The Crucial Role of Third-Party Security in Digital Transformation

Luke Raines, IInformation Security and Technology Governance, Risk, and Compliance Manager, Challenger Limited

Digital transformation is synonymous with the use of third parties, and the need for robust security measures across an increasingly interconnected estate is crucial. While partnerships with cloud, software, and external service providers offer numerous advantages, they also introduce potential vulnerabilities. This calls for organizations considering digital transformation to recognize their security posture extends beyond traditional network boundaries. We’ll explore key practices in gaining assurance over the security of third parties for digital transformation projects.

A Risk Based Security and Resilience Evaluation

Consider the importance of the information, or services, being handled by the vendors as part of your digital transformation project. Ask yourself what protections you have in place today for those information or services, and seek to understand if the vendors can at least match them. It may call for some compromise over the design of controls, but exercise caution if it means growth in risk. Get assurance where it matters. While they may have scalable cloud capabilities, it may be continuity and recovery where your focus lands. Match controls to threat scenarios. Consider the risk you’re willing to accept.

Cloud Shifts Responsibilities

The use of cloud service providers (CSPs) is a common element of digital transformation. While this changes the dynamic of security responsibilities, it never removes it. Software as a Service (SaaS) will have the customer responsible for Identity and Access Management, data classification, and some application security configuration. Platform as a Service (PaaS) also requires the customer consider penetration testing and software development security. Infrastructure as a Service (IaaS) provides the most freedom, such as resources to deploy operating systems and software, and customers may be responsible for its patching, network security, and even host infrastructure security, in addition to software, access, and data security. All of this comes with cost, necessitates expertise, and shifts risk.

Contractual Obligations and Accountability

Establishing clear contractual obligations, that match your regulatory obligations, is another critical aspect when dealing with third parties. Contracts should explicitly outline security expectations, data retention, sharing, include breach notification requirements, define roles and responsibilities, and specify which party is responsible for different security measures. Consider incorporating clauses that mandate vulnerability assessments, penetration testing, and periodic security audits to provide assurance over the design and operating effectiveness of their controls, and consider the right to audit. To ensure accountability, consider the inclusion of recovery of loss in the event of a security incident. Regularly review and update contracts to align with evolving security standards and industry best practices

By investing in third-party security, organisations can identify weaknesses, mitigate risks, and partner in success

Ensure Regulatory Compliance

Digital transformation may seek to outsource aspects of technology capabilities, but businesses cannot entirely delegate regulatory responsibility. They must ensure vendors adhere to equivalent standards to meet regulation, or face the potential for legal consequences, hefty fines, or reputational damage. Governments in the Asia Pacific region have enacted stringent data protection laws and regulations, with Australia leading the charge. 2019 was defined by the commencement of the Australian Prudential Regulatory Authority’s Standard, CPS 234, for Information Security. 2022 was marked by compelling amendments to Australia’s Security of Critical Infrastructure Act. Set the expectation that third parties support required compliance to frameworks, as regulatory bodies will expect this of you.

Ongoing Monitoring and Risk Assessment

It is essential to establish an ongoing monitoring program, which includes adherence to agreed-upon security controls, compliance with regulations, and periodic reassessments to evaluate changes in the vendor's security posture, or changes in the external environment that shift risk. These assessments should also take into consideration recent attacks and incidents within the industry. Have regular service level agreement discussions, and it may be suitable to drill down into the design of specific security controls that provide concern during these meetings.

Incident Response Planning and Testing

Preparing for the worst, and hoping for the best, is the common school of thought when considering security incident response. This necessitates collaboration with vendors to develop a joint response plan that offers utility and flexibility. Plans should outline roles, responsibilities, and communication channels during an incident. Regularly test and update the plans to ensure their effectiveness. Conduct joint incident response drills to assess coordination, and incorporate lessons learned. By proactively planning and testing, it can minimize the impact of security incidents and expedite recovery efforts.

Don’t Forget Fourth Parties

Performing due diligence also involves understanding fourth parties. Discover if the data is being shared with them, or if the services considered depend on their resilience. Remember, the strength of the third-party security chain is only as strong as its weakest link. Look for vendors aligned to established security frameworks, holding certifications, and that take a proactive approach to IT risk management.

Conclusion

Digital transformation calls for organisations to recognise their security posture extends beyond internal systems. Thirdparty security plays a crucial role in protecting data, ensuring regulatory compliance, and enhancing overall business resilience. By investing in third-party security, organisations can identify weaknesses, mitigate risks, and partner in success. Remember, proactive security measures will not only protect your organisation but also enhance customer trust and reinforce your reputation in the market.