Puneet Kukreja, senior security advisor at National Australia Bank, led security and risk professionals from the financial services, automotive, and energy sectors in a roundtable discussion about supply chain security as part of the Peer-to-Peer sessions at RSA Conference 2015 in San Francisco. Below are Kukreja’s notes from the session.
Approximately 30 attendees were present for the roundtable discussion Third Party Supplier Governance—Secure the Supply Chain. They came primarily from financial services, government agencies, and the automotive and energy sectors.
The discussion revolved around how enterprises keep their data safe across the supply chain and which control models organizations have implemented to ensure third-party data security. The main theme that emerged was that third-party governance for information security is still an emerging area and not as mature as it ought to be:
- Organizations typically do not have a comprehensive model for assessing how their third-party suppliers have implemented security controls.
- Growing consumption of cloud services is further eroding organizations’ ability to assess vendors directly, and with it their confidence in what vendors report about the implementation and effectiveness of their security controls.
- Information security is generally not top of mind when organizations negotiate outsourcing arrangements.
Even so, it is an area that will grow in importance as organizations adopt cloud services and embark on digital transformation programs with industry partners.
On the flip side, a few participants were militant in their approach to, and implementation of, information security discipline within their organizations. For the most part this was due either to heavy regulatory focus or to the organization having previously suffered business disruption as a result of information security incidents.
In some cases, third-party governance has to be a formal process, treated as distinct from audit and assurance activities. Controls and assurance parameters are defined in the agreements between the contracting parties, which set out each party’s obligations. The purpose of defined controls is to provide adequate security throughout the lifecycle of a transaction, in line with the risk appetite of the engaging organizations.
Third-party governance is about understanding the data supply chain, so that all contracting parties are aware of every component and endpoint in a transaction chain. This allows any loose or vulnerable points to be identified and remediated before the supply chain can be compromised. Trust is also required: the contracting parties agree on an appropriate level of confidence in all components of the transaction chain, including the environments in which those components operate. This ensures the integrity of the data can be maintained through the supply chain, from the organization out to third parties and back.
Regardless of how much security professionals may wish otherwise, compliance will not go away. All parties involved in managing third-party suppliers from an information security perspective must agree to audits, or to periodic inspections and security reviews where no audits have been agreed upon. These inspection and audit requirements should also extend to any fourth parties involved in provisioning the services, and should include provisions for appropriately sanctioning non-compliant parties. To ensure compliance, focus on end-to-end assurance across the entirety of the data supply chain for third-party suppliers.