
Vendor security - How much diligence is due? (Series introduction)
This is the first post in what will be a multi-part series that examines the question of how much rigour should be applied while ensuring a vendor’s security posture is adequate.
I recently saw a post on LinkedIn where someone asked how much effort they should put into checking on their vendors’ cyber security programmes. Concerns about “supply chain security” are not new, but recent events have created new urgency around addressing vendor security challenges. So, how much security is enough? Well, it depends…
Note: Everything I write is informational only, not professional advice. I offer only my personal opinions, experience, and research. Nothing I write represents the views of or has anything to do with any of my past or current employers or affiliates. You might also want to understand some of the personal biases that influence my thinking on this subject.
The vendors in our lives
I don’t know about you, but when I’m shopping for electronics I don’t put much thought into which brand of television is less likely to track what I watch. It doesn’t even cross my mind that my Citroën minivan might be recording audio and sending it to the French government. I certainly never think about who might have untraceable, electronic master keys to my hotel room when I’m travelling.
Yeah, okay, it’s probably obvious that I actually do think about those things, but a little bit of heightened awareness about the ways technology could be misused is an occupational hazard in cyber security work. On a personal level, I’m actually a fairly trusting person, but I try to make sure I am at least a little bit aware of what risks I take when I entrust my personal data to third parties.
Most individuals only need to protect a small amount of data of relatively low value, so trusting the background protections inherent in living in modern society is often (marginally) enough. In contrast, when companies handle personal details, intellectual property, financial data, or other types of sensitive information, they tend to do so in bulk. Even if the amount is small, the value often is high - why else would they bother with it? Companies that handle valuable data need to be acutely aware of the risks that third-party products and services bring with them. If they aren’t, they could be putting their customers and themselves in serious danger of data breach, manipulation, or lost access.
Examples of vendor security failures
The last decade has given us quite a few examples of how bad it can be when a vendor’s approach to security is inadequate either for the data they handle or for the access they have. Looked at another way, those same examples show how important it is for companies to be discerning when selecting vendors. They also should be methodical about making sure both sides have adequate protections in place.
I will never forget the stomach cramps that gripped me when the news broke that the people who stole ridiculous amounts of data from Target in December 2013 gained entry through an HVAC vendor’s network access. At the time, I was responsible for protecting Dell from exactly that kind of attack, so I put a lot of effort into finding out as much as I could about what happened. The Target breach was one of the first major breaches where details were made public, and it was a gold mine for vendor security managers like me. I’m sure it was less exciting for the 110 million people whose data were stolen, not to mention the CIO and CEO, both of whom lost their jobs.
Target executives certainly weren’t the only casualties of a vendor-related breach. Equifax lost their CEO, CIO, and CSO following a 2017 breach that affected around 147 million people’s personal and financial information. In that event, attackers discovered that Equifax had neglected to patch a bad vulnerability in a third-party component built into one of their main websites. The software in question, Apache Struts, is an open source framework maintained primarily by volunteers. Even though workarounds and patches were issued quickly, Equifax still had not taken action months later when attackers started stealing data.
It might feel funny to lump open source software libraries (or even software libraries in general) into the “vendor security” category. Later in this series, I hope to demonstrate that the vendor security management process works the same for all embedded, third-party components whether they are hardware or software, open- or closed-source.
Any list of vendor security failures would be woefully inadequate without mentioning the still-ongoing investigation into breaches related to a backdoor inserted into SolarWinds’ enterprise management software, which was then deployed to a staggering 18,000 government and private sector customer networks.
Trust, verify, and plan for failure
I deliberately avoided getting into details in those examples of vendor-related breaches because I want to make the point that vendor security is important without getting your adrenaline pumping. Managing risk related to vendors requires deliberate and thoughtful planning as well as long-term, consistent pressure on vendors to reduce risk over time.
That sounds like the opposite of Facebook’s famous “move fast and break things” approach, doesn’t it? Maybe so, but with a little bit of preparation and a clear risk evaluation process, solid vendor security management practices still can be implemented in companies that drive rapid change. Just remember that security, quality, risk, speed, scope, and cost all need to balance out in the end.
Want to know the dirty little secret to vendor security? It’s really not much different from managing internal security! The key element is to understand what is at stake and how much you are willing to do to protect it. From there, you can decide how much you are willing to trust your vendors, how much you want to verify that they are doing the right thing, and what protections you want to put in place in case things go wrong.
As we explore various approaches to managing vendor security in this series, I hope you and I both gain a better understanding of how we all can do better.