Companies can no longer manage IT security alone. It's not an issue of weakness or inability; the network and end-point landscape has simply become too complicated for even enterprise IT teams to handle. As a result, more and more organizations are reaching out to third-party security vendors. For example, Computer Business Review reports 34 percent of UK companies already use managed security services, and 40 percent bring in outside security experts for specific problems. But just as differing technology threats pose varying degrees of risk, differing vendors have unique strengths and weaknesses. Here are three questions every CISO should ask a potential security provider before giving it corporate access.
1. How Do You Handle Data?
Data is the lifeblood of any organization, large or small. As a result, it's essential for CISOs to know how security vendors will handle their firm's data. How will data be analyzed? Where will it be sent? Who will retain ultimate ownership? On the surface, the answers to these questions may seem straightforward: Vendors play such crucial roles in the security ecosystem, surely they would never compromise company data.
But consider the recent problems faced by electronics manufacturer Samsung. According to an eSecurity Planet article, Samsung's new Smart TV not only transmits voice recognition data to a third-party service for conversion, but the company also acknowledges that "if your spoken words include personal or otherwise sensitive information, that information will be among the data captured and transmitted to a third party through your use of voice recognition." In an attempt to enhance the user experience, the company has opened up potential avenues of data exploitation via the use of a third party.
For CISOs, therefore, it's critical to ask this question: How will data be handled, and who will have access? The right security vendor will access only the absolute minimum and never forward it to other partners.
2. What's Running on Corporate Networks?
The next big question for CISOs concerns the kind of software a third-party vendor wants to install on corporate networks. As noted by a recent Computerworld article, "bloatware" — software loaded onto PCs and networks with the intention of advertising to users — has prompted backlash from security advisers and consumers alike who worry about what else the software may be carrying. And while it's unlikely a third-party security vendor will be stuffing servers full of malware or spyware, CISOs cannot operate on that assumption alone. What if a vendor builds its proprietary app using free source code that contains a known vulnerability? What if its installation creates an unintentional backdoor? Ideally, vendors should be able to supply a cloud-based alternative that eschews the need for traditional installation in favor of on-demand security controls.
3. What Can I Take Back to the Board?
According to Forbes, CISOs cannot act as technology advocates alone: They must bring actionable insight back to the board. This means CISOs must be forthright with security vendors when asking about outcomes and expectations. Are end-to-end or point-based detection methods being used? Who is notified in the event of a breach, and what kind of report is generated? By addressing these questions before moving forward with a vendor, CISOs can avoid uncomfortable questions in the boardroom and help ensure budget requests for increased security spending are backed up by hard evidence.
Third-party security vendors are now critical parts of enterprise IT infrastructure. For CISOs to get their money's worth — and enjoy peace of mind — it's essential to ask about data, software and actionable returns.