Third-Party Security: A Key to Comprehensive Organizational Protection
- December 30, 2024
The number of cyberattacks targeting supply chains is on the rise. On the one hand, supply chains have become an increasingly attractive attack vector for disrupting critical infrastructure and industrial sectors. On the other hand, large companies often have mature cybersecurity programs that make it harder to exploit their systems directly. However, they interact with smaller service, product, or technology providers, with whom they interconnect systems, exchange data, or even share physical workspaces. This gives attackers the opportunity to use these third parties as a shortcut to their primary targets. In this context, the concept of 'third-party security' becomes increasingly relevant: managing the risks associated with suppliers, partners, and any external entity with access to an organization's critical systems, data, or resources.
Define It by Contract
Organizations must clearly define what to require from third parties regarding security, depending on the type of data shared. For example, if a third party needs access to personal information about employees or customers, the organization must ensure compliance with the applicable data protection regulations.
In this context, contractual agreements establish the foundation that the purchasing company needs to protect its information and business while defining the responsibilities and expectations of both parties.
Additionally, contracts help improve the management of vendor relationships and ensure that an adequate level of information security is maintained over time. Compliance with the agreed controls is verified through regular audits of the third party. Regularly reviewing and updating contracts is essential to address new risks and to keep up with regulatory changes.
Cloud Services Outsourcing
When contracting cloud services, it's crucial to specify the information to be migrated and the security controls to protect it.
Software as a Service (SaaS): The provider assumes most of the security responsibility, including the underlying infrastructure and the application itself. The organization remains responsible for its data and for how it configures identities and access to the service. Organizations must therefore assess whether the default controls offered by the provider are adequate; if they are insufficient, additional controls or a change in contract strategy should be considered.
Platform as a Service (PaaS): The provider manages the infrastructure and platform, while the organization is responsible for the security of the applications it develops and deploys.
Infrastructure as a Service (IaaS): Security responsibilities are shared. The provider handles the physical security of data centers and the underlying infrastructure, while the organization must secure its workloads, applications, and data.
The Role of the CISO
In the context of third-party security, the Chief Information Security Officer (CISO) is responsible for establishing the appropriate security controls based on the sensitivity of the information accessible to suppliers or partners. It is essential to consider the entire lifecycle of third-party engagement: the evaluation and contracting of the provider, the delivery of the services, the closure of the agreement, and the disposal of the data involved.
Other areas of the organization also play significant roles. The Procurement Department ensures compliance with security controls before approving a service provider's offer. Business Units must include security requirements when drafting requests for proposals or service agreements. Other departments, such as Legal, ensure that contract clauses align with the required security controls.
In an increasingly interconnected and digital world, third-party security has emerged as a cornerstone for achieving comprehensive, end-to-end protection of the entire supply chain.