Is Your Service Provider Managing Your Security Risk Think Again
Steve leads the Internal Audit team for GSK, covering Information Security and Data Privacy. He is accountable for providing assurance to the board that security risks are being adequately managed. Steve has worked in IT for over thirty years. His background is in software engineering, and for the last sixteen years he has worked in Security &Risk Management within GSK.
Businesses are increasingly data driven, and reliant on highly available digital services. Such services must be resilient to a plethora of threats, such as ransomware and theft of intellectual property by an insider. This requires a comprehensive control environment, covering everything from secure hosting to incident response. The resources and capabilities required to achieve this are beyond what many organisations can afford. This is where Cloud Service Providers (CSP) and Managed Security Service Providers (MSSP) step in. These service providers make a high level of capability available through consumption-based pricing. Thus, small enterprises can access best-in-class security, whilst large organisations can worry less about building the necessary skill-base to go it alone.
Employing third party services is a cost-effective way of accessing specialist resources and capabilities. However, business risks cannot be outsourced. If consumer data is leaked due to failures of the third-party data processor, it will be the client organisation who will suffer reputational damage and legal liability. Outsourcing security will rarely change this inherent risk impact, but it should reduce the likelihood of a business crippling data breach. This benefit will only be achieved through a clear understanding of the shared responsibilities between Client and Provider.
Security processes, when viewed end-to-end, often reveal complex workflows involving multiple people with different responsibilities. Take vulnerability management for example. A MSSP may perform scanning and analysis, while in-house technology teams would do the remediation (i.e. patching or changing configuration settings). Additional responsibilities relating to exception management and compliance reporting should also be factored in. The result is an end-to-end process that spans multiple teams and organisations. This also leads to the risk of unclear accountabilities.
“Outsourcing security will rarely change this inherent risk impact, but it should reduce the likelihood of a business crippling data breach”
Establishing a shared responsibility model, which defines roles, responsibilities and dependencies is an essential foundation for ensuring value from third party services. This is especially important with Cloud Services. CSP's are very good at security. However, the provisioning of cloud resources comes with the responsibility of self-service security configurations, covering access controls, firewall rules, encryption, threat detection, patching frequency, etc. Nowadays, most cloud breaches are the customer's fault, and could have been prevented if available safeguards were enabled. Sadly, many of these breaches were due to basic control failures, such as weak access controls. The root cause may be poor threat awareness, lack of training or unclear data protection responsibilities.
MSSP's monitor, detect, investigate and respond to threats 24X7. Such services are essential in today's threat environment but introduce another cost to the business. Optimising spend on security services requires a trusting partnership. The client is responsible for identifying their most critical digital assets (crown jewels), whilst the MSSP is best placed to identify the most likely threats to those assets. This should lead to prioritised security requirements, which help ensure the most critical data is protected against the most likely threats.
An increasing cost of digital services can be attributed to security. This is money which might be spent on other business priorities, such as product innovation. Therefore, organizations have to define their risk appetite, which ensures security investments deliver the right level of risk reduction, and do not attempt to eliminate risk altogether.
It is the role of Internal Audit to provide assurance to Senior Management that Enterprise Risks are managed in accordance with the risk appetite of the organisation. As the cyber security risk has become more threatening to businesses, audit functions have evolved their capabilities to ensure in-depth coverage of this control environment.
When it comes to Third Party risk, Audit functions have historically had a strong focus on ensuring third parties have adequate security practices, evidenced by independent assessments and certifications. Whilst this is still important, it provides limited assurance, and could even give a false impression that security risk is within tolerance. Internal Audit increasingly are increasingly focusing on client responsibilities, because this is more likely to be the source of control weaknesses. Control Objectives, for each IT process involving third parties may include:
● A shared responsibilities agreement has been defined and is it being followed
● Our staff have the necessary skills to fulfil their responsibilities
● We have agreed our security requirements with the service provider, and these are aligned to our business risks
● We have classified our organisational data (including what is being collected by the service provider), and specified retention and deletion requirements
● Service performance metrics monitored, and can these be used to inform Key Risk Indicators
In summary, CSP's and MSSP's provide capabilities beyond which most organisations can achieve on their own. The business value is risk reduction, achieved through lower likelihood of cyber-attack and improved data breach detection. Critical to success is commonly understood shared responsibility agreement. Senior Management require assurance that their investment in security is delivering the necessary risk reduction, and it is the role of Internal Audit to provide that assurance. Increasingly, Internal Audit focus on client responsibilities as this is often the source of control weakness.