Virtualization Technology News and Information
Sentra 2023 Predictions: Why third-party vendor security compliance is coming in 2023


Industry executives and experts share their predictions for 2023. Read them in this 15th annual series exclusive.

Why third-party vendor security compliance is coming in 2023

By Asaf Kochan, Co-Founder and President of cloud data security company, Sentra

Over the last decade, one of the most common debates among large enterprises revolved around how to find and use the best technology: is it better to build it yourself, or to buy a solution from a third-party vendor? As we enter 2023, the market has made its opinion clear. The rise of solutions like Salesforce, Snowflake, Gong and Twilio has shown that it's more efficient and effective to use an exceptional third-party vendor than to spend massive amounts of resources building an inferior solution. And beyond these market-leading vendors, today's enterprises now trust a web of third-party providers for common services and point solutions.

These service providers have undoubtedly made it easier for enterprises to scale their operations and add new functionalities. However, there is an inherent risk when trusting third parties to join your technology stack.

According to research from Gartner, 83% of legal and compliance leaders claim that third-party risks are identified after initial onboarding and due diligence. This overwhelming majority shows that current due diligence approaches and risk management strategies are unable to handle the risks that come with onboarding third-party services.

Many organizations are now conducting vendor assessments, keeping a catalog of all their vendors, which data each vendor stores, and more. This provides some level of risk control and some visibility into how their data is secured, but it isn't good enough for the challenge at hand. In 2023, we will see a formalized approach to vendor security compliance become more common among enterprises. Maintaining security compliance will become a standard entry ticket for those vendors looking to operate in cloud environments.

Why formal vendor compliance matters

Think about some of your most important personal documents: your birth certificate, your medical records, your passport. You probably keep the original copies of these documents in a safe place at home - you know where they are at all times and you know that a bad actor cannot access them. Sometimes, a reputable organization might require you to make a copy of one of these documents: a government agency needs a copy of your birth certificate to issue benefits; or a medical specialist needs a copy of your records. We trust that these organizations are reputable and have the standards in place to protect our sensitive information.

But unfortunately, sometimes we give copies of our important documents to organizations that aren't as secure as we expected. A good example of this is the breach of Experian in 2015, which exposed millions of users' social security numbers to bad actors.

These principles of trust and security are simple, yet we continue to see enterprises ignore them when they work with third-party vendors. An enterprise's sensitive data is the equivalent of your birth certificate or social security number. Every enterprise is probably confident that its sensitive data is secure within its own systems. But what happens when a service needs a copy of that data to function? Is the service more like a secure government agency, or is it more like Experian?

Organizations must have the ability to tag their sensitive data and track where it's going - including copies. Tracking this data can reveal surprising vulnerabilities. The data could be traveling to a foreign server, taking it out of compliance with geographic regulations, or a bad actor could be accessing it at the same time every night. These unpleasant revelations show that enterprises need the ability to protect their data even when it's in motion or being stored outside their owned systems.

Standards for formal vendor compliance

What do enterprises need to consider as they establish formal compliance standards for their third-party vendors? At the most basic level, enterprises need to know that their sensitive data will maintain its security posture wherever it travels, regardless of where or how the service provider plans to use the data.

This is the season for New Year's resolutions. In 2023, organizations must resolve to protect their sensitive data and work only with those partners who can ensure the same level of protection.


Former Commander of Unit 8200, Israel's elite military technology and cyber unit. Methodological, analytical, and results-driven, Asaf is an experienced cybersecurity leader with a broad perspective on global cyber threats.

Published Monday, January 23, 2023 7:35 AM by David Marshall