Sep 27, 2019

On the economics of supplier due diligence (2 of 3)

Welcome back to the journey of rediscovering optimal supplier risk communication from both sides of the table!

To recap, so far I identified challenges to faith that have crept into the system through abuse of the two main tools most often used to build Trust around InfoSec objectives in a Buyer / Seller relationship. 
At this point I can imagine a few camps developing, ready to love or hate my perspective, so here is a quote I heard recently in Brené Brown's book "Dare to Lead", which I hope will carry us a bit further on this journey together.

"In the past, jobs were about muscles, now they’re about brains, but in the future they’ll be about the heart." —MINOUCHE SHAFIK, director, London School of Economics

Let's explore what happens if we need to see or demonstrate more confidence in this problem space populated with potential free riders willing to gain a buck at any cost while the rest of us invest reasonably to keep the mean as high above "we would care less about our customers if we could" as possible.

To start bold, consider the ideal alternative or enhancement on the Supplier side.  Why not aim to have the pride in your IS program sell your product for you?  Think beyond the initial cost of kicking your audit program up a notch or two and the impact of the initial few deeper dives.   What will you get if you invest in more or better controls testing with higher skilled resources for the wider ROI as suggested earlier?  Higher confidence that desired outcomes will occur, with fewer surprises?  Higher efficiency due to well designed and maturing IS controls instead of patchworks that barely pass and create friction and exception churn?  Stronger accountability to avoid loopholes that trip you up eventually?  Automation to simplify and give your human innovation machines far more interesting challenges to overcome and propel you to even higher heights?  True, higher cost as well, but those are some fine outcomes, no?   It's what we all dream of on the IS leader side, so it had to be said even though we all know it is HARD to deliver.

It would be unfair or plain naive if we didn't acknowledge that this is hardest to achieve and scale for larger orgs with a variety of products that are constantly evolving, and the technical debt that inevitably comes with distance on that journey.  For the rest who still prefer to hide, or to accept that they have to remain ignorant of their risks because their market, threat population, regulatory universe, or soon-to-be-exited position provide a challenge (or opportunity), it is simpler overall to skip the cost and lose some small % of their opportunities, because avoiding the cost provides the incentives that still win the short term game.  There were plenty of customers who bought the Yugo and Corvair, right?

When we consider the deeper option on the Buyer side we have to address a few unfortunately common Seller responses that can hinder our effectiveness.

  • Some traditional IS leaders consider the exposure of even high level details about IS strengths and weaknesses as Operational Risk.   These leaders choose not to let content off their premises beyond their third party reports.  To speak plainly, it does feel a bit insulting to the assessor when the Seller's IS team does not trust their peer who is simply trying to execute due care as defined by their context.  For the supposed safety this stance provides, this argument seems counterintuitive to me.  If we assume that the set of possible permutations of technical architectures is relatively small, then the only benefit to not sharing the policy level objectives of the company is what?  Do they expect us to tell our business that the Seller's team is somehow more trustworthy because they might actually have a different way of spelling "encryption", to explain why the Seller is hiding their cards?  Their policies shouldn't say anything too precise anyway.  So what is the real risk of sharing, or the benefit of not sharing?  (Besides cost of sale for the longer discussion, of course.)  Do they want to force you to come onsite for anything they're not willing to cover clearly in the third party audit?  Hmmm...there we might be on to something.  Unfortunately there is a potentially exploited benefit for the Seller in this seemingly honor-worthy position that Buyers should be conscious of.  Sellers know the cost of an on-site visit from your perspective.  They can easily guess the probability of you coming on site, just by talking to the Buyer and assessing their level of need, urgency, investment in their employer, or comfort with failure before they engaged IS for diligence.  If the Seller has a higher tolerance or less fear of losing the deal, or worse, fear that bad news you might discover could leak despite the NDA, there is Opportunity in suggesting you come on site for those Sellers who aren't actually ready but are willing to claim they are.
    Many if not most Buyers will blink in this game of chicken and not spend the travel cost to verify--to the Seller's gain, by incentivizing their fraud.  How to spot this play: the Buyer's IS team should watch to see if the IS pro is delivering responses alone or if they are carefully accompanied by someone from Sales or Legal who seems willing to push back on even your simple requests.  While you work hard to help the IS pro on the other side tell their best possible story, you notice the parties with the more vested personal interest in the deal push back more than the IS pro on your requests.  If you encounter this, consider that they may have a playbook tuned just for those specific areas.  If they escalate against you after you touch a specific area--or worse, if you try to go deeper at all--you know you've found something risky to their reputation, and it will likely be difficult to get enough facts to even justify a finding.  Be careful.  Unless you are working a High Inherent Risk, it probably is not the right time to expose their game.  Back out of the conversation respectfully to your likely honorable and embarrassed peer, and talk with your business about how valuable the solution is and how much they really want to know.  If your Buyer still wants to know, go back in and watch for other shame triggers and opportunities to tie requests together until your peer can find a way to honor their code of ethics without destroying their current, unfortunately shaky, career stepping stone.
  • Sellers could insist on self assessments (e.g. SIG, CAIQ) which they themselves created.  These unfortunately come with a dare: "Go ahead.  I did all this work.  I dare you to tell your Buyer that it's useless as verification."  Not much you can do with this one but grin and bear it, and leverage any formal QA standards you have to explain why "verify" means seeing evidence of either reality or a third party challenge of the reality, not a crib sheet.

So let's talk about those alternatives for the Buyers.

  • Buyers could join a consortium or just trust the regulator to do the work for them.  What if their standards or their assessors lack the depth to keep up with the Technology or Threats for a particular Supplier's risk case?  The power of the many in a buying relationship can be useful; however, it often leads to homogenization of the expectations and could potentially enable assessment with lower cost skills, or a decision driven by a few higher risk tolerant entities.  In the case of many of the old but also the most emerging technologies, it is often the highest risk tolerant who drive prioritization of the security features and make the decision.  This could mean the decision for the less risk tolerant becomes not "Take it or leave it" but "Take it as is with all the risk and an extended period of not knowing, or fall behind," again to the benefit of the exploitive Sellers.
  • I could leverage services that will give me more Intel and ongoing oversight.  Unless the Seller has allowed the service deep monitoring, and even if they have, I still have to monitor the checker, because they too are a Capitalist and might choose to cut a bit here or there on their journey.  Overall this isn't such a bad approach if you have the resources to tie the output to your IS objectives so the Intel can serve as triggers.
  • For the sake of the spectrum, what if the Buyer gave back?  What happens if I am lucky enough that I could hire and offer higher skilled IS professionals as Opportunity to the Sellers who are smaller?  If their tight margins and tight IS operational budgets don't allow for improvements in confidence around documents and stories to tell, I can help them through the partnership for a shared win.  I could help them see that the work they did to respond to my Seniors, if packaged effectively, could be immediately reusable and add to their value story for their next client pursuit, increasing the probability of a win through leverage.  Of course I have to be careful to avoid liability risks, but still, wouldn't this be a better Buyer/Seller relationship after we helped the business leadership understand the win-win?

With all this to worry about, some days I wish we had a Yelp for suppliers.  We could simply vote without the comments and relatively anonymously, so the skills and budget available to the larger Buyers could be shared with those who have less.  Then they get the benefit of greater resources without the "take it or leave it" position that tired and worried IS pros working hard at smaller (and larger) firms are left with.

Unfortunately it seems like there are more strategies that the Buyers can leverage in this, as the Sellers are always going to be pressured by the cost of sale and the push for the next higher quarter to drive to the lowest mean we accept.

Maybe you know a few that the Seller can use to be innovative instead of exploitive or evasive?  Please do share if you do, as we all need to be better friends and citizens than this, or it's all going to degrade to more Andersens and GEs skirting every boundary to make the quick buck until that's the only ethics the entire culture understands.

Well, stay tuned, as I'm going to break this here and come back later with a few other innovations I hope the ambitious few Sellers might try.  There just has to be a better partnership to keep all of us and the Joneses running faster than the bear, and I know we won't find it without some "Rumbling with Vulnerability".
