
The memo from your largest customer you dread receiving

October 21, 2015

Did you get that memo yet?

There comes a time in every business leader’s life when he or she receives a sternly worded memo from a large customer who requires that all “third-parties” adhere to security standards as rigorous as their own. Other times it is an external auditor or federal regulator who rings the bell. Sadly, sometimes it comes as a “reality check” after a major internal security breach.

However it comes, that day is met with consternation.
“Do I hire more IT staff?”
“Do I fire and replace the ones I have?”
“Do I call a big consulting firm?”
“Do I hire a lawyer?”
“Do I fall on the sword?”

Security is one of those nagging concerns every business leader wishes would “just go away.” Unfortunately, the only certain way to make security less of a concern is to infuse it into every aspect of the business. Like quality control, security is a discipline that works best when woven into every key production environment rather than bolted on afterward.

Two forces, pulling in opposite directions, have to be addressed before the problem is solved and security really works:

There are too few skilled security professionals to hire, and
advanced threats and critical risks are growing each day.

Of course, companies need expertise and technology, but only the most well-heeled can afford to manage all the threats internally. Hiring outside experts, then, either for short-term triage or for longer-term oversight and monitoring, is one technique companies have used for years to overcome the time and talent shortfall.

As I discussed this with business leaders recently, the overwhelming feeling in the room was that someone needs to speak the language of compliance. Someone in the organization, or one of these outside experts, needs to translate the security efforts the company is making into language that will satisfy the auditor and the big customer.

Some experts put the technology in place. Others handle the compliance communications, mapping what has actually been done onto the standards the auditor or customer asks about. When a business has both, it can confidently reply to customers and auditors, “We have security built into our company culture and into our systems,” and back the statement up with evidence.