A More Effective Cloud Security Approach: NGFW for Inline CASB

Cloud applications have changed the way organizations do business, introducing new security risks in the process. These applications are easy to set up and use for collaboration, and as a result, the volume and sensitivity of data being transferred, stored and shared in these cloud environments continues to increase. Simultaneously, users are constantly moving to different physical locations and using multiple devices, operating systems, and application versions to access the data they need.

These are significant shifts in work habits and technology, and traditional security tools have not been able to keep pace. The push to address these security gaps has led to new technologies and ways to describe them, including the cloud access security broker (CASB) category.

According to Gartner, “CASBs are on-premises, or cloud-based security policy enforcement points, placed between cloud service consumers and cloud service providers to combine and interject enterprise security policies as the cloud-based resources are accessed. CASBs consolidate multiple types of security policy enforcement.”

CASBs provide organizations with three key SaaS security functions and have seen rapid evolution and adoption as a result: (1) visibility into SaaS usage; (2) granular control over SaaS access; and (3) compliance and security for your cloud-based data. There are different deployment modes by which a CASB can deliver its functions, including inline and API mode. We’ll explore these in a bit more detail below, as well as highlight a simpler, more effective approach: NGFW for inline CASB.

Addressing the CASB Need

The original definition of CASB, with its use of the term “broker,” implied that CASBs sat in the path of your cloud traffic. Since then, CASB technology has evolved and now includes two key components: inline mode and API mode. Let us look at these two modes briefly.


Inline CASB

Inline CASB can be further broken down into two modes: forward proxy and reverse proxy. With a forward proxy, CASB vendors need to forward cloud traffic to an appliance or service that can provide app visibility and control capabilities. It is also important to note that forward-proxy capabilities are not limited to proxies alone. Powerful next-gen app control capabilities can be enforced using an NGFW appliance or service as well. This is ideal for multiple reasons, as many customers already have an NGFW deployed as an internet gateway for on-premises or remote users. If customers prefer to use a true proxy (offered by most CASB vendors), it often introduces additional management overhead and complexity. It is important for customers to consider whether their existing NGFW already solves their inline CASB needs without additional cost. In the case of a reverse proxy, CASB vendors use SSO (or sometimes DNS) to re-route users through an inline CASB service to ensure that policies are enforced.


API-Based CASB

The API-based approach allows CASB vendors to access the customer’s data within the cloud application without being “in between” the cloud traffic. It is an out-of-band approach to perform several functions, including granular data security inspection on all data at rest in the cloud application or service, as well as ongoing monitoring of user activity and administrative configurations. The cloud application user experience is preserved as the API is non-intrusive and does not interfere with the data path to the cloud application. In addition to applying policies for any future violations, an API-based CASB is the only way to crawl through existing data stored in the cloud, and remediate any DLP violations and threats. This is particularly important as enterprises end up “sanctioning” an app before they have figured out how to secure it, and there is almost always existing content that needs to be investigated. We will cover API-based CASB in much more detail in an upcoming blog post.

We Have a Simpler Approach: NGFW for Inline CASB

A next-generation firewall combines user, content and application inspection features within the firewall to enable CASB functions. The inspection technology is then capable of mapping users to applications to deliver granular control over cloud application usage – regardless of location or device. Relevant features to CASB within an NGFW include granular app control (including SaaS and on-premise apps), app-specific function control, URL and content filtering, policies based on application risk, DLP, user-based policies, and preventing known and unknown malware.
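To make the inline enforcement described above concrete, here is an added Python model of what a forward-proxy style policy enforcement point does on each request: identify the SaaS app from the destination host, identify the app function (upload, download, browse), look up the user's group, then evaluate ordered first-match rules that combine app risk, sanctioned status, user group and a DLP check on upload bodies. This is illustrative code written for this digest, not code from the post or from Palo Alto Networks; the app catalogue, hostnames, user groups, rules and the card-number test value are all constructed.

```python
"""
Toy inline policy enforcement point (PEP), in the style of an NGFW acting
as a forward-proxy CASB. Added illustration; everything below (hosts,
apps, risk scores, groups, rules) is constructed sample data.
"""
import re
from dataclasses import dataclass

# Constructed app catalogue: host pattern -> (app name, risk 1-5, sanctioned?)
APP_CATALOGUE = [
    (re.compile(r"(^|\.)corp-files\.example$"), "CorpFiles", 2, True),
    (re.compile(r"(^|\.)sharebox\.example$"), "ShareBox", 4, False),
    (re.compile(r"(^|\.)crm\.example$"), "CRM", 2, True),
]

# Constructed user-to-group mapping (an NGFW would get this from User-ID/AD).
USER_GROUPS = {"alice": "finance", "bob": "engineering", "carol": "contractor"}


@dataclass
class Request:
    user: str
    host: str
    method: str
    path: str
    body: bytes = b""


@dataclass
class Verdict:
    action: str    # "allow" or "block"
    rule: str      # name of the first rule that matched
    app: str
    function: str


def classify_app(host):
    """Map a destination host to an app; unknown hosts are treated as highest risk."""
    for pattern, name, risk, sanctioned in APP_CATALOGUE:
        if pattern.search(host.lower()):
            return name, risk, sanctioned
    return "unknown", 5, False


def classify_function(method, path):
    """Coarse app-function detection from the HTTP method and path."""
    if method in ("POST", "PUT") and "/upload" in path:
        return "upload"
    if method == "GET" and "/download" in path:
        return "download"
    return "browse"


def luhn_ok(digits):
    """Luhn checksum, so the DLP pattern ignores arbitrary 16-digit numbers."""
    total = 0
    for i, d in enumerate(reversed(digits)):
        n = int(d)
        if i % 2 == 1:
            n = n * 2 - 9 if n * 2 > 9 else n * 2
        total += n
    return total % 10 == 0


# 16 digits, optionally separated by spaces or hyphens.
PAN_RE = re.compile(rb"\b(?:\d[ -]?){15}\d\b")


def contains_card_number(body):
    """Simple DLP content check: any Luhn-valid 16-digit number in the body."""
    for match in PAN_RE.finditer(body):
        digits = re.sub(rb"[ -]", b"", match.group(0)).decode()
        if luhn_ok(digits):
            return True
    return False


def evaluate(req):
    """Ordered, first-match rule evaluation, as an inline PEP would do it."""
    app, risk, sanctioned = classify_app(req.host)
    func = classify_function(req.method, req.path)
    group = USER_GROUPS.get(req.user, "unknown")
    if not sanctioned and func == "upload":
        return Verdict("block", "no-upload-to-unsanctioned", app, func)
    if risk >= 4 and group == "contractor":
        return Verdict("block", "contractor-high-risk-app", app, func)
    if func == "upload" and contains_card_number(req.body):
        return Verdict("block", "dlp-card-number", app, func)
    return Verdict("allow", "default-allow", app, func)


if __name__ == "__main__":
    samples = [
        Request("alice", "corp-files.example", "POST", "/upload", b"card 4111 1111 1111 1111"),
        Request("bob", "sharebox.example", "POST", "/upload", b"design.pdf"),
        Request("carol", "sharebox.example", "GET", "/download/x"),
        Request("bob", "crm.example", "GET", "/accounts"),
    ]
    for r in samples:
        v = evaluate(r)
        print(f"{r.user:6} {r.host:20} {v.function:8} -> {v.action:5} ({v.rule})")
```

The rule order matters: the cheap app and user checks run before the DLP scan, so content inspection only happens for uploads to apps the policy already permits, which is also how you keep an inline device from becoming the bottleneck.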

Customers who choose an NGFW-based approach should have deployment flexibility, using one or a combination of the following scenarios:

  • NGFW as an appliance: Beyond physical appliances that may already be in place, virtual firewalls can act as gateways in the cloud to ensure maximum global coverage for remote users, eliminating the overhead of deploying additional hardware. Most customers already have this component deployed for on-premise users.
  • NGFW as a cloud service: In this scenario, the multi-tenant, cloud-based security infrastructure should be managed and maintained by the security vendor. For example, the Palo Alto Networks GlobalProtect cloud service enables customers to utilize the preventive capabilities of the Palo Alto Networks Next-Generation Security Platform to secure remote networks and mobile users. The service can be a simple extension to their existing NGFW deployment to prevent the exfiltration of sensitive data across all apps, SaaS-based or not. Customers can reduce the complexity and cost of managing global deployments, and gain consistent protection across cloud environments.

What’s more, when an inline NGFW approach is used as part of an integrated, prevention-first, next-generation security platform – including an NGFW, threat intelligence cloud, API-based SaaS security service and advanced endpoint protection – customers can stop data leaks from their cloud apps; reduce threat exposure by controlling sanctioned and unsanctioned application usage; prevent known and unknown threats within allowed traffic and ensure that their cloud application adoption remains compliant.

A next-generation security platform, in fact, provides complete cloud protection at a lower total cost of ownership than typical CASBs.


[Palo Alto Networks Research Center] 

Four Important Best Practices for Assessing Cloud Vendors

When it comes to evaluating new vendors, it can be challenging to know how best to communicate the requirements of your vendor assessment process and ultimately select the right partner to help your business move forward — while at the same time avoiding the risk of a third-party security incident. After all, 63 percent of data breaches are linked to third parties in some way. In fact, we all recently learned about how an Equifax vendor was serving up malicious code on their website in a newly discovered security incident.

The Whistic team has done thorough research on what a good vendor assessment process looks like and how to keep your organization safe from third party security threats. In the following article, we’ll outline a few of these best practices that your organization can follow in order to improve your chances of a successful vendor review. Of course, there will still be situations that you must address in which a vendor is either not prepared to respond to your request or isn’t willing to comply with your process. However, we’ll share some tips for how to best respond to these situations, too.

But before we get started, keep these three keys in mind:

  1. Time your assessments: The timing of the assessment will be the single greatest leverage you have in getting a vendor to respond. Keep in mind that aligning your review with a new purchase or contract renewal is key.
  2. Alert the vendor ASAP: The sooner a vendor is aware of a review the better. Plan ahead and engage early and get executive buy-in from your team to hold vendors accountable to your policy. If your business units understand that you have a policy requirement to review every new vendor, they can help set expectations during the procurement process and eliminate last-minute reviews.
  3. Don’t overwhelm your vendors: Unnecessary questions or requests for irrelevant documentation can slow the process down significantly. Be sure to revisit your questionnaire periodically and identify new ways to customize questions based on vendor feedback. You may find, after conducting several security reviews, that there are ways to improve the experience for both parties.

Personalize the Communication
At Whistic, we’ve had a front row seat to the security review processes of companies all across the world and a wide range of use cases. We’ve seen firsthand how much of a difference personalized communication can make in creating a more seamless process for all involved, especially third party vendors who are or hope to be trusted partners to your business.

With this in mind, we strongly recommend sending a personalized email to each vendor when initiating a new questionnaire request to supplement the email communication that they will receive from any software you utilize. This can help alleviate concerns the vendor may have about the assessment process and should help to improve turnaround times on completed questionnaires. Even with the automated communication support from a third party security platform, the best motivator for your vendor to complete your request may be a friendly reminder from you or the buyer that the sales process is on hold until they complete the assessment.

Deliver Expectations Early
Assuming that your vendor already understands that you are going to need to complete a security review on them, the best time to help them understand your expectations is either right before or right after you initiate a request via your third party security platform.

When doing so, keep the following in mind as you have a phone call or draft an email to your vendor to introduce the vendor assessment request:

  • Set The Stage: Let your vendor know about the third party security platform that your organization uses and that it is the required method for completing your security review process.
  • Give Clear Direction: Specify a clear deadline and any specific instructions for completing the entire security review — not just the questionnaire.
  • Provide Resources: Provide information for the best point of contact who can answer questions they may have throughout the process. It’s also a good idea to let them know that your third party security platform may reach out if they aren’t making progress on their vendor assessment.

Utilize an Email Template
Whether you use a customized template created by your team or a predefined template (such as the one Whistic provides to its customers), it’s worth spending a few minutes upfront to standardize the communication process. This will save you time in the long-run and allow you to deliver a consistent message to each of your vendors.

Respond to Vendor Concerns
It isn’t uncommon for vendors, particularly account executives, to try and deflect a security review as they know it has the potential to delay the sales/renewal process. They may also have questions about sharing information through a third party security platform as opposed to emailing that information to you. We know from experience how frustrating this can be for all involved, so below are two tips for handling pushback:

  • Preparation: If you are getting repeated pushback from vendors, review the “Keys to Success” outlined at the beginning of this article and explore additional ways to adopt those best practices.
  • Complexity, Relevance, and Length: These items can be among the reasons why vendors complain about your security review process. Periodically revisit your questionnaire and consider adding filter logic to limit the number of questions asked of each vendor, or to make the question sets more relevant to the vendor that is responding.

These are just a few things to consider as you look to assess your next cloud vendor. What else have you found helpful as you have approached this responsibility at your company?

Nick Sorensen, President & COO, Whistic

[Cloud Security Alliance Blog]

Cloud Security Alliance Issues New Code of Conduct for GDPR Compliance

Edinburgh, Scotland – November 21, 2017 – The Cloud Security Alliance (CSA), the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment, today released the CSA Code of Conduct for GDPR Compliance, which provides cloud service providers (CSPs), cloud customers, and potential customers with much-needed guidance in order to comply with the new obligations stemming from the European General Data Protection Regulation (GDPR). As part of this release, the CSA has also launched the CSA GDPR Resource Center, a new, community-driven website with tools and resources to help educate cloud service providers and enterprises on the new European data protection regulation.

“Companies worldwide are struggling to keep pace with shifting regulations affecting personal data protection. The Privacy Level Agreement (PLA) Working Group realized it was critical for cloud providers to have guidance that would enable them to achieve compliance with EU personal data protection legislation,” said Francoise Gilbert, CSA Lead Outside Counsel and PLA Working Group co-chair.

“With the introduction of GDPR, data protection compliance becomes increasingly risk-based. Data controllers and processors are accountable for determining and implementing within their organizations appropriate protection levels for the personal data they process,” noted Paolo Balboni, European ICT, privacy and data protection lawyer, and co-chair of the Privacy Level Agreement Working Group. “In this scenario, the CSA Code of Conduct for GDPR Compliance is of fundamental importance as it gives guidance for legal compliance and the necessary transparency on the level of data protection offered by the CSPs.”

The CSA Code of Conduct for GDPR Compliance is designed to meet both actual, mandatory EU legal personal data protection requirements (i.e., Directive 95/46/EC and its implementations in the EU member states) and the forthcoming requirements of the GDPR.

  • Fair and transparent processing of personal data;
  • Information provided to the public and to data subjects (as defined in Article 4 (1) GDPR);
  • Exercise of data subjects’ rights;
  • Measures and procedures referred to in Articles 24 and 25 GDPR and the measures to ensure security of processing referred to in Article 32 GDPR;
  • Notification of personal data breaches to supervisory authorities (as defined in Article 4 (21) GDPR) and the communication of such personal data breaches to data subjects; and
  • Transfer of personal data to third countries.

Additionally, the CSA Code of Conduct for GDPR Compliance contains mechanisms that enable the body referred to in Article 41 (1) GDPR to carry out mandatory compliance monitoring by the controllers or processors who undertake to apply it, without prejudice to the tasks and powers of competent supervisory authorities pursuant to Article 55 or 56 of GDPR.

“The CSA Code of Conduct for GDPR Compliance offers cloud customers a tool to evaluate the level of personal data protection offered by different CSPs and make informed decisions on how they will secure that data,” said Daniele Catteddu, Chief Technology Officer, CSA. “We are extremely proud of the work that went into this latest iteration.”

The CSA PLA Working Group was formed in 2012 to help transpose the Art. 29 WP and EU National Data Protection Regulators’ recommendations on cloud computing into an easy-to-use outline for CSPs to follow when disclosing personal data-handling practices. The scope and objective of the PLA initiative was previously presented to the European Parliament as part of discussions on the potential effect of the proposed General Data Protection Regulation on cloud computing. Since then, the PLA Working Group has been engaged in defining a structured method for communicating the level of privacy that a CSP agrees to maintain.

The PLA Working Group is comprised of independent privacy and data protection subject matter experts, privacy officers, and representatives from data protection authorities.

The CSA Code of Conduct for GDPR Compliance is free and available at: https://gdpr.cloudsecurityalliance.org/resource/csa-code-of-conduct-for-gdpr-compliance/.

For access to the CSA GDPR Resource Center, visit https://gdpr.cloudsecurityalliance.org/

About Cloud Security Alliance

The Cloud Security Alliance (CSA) is the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment. CSA harnesses the subject matter expertise of industry practitioners, associations, governments, and its corporate and individual members to offer cloud security-specific research, education, certification, events and products. CSA’s activities, knowledge and extensive network benefit the entire community impacted by cloud — from providers and customers, to governments, entrepreneurs and the assurance industry — and provide a forum through which diverse parties can work together to create and maintain a trusted cloud ecosystem.

Media Contact

Kari Walker for the CSA
ZAG Communications
703.928.9996
kari@zagcommunications.com

[Cloud Security Alliance Research Center]

Cloud Security Alliance Releases New Cloud Security for Startups Report

SEATTLE, WA – November 20, 2017 – The Cloud Security Alliance (CSA), the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment, today released a new report titled Cloud Security for Startups. The new white paper, developed by the CSA’s Israel chapter, aims to help Software-as-a-Service Startups (SaaS-SUs) gain and maintain customer trust by building solid security foundations at an early stage of the product development process. In establishing security controls to match risks at any point in time, SaaS-SUs can successfully align those controls with product development and investment rounds.

“Information security is a complicated subject even for mature enterprises, so it’s no wonder that startups find the area so daunting,” said John Yeoh, Research Director at CSA. “In today’s risk environment, young startups find themselves challenged on how to best align security with current and future business growth. In creating this paper, we hope that startups, regardless of industry or geography, will find it a valuable tool in understanding, addressing and applying trusted and best practices for creating a secure computing environment.”

Planning, implementing and maintaining good security is not only necessary, but can serve as an important advantage that can be leveraged as a marketing differentiator. Poor practices may result in dire consequences, ranging from longer sales cycles to the inability to raise additional funding. The guidelines provided in Cloud Security for Startups have been specifically created to help cloud-based startups developing on public Infrastructure/Platform-as-a-Service (IaaS/PaaS) understand their security roadmap.

Specifically, the report elaborates on the three phases in a startup’s lifecycle, from inception to growth, and then to maturity, and suggests controls relevant to SaaS-SUs based on their current phase of development. Written to help company founders, CTOs, product managers and architects, the report divides controls into three domains: application security, platform security and security management. Additionally, the report addresses best practices and tips for choosing cloud platforms.

CSA will hold a webinar on Thursday, November 23 at 2:00 pm CEST to provide insights and explanations and to answer questions surrounding the new whitepaper. To register for the webinar, visit https://www.brighttalk.com/webcast/10415/284775.

The Cloud Security for Startups white paper is a free resource from the CSA.

[Cloud Security Alliance Research News]

Need of the Hour: An Effective Cyber Security Leader

Cyber risks have taken center stage in the corporate world. It is estimated that more than 80 percent of organizations have now included cyber risk as one of the top five risks in their risk register. Cyber security has become a key concern for boards and executive leadership.

Recent surveys and research suggest that although visibility at the board level has increased, requisite organizational structures (to support cyber risk mitigation) are still lagging. I believe that is a result of a combination of factors:

1. Cyber security as a domain, being new, has no specific standard format to follow in terms of implementing structures and allocating responsibilities.
2. There is an inherent shortage of resources, and the problem is even more acute at senior levels.
3. Depth of cyber security knowledge is lacking at the board level.

The apparent disconnect and gap in trust needs to be closed if the cyber threat is to be tackled effectively. Organizations must realize that, in order to have a mature cyber security posture, they need transformational leadership in their cyber security area.

An executive/manager in charge of cyber security in an organization has the unenviable task of influencing the board and the executive leadership group, as well as impacting the security culture across the organization. The cyber security leader does not necessarily need in-depth technical skills, but certainly needs dynamic leadership skills.

What are the skills required for cyber leadership?
If you are a board member/executive manager looking to hire a security manager or you are a security manager looking to rise to the challenge, in addition to technical understanding of security, I recommend focusing on getting/developing the following skills:

  • Great communicator and story teller: Only a great communicator can influence effectively at the board and executive level, as well as impact end users from various business units with varied amounts of technical knowledge.
  • High emotional intelligence: A highly developed emotional intelligence (EI) is needed to foster enduring internal relationships with peers, business unit leaders and technical staff. EI is a critical trait as it will influence collaboration, teamwork, crisis management and more.
  • Big-picture thinking (being able to see the forest through the trees): A security manager usually comes from a technical background, and technical engineers are very good at focusing on the minutiae which is necessary to solve technical problems. Security, on the other hand, is very much connected with being able to see the bigger picture and the context. Security leaders need to have big-picture thinking to be successful.
  • Business acumen: A security leader has a very important part to play in business planning, strategic planning, and ensuring that security and risk management are built into all business processes. Most importantly, the person needs to be able to frame security challenges as business opportunities. Ultimately, security leaders need to balance dollars with risk.
  • Ability to lead cultural change: Organizational culture sets the tone, the framework and the operational context for security to operate. Implementing a mature security posture has a lot to do with successfully leading culture change in an organization. Ultimately, the security leader must create a positive security culture.
  • Personal integrity: For the security leader, the foundation of success is built on how he/she can engender trust of various parts of the organization in the security processes and security programs being put in place. Trust starts with the security leader, and hence he/she must exhibit the greatest of personal integrity.
  • Execution/ability to get things done: Security leaders must be results-oriented. At the end of the day, soft skills are all good, but the security manager must have the ability to execute and complete tasks and projects successfully. The security leader must find ways to say “yes” to internal stakeholders and make security an enabler and not a roadblock.
  • Be a team-builder: Good leaders build good teams. The security leader needs to be a “servant leader” and build a team of specialists with multi-dimensional skillsets, attracting the best talent to the organization. Successful security programs need people with the right mix of talent, technical skills and interpersonal skills working as a cohesive unit.

Editor’s note: Ashutosh Kapse will be presenting on “Culture & Leadership – Key to Cybersecurity” at ISACA’s 2017 Asia Pacific CACS conference, to take place 29-30 November in Dubai.

Ashutosh Kapse, Head of Cybersecurity, IOOF Holdings Australia

[ISACA Now Blog]
