In today’s market there is an increasing need for management to get assurance and comfort that security is being managed and that risks are being minimised.
Product vendors need to provide explicit comfort to their existing and potential customers by demonstrating internal security maturity, industry compliance and product certification throughout the product management lifecycle.
Just to be clear, when I say product management lifecycle, that includes product research and development, product design, product development, component procurement, manufacture, product management, pre-sales, training, sales, logistics. It also includes the management of shipping/delivery, installation, administration/ management, product updates, support; and maintenance and end-of-life recovery/disposal.
I’m sure people will have opinions on this; however, I think product vendors (all of them) need to be open and transparent about what they are doing internally throughout the entire product management lifecycle—ignore this at your peril. Vendors' customers are waiting longer and seeking more assurance about what their vendors are doing to ensure their environment and products are secure. They are asking more detailed questions about how a vendor secures its internal environment, they want to know how security is embedded into all the product management lifecycle stages, and they want evidence and contractual clauses to back up the claims.
Typically, certification (e.g. common criteria) is used by vendors to demonstrate their product security. However, in my opinion, vendors who are open and transparent about their internal practices throughout the product lifecycle are more appealing than those who are a closed book. Vendors need to be able to answer questions before they are asked, and provide evidence to support the answers.
Vendors should identify and implement an industry accepted maturity ranking system (e.g. ES-C2M2) or something that provides a way to assess key elements of internal practices. This includes risk management, asset, change, and configuration management, identity and access management, threat and vulnerability management, situational awareness, information sharing and communications, event and incident response, continuity of operations, supply chain and external dependencies management, workforce management, and cyber security program management.
Once a vendor has done the assessment, they should work out how to prepare and publish the results to the market. You do also have the option of publishing sanitised internal audit results. Vendors should be doing the things that will give customers assurance that they are taking security seriously—more seriously than their peers or competitors. You never know, this could be the tipping point in the customer selection process.
If a vendor is already doing all this, then they need to start focusing on a way to market what they are doing internally to protect their environment and secure their products.
Mark Jones is director at RMSEC.