With digital transformation making headlines in industries all over the world, organisations are becoming exposed to a set of related IT risks. A digital strategy involves moving towards new technologies and adapting to change, and it is therefore closely linked to a number of an organisation's other strategies. One aspect of digital strategy that is often neglected or treated as an afterthought is the selection of vendors and third parties for what should be a long-term business partnership. Treating IT vendors as anything less than business partners is risky in today's world, and this overlooked risk of digital transformation can eventually expose a company to a variety of other business risks.
Many a time, digital infrastructure and product vendors are considered just another cost to the business. In reality, they should be treated as critical business partners. This is especially relevant in a rapidly changing economy where the skills required to grow and adapt change every day. As processes and business needs have evolved, and as disruptive technologies such as Artificial Intelligence (Robotic Process Automation (RPA), Machine Learning etc.), Cloud and Virtual Reality have become integral to survival, waiting to adapt is no longer an option.
Time-to-market is becoming shorter for everyone, but resources are still limited. To meet the evolving needs of a business, it is no longer possible to rely solely on internal staff who, while managing day-to-day operations, cannot find much time to train on a specific technology. Even if they could, companies simply cannot afford to be tied exclusively to known technologies: new technologies and products may eventually lead to a change in the organisation's direction. In addition, retaining an employee, especially an upskilled one, is a challenge in today's world since the demand for such talent is high. All of this creates a significant risk that an organisation will not be able to keep up with changing needs, and that the entire digital transformation journey will ultimately be derailed.
Vendors can provide an organisation with the required resources, either by training existing staff or by sending in their own experts in the technology concerned. Vendors maintain skilled and experienced resources: where a company can rely only on its internal staff, a vendor can supply people at different levels of seniority with a variety of expertise and experience. The services of these resources are governed by a Service Level Agreement (SLA) to ensure that there are no disruptions to the business. Vendors of such services and products can no longer be treated as mere third parties.
On the downside, as businesses rely more and more on outsourced and hybrid (internal and external) service models, additional IT security risks arise, such as an IT supply chain attack. Such an attack can originate from a compromised vendor landscape, where the attacker leverages the trusted vendor's IT environment to penetrate the client's IT environment with malicious intent. From there, the attacker can compromise, and hold to ransom (ransomware), as many of the trusted vendor's clients as they choose. This aspect of data security is often overlooked by business IT or legal functions because they lack the necessary technical IT security expertise. Another risk is a misunderstanding or breakdown of communication about the SLA, resulting in business needs not being met as well as they should have been.
Organisations should implement IT security best practices such as the ISO 27000 series or NIST guidelines, both of which include securing supply chain access among their recommendations. A few common points to consider are:
- Segregate the IT systems accessed by vendors onto separate networks, for example a network dedicated solely to the solution's development and/or testing.
- Grant access to the live Production environment of an IT product only on demand and on a need basis.
- Conduct due diligence on potential as well as existing vendors, such as assessing their IT security controls, governance and audit status.
- Include legal clauses requiring the vendor to protect the client's operations from any supply chain attack, and define the modalities of communication and resolution in case of such an attack.
- Demand the right to have an audit conducted by an auditor selected by the client, and/or the right to review the vendor's audit reports.
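The first two points above (a segregated vendor dev/test network with standing access, and on-demand, time-boxed access to Production) can be encoded as an access-policy check. The example below is added here and is not code from the article or from any product; the network names, the approver role, the four-hour window limit and the sample grants are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Constructed network names for this example (not from the article).
VENDOR_DEVTEST = "vendor-devtest"     # segregated network: standing vendor access
PRODUCTION = "production"             # on-demand, approved, time-boxed access only
MAX_PROD_WINDOW = timedelta(hours=4)  # assumed upper limit for a production window


@dataclass
class AccessGrant:
    vendor: str
    network: str
    approved_by: str = ""            # internal approver; empty string = not approved
    start: Optional[datetime] = None  # window, required for production grants
    end: Optional[datetime] = None


def evaluate_access(vendor: str, network: str, grants: List[AccessGrant],
                    now: datetime) -> Tuple[bool, str]:
    """Decide whether a vendor may reach a network at time `now`; returns (allowed, reason)."""
    own = [g for g in grants if g.vendor == vendor and g.network == network]
    if network == VENDOR_DEVTEST:
        # Standing access is acceptable only on the segregated dev/test network.
        if own:
            return True, "standing access on segregated dev/test network"
        return False, "no grant for dev/test network"
    if network == PRODUCTION:
        for g in own:
            if not g.approved_by or g.start is None or g.end is None:
                continue  # unapproved or open-ended grants never unlock production
            if g.end - g.start > MAX_PROD_WINDOW:
                continue  # window too long to count as on-demand access
            if g.start <= now <= g.end:
                return True, "on-demand window approved by " + g.approved_by
        return False, "production requires an approved, current, time-boxed grant"
    # Any network not explicitly opened to vendors stays closed (segregation).
    return False, "network " + repr(network) + " is not exposed to vendors"


# Constructed sample data: a fixed clock and a small grant register.
NOW = datetime(2024, 1, 15, 10, 0, tzinfo=timezone.utc)
LATER = NOW + timedelta(hours=3)
SAMPLE_GRANTS = [
    AccessGrant("acme", VENDOR_DEVTEST),
    AccessGrant("acme", PRODUCTION, approved_by="it-ops-lead",
                start=NOW - timedelta(hours=1), end=NOW + timedelta(hours=1)),
    AccessGrant("acme", "finance-lan"),                       # never vendor-facing
    AccessGrant("globex", PRODUCTION, start=NOW, end=LATER),  # no approver recorded
]

if __name__ == "__main__":
    for vendor, net, when in [("acme", PRODUCTION, NOW), ("acme", PRODUCTION, LATER)]:
        print(vendor, net, when.isoformat(), evaluate_access(vendor, net, SAMPLE_GRANTS, when))
```

Each decision carries a reason string so that denied and granted requests can be written to an audit trail, which supports the audit rights discussed in the last point of the list.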
The vendor business partner relationship cannot be ignored, since digitalising processes and surviving in a digital world would be next to impossible without it. Vendors should therefore be cautiously but fully integrated as partners in managing threats to the IT environment, such as threats to data security and integrity.
About the Author:
Syed Murtuza is a seasoned IT professional with a passion for creating secure and resilient environments that enable the achievement of strategic goals, effective decision making and improved stakeholder transparency of IT controls. He specialises in security, audit and operations, and also has experience in IT management and governance, IT controls and frameworks, process improvement, IT risk management and cyber security, project management and quality management.