The fact that communication is a vital aspect of successful third-party relationships is obvious. ("You mean to tell me I have to talk to the companies producing my code? Jeez, next you'll say I have to give them money or something!")
That said, simple statements can hold a lot of meaning, and woe be unto companies that don't do a good job communicating in all the forms that interactions with vendors and others can take. Effectively navigating a vendor/customer relationship from start to finish requires a concentrated effort from multiple arms of an organization; on the security side alone, "talking right" can entail multiple professional roles and several communication media, ranging from informal e-mails to contractual terms.
In other words, knowing what, how and why to communicate is crucial in keeping a given product secure — and it has to be done right from the very beginning.
What happens when third-party relationships experience faltering communications? In a word, chaos.
In a few more words, it depends on where that breakdown occurs. "Bad communication" covers everything from a missed e-mail to a bungled legal provision, and its negative effects are every bit as varied: missed time-to-market goals, blown budgets and misrepresented expectations, to name a few.
The goal isn't to be negative here, but to express just how important it is for communication to be handled with due care at every level. When you're dealing with an entity that, by definition, you control less than a first-party arm, communication is often the best tool you have, and sometimes the only one.
The early stages of a third-party relationship are all about setting expectations, and everything that follows centers on continually refining and enforcing them. From a security standpoint, setting those expectations largely comes down to knowing what your vendor will be doing, how its responsibilities can create security issues and, of course, making sure the vendor knows about those potential issues too.
Dialing further in on the security side, tell your third parties exactly where their roles and responsibilities touch common security issues or (where applicable) industry regulations, and how problems can arise from the kind of work they're doing or the software they're providing. The specifics of this mapping vary from relationship to relationship, but having specialized security personnel, whether internal or hired, in the room while roles and responsibilities are delegated helps your enterprise say what it wants and where its security concerns lie.
Once the relationship is established and the expectations are set, focus your communication efforts on making sure things are still going smoothly months or even years down the line. PCI DSS, for instance, requires that you monitor your service providers' compliance status at least annually (Requirement 12.8.4); no matter what industry you're in, a yearly "expectation summit" of that kind can help both sides of a third-party relationship keep the original goals in mind throughout the course of the agreement.
Don't Assume Transparency — and Play the Metagame
Transparent communication is effective communication. That makes transparency from your third parties (and offering it yourself, where relevant) a critical consideration, not something to take for granted or to assume will happen on its own.
Think about all the problems a third party could face, or the changes it could undergo, that might cause security concerns on your side. If your mental list gets long fast (or if the paper version could run for a few miles), consider making transparency on those points a contractual term. You could require your vendors to tell you if key security personnel leave or if certain kinds of security incidents occur, for instance, even when those changes don't appear to be directly related to your own project. Writing notification "triggers" like these into the contract takes the judgment call out of the vendor's hands, so it never has to decide whether a problem is worth mentioning, and gives it a clear path to follow when a security-related problem arises.
Another provision worth adding, unusual as it is, is a regular (say, annual) review of the communications structure itself. Getting together with your vendors to iron out any wrinkles in the way you talk opens up the proverbial channels, heads off incidents later on and reminds both sides how important clear talk is throughout the relationship.
As the first party, and a company rightly concerned about security, it's your job to mitigate the inherent lack of control and oversight that comes with third-party relationships. Handling communication well from the start is the first and most important step in addressing both concerns. Whatever you're building, and however you need to keep it secure, make sure the conversation is rich, clear and transparent; considering the alternative, it's worth every bit of effort to do it right from the outset.