matt Beale, Associate Partner, W. Capra mbeale@wcapra.com
(312)972-2433
Technology Executive Club Reference:
www.technologyexecutivesclub.com
www.technologyexecutivesclub.com/securitychicago