Several years ago I worked for a startup that sold software-as-a-service. Part of my role was to help the sales teams navigate the vendor assessment processes that prospective buyers had. I learned a few things about vendor assessment processes and questionnaires from being on the receiving end of them multiple times a week.
I’ve written before about externalities: when an organization’s actions cause harm to others. The recent SolarWinds breach has got me thinking about when someone causes harm to others via a third party. Are you the route into your customer’s organization?
In Microsoft’s analysis of the SUNBURST/Solarigate code embedded in SolarWinds’ Orion, they estimate it contains 4,000 lines of code. What did that cost to build? What does that tell us about the threat actors?
You’re likely not a target of the SolarWinds breach but you still need to secure your digital supply chain.
We all take risks, but do we consider how those risks impact others? Should we include the cost to others when we make risk-based decisions not to address certain information security issues?
Every individual, company and society is willing to take risk. In everything we do there is risk; we use risk as leverage (in the financial sense) to achieve some benefit at lower cost. Figuring out where that bright red line of too much risk lies is not easy. Figuring out where you are relative to that line requires effort.
How many risk statements do you need to describe the information security risks to Management? Probably just one.
If your support staff need backdoors into customer accounts to provide support, then you need to safeguard that access beyond authentication and trusting staff alone.
Are you asking your vendors about the capabilities of their internal support tools?