Industry executives and experts share their predictions for 2023. Read them in this 15th annual VMblog.com series exclusive.
Why third-party vendor security compliance is coming in 2023
By Asaf Kochan, Co-Founder and President of cloud data security company Sentra
Over the last decade, one of the most common debates
among large enterprises revolved around how to find and use the best
technology: is it better to build it yourself, or to buy a solution from a
third-party vendor? As we enter 2023, the market has made its opinion clear.
The rise of solutions like Salesforce, Snowflake, Gong and Twilio has shown
that it's more efficient and effective to use an exceptional third-party vendor
than to spend massive amounts of resources building an inferior solution. And beyond
these market-leading vendors, today's enterprises now trust a web of
third-party providers for common services and point solutions.
These service providers have undoubtedly made it easier for enterprises to
scale their operations and add new functionalities. However, there is an
inherent risk when trusting third parties to join your technology stack.
According to research from Gartner, 83% of legal and
compliance leaders claim that third-party risks are identified after initial
onboarding and due diligence. This overwhelming majority shows that current due
diligence approaches and risk management strategies are unable to handle the
risks that come with onboarding third-party services.
Many organizations are now conducting vendor assessments, keeping a catalog of all
their vendors, which data each vendor stores, and more. This provides some
level of risk control and some visibility into how their data is secured, but it isn't good
enough for the challenge at hand. In 2023, we will see a formalized
approach to vendor security compliance become more common among enterprises.
Maintaining security compliance will become a standard entry ticket for those
vendors looking to operate in cloud environments.
## Why formal vendor compliance matters
Think about some of your most important
personal documents: your birth certificate, your medical records, your
passport. You probably keep the original copies of these documents in a safe
place at home - you know where they are at all times and you know that a bad
actor cannot access them. Sometimes, a reputable organization might require you
to make a copy of one of these documents: a government agency needs a copy of
your birth certificate to issue benefits; or a medical specialist needs a copy
of your records. We trust that these organizations are reputable and have the
standards in place to protect our sensitive information.
But unfortunately, sometimes we give copies of
our important documents to organizations that aren't as secure as we expected. A good
example of this is the breach of Experian in 2015, which exposed
millions of users' social security numbers to bad actors.
These principles of trust and security are
simple, yet we continue to see enterprises ignore them when they work with third-party
vendors. An enterprise's sensitive data is the equivalent of your birth
certificate or social security number. Every enterprise is probably confident
that the sensitive data is secure within their own systems. But what happens
when a service needs a copy of that data to function? Is the service more like
a secure government agency, or is it more like Experian?
Organizations must have the ability to tag their sensitive data and track where
it's going - including copies. Tracking this data can reveal surprising
vulnerabilities. The data could be traveling to a foreign server, taking it out
of compliance with geographic regulations, or a bad actor could be accessing it
at the same time every night. These unpleasant revelations show that
enterprises need the ability to protect their data even when it's in motion or
being stored outside their owned systems.
## Standards for formal vendor compliance
What do enterprises need to consider as they
establish formal compliance standards for their third-party vendors? At the
most basic level, enterprises need to know that their sensitive data will
travel and maintain its security posture, regardless of where or how the
service provider plans to use the data.
This is the season for New Year's resolutions. In 2023, organizations must
resolve to protect their sensitive data and work only with those partners who
can ensure the same level of protection.
## ABOUT THE AUTHOR
Former Commander of Unit 8200, Israel’s elite military technology and cyber unit. Methodological, analytical, and results-driven, Asaf is an experienced cybersecurity leader with a broad perspective on global cyber threats.