Security professionals want assurance from their vendors

In today's market, management increasingly needs assurance and comfort that security is being actively managed and that risks are being minimised.

Product vendors need to give explicit comfort to their existing and potential customers by demonstrating internal security maturity, industry compliance and product certification throughout the product management lifecycle.

Just to be clear, when I say product management lifecycle, I mean product research and development, product design, product development, component procurement, manufacture, product management, pre-sales, training, sales and logistics. It also includes the management of shipping/delivery, installation, administration/management, product updates, support and maintenance, and end-of-life recovery/disposal.

I'm sure people will have opinions on this; however, I think product vendors (all of them) need to be open and transparent about what they are doing internally throughout the entire product management lifecycle. Ignore this at your peril. Customers are holding off longer and seeking more assurance about what their vendors are doing to keep their environment and products secure. They are asking more detailed questions about how a vendor secures its internal environment, they want to know how security is embedded into every stage of the product management lifecycle, and they want evidence and contractual clauses to back up the claims.

Typically, vendors use certification (e.g. Common Criteria) to demonstrate their product security. However, in my opinion, vendors who are open and transparent about their internal practices throughout the product lifecycle are more appealing than those who are a closed book. Vendors need to be able to answer questions before they are asked, and to provide evidence that supports the answers.

Vendors should identify and adopt an industry-accepted maturity ranking system (e.g. ES-C2M2), or something comparable that provides a way to assess the key elements of their internal practices. These include risk management; asset, change and configuration management; identity and access management; threat and vulnerability management; situational awareness; information sharing and communications; event and incident response; continuity of operations; supply chain and external dependencies management; workforce management; and cyber security program management.

Once a vendor has completed the assessment, they should work out how to prepare and publish the results to the market. They also have the option of publishing sanitised internal audit results. Vendors should be doing the things that give customers assurance that they take security seriously, and more seriously than their peers or competitors. You never know: this could be the tipping point in the customer selection process.

If a vendor is already doing all this, then they need to start focusing on how to market what they are doing internally to protect their environment and secure their products.

Mark Jones is director at RMSEC.
