Outsourcers, managed service providers and cloud providers have increasingly been a part of a CISO’s portfolio for delivering service to the enterprise for years but procurement officers still don’t know how to deal with third parties, says an expert.
The answer, John Proctor, vice president of global cyber security at Montreal-based systems integrator CGI, is to educate them.
“We have procurement departments that are designed around box procurement rather than app procurement,” he told attendees this week at the RiskSec Toronto conference. “When you as security folks say to them ‘I want to get an outcome,’ they don’t know how to do that.”
There’s no such thing as “agile procurement,” he argued – especially in government, where the buying cycle can take 18 months. “We’ve got to procure at the speed of cyber,” he said.
And while the lack of knowledge of how to buy services creates risk, he told the group, it’s also a challenge for the security team to educate the purchasing team.
One way, he said, is to pull procurement officers – even if they are “kicking and screaming” – to cyber security conferences so they understand the problems and solutions available.
Communications – being able to explain the security team’s need – is vital. Too often, Proctor said, there’s confusion like this: When drafting requests for proposals (RFPs) an InfoSec leader tells the procurement team, ‘This is what I want.’ The procurement team says to the industry, ‘This i what i think they want,’ and the suppliers reply, ‘This is what I think I understand what you want.’ And then after the supplier is chosen both sides get together and discover what is really wanted.
“When you start working with third parties the most important part is that conversation [on what is wanted] so we understand and we can look at each other in the eye and say ‘I get it,’”
“I had a good conversation with a CIO in Germany who said, ‘If you give me what I asked for I’ll fire you. You need to give me what I should have asked for,’” Proctor recalled. What the CIO meant was a good third party should tell a customer if what he has in solutions is right.
Mature third parties, Proctor added, are willing to say ‘We’ll need another partner to do that,’ and then figure out how that extra party will be managed.
“Anyone who says, ‘Don’t worry we can do everything without anybody else’s help’ across the whole spectrum is smoking B.C.’s best product.”
Service level agreements (SLAs) and key performance indicators (KPIs) are essential in any third-party agreement, he said, with a level of granularity the security team is comfortable with. For example, if buying a security information and event management (SIEM) as a service (SaaS) find out how many use cases get updated each year?
The contract could also specify if need more use cases are needed (for unexpected events like an acquisition) this what it will cost, and how much time it will take to add.
The contract might also say every six months the third party tells the executive committee what new projects its working on somewhere else the board might be interested in. That, Proctor said, could give insight into new technology or industry trends.
Also, include third parties when doing corporate incident response tests. You’ve got to know how and who to get hold of in an emergency. A good partner wants to know the customer’s response plan.
Finally, when looking for a third-party provider Proctor suggested the lowest price isn’t only what counts. Think in terms of signing a partner that’s going to be with you on a journey. “You’ve got to be able to trust,” he said, “because if you’re part of the choosing process this is your reputation as well.”