"Keeping it REAL with your Security Vendors"

Robert Pace - VP/CISO, Invitation Homes


Today’s technology landscape continues to evolve at a dynamic rate, and Information Security must match that rate of change to maintain a sound security posture for the organization.

Security leaders, regardless of their reporting structure in the organization, are stepping into a new role that focuses on Security Vendor Management. This does not mean placing the vendor in a box and limiting its operation; rather, it means enabling the vendor to align more closely with your established security program. It is setting the framework for an alliance that unlocks more of the security vendor's services and resources. Yes, this differs from the past view that no single vendor should hold too much of the budget, a position we as security leaders held firmly. "Compartmentalization" of security vendors does not produce the best result for the complexity of risk that we as security leaders must mitigate in order to enable business operations to grow. Therefore, deeper engagement with security vendors is essential.

"The technology of today requires a new position, which has been fueled by the emergence of cloud services"

Why the change? The technology of today requires a new position, which has been fueled by the emergence of cloud services. Every part of the business is using vendor-provided cloud services to some degree. Marketing, Human Resources and Sales -- to name a few -- are using cloud services and leveraging their vendor relationships to achieve their business objectives. Why should Information Security not adapt to the same concept? That is the point of "Keeping It REAL with your Security Vendors."

Fundamental elements include establishing a vision, a strategic approach, and a framework relevant to your organization. Once these elements are in place, the "operationalization" aspect becomes critical: operation and delivery are the engine. To get even more strength out of your operation and delivery, leverage input from your security vendors. The word "REAL" in the title is an acronym to help you enhance your security vendor relationships.

• R – Recognize the need for the security vendor. 

This is not merely outsourcing all of Information Security. Understand your area of need and align with a security vendor that provides that area as a core portion of its business. Review the security vendor's product roadmap and ask about the investment dollars committed to keeping it relevant.

• E – Expand your internal team’s perspective on how to effectively engage the security vendor.

Prepare your team on how to use the security vendor. Clearly explain how the vendor is to enhance service delivery. The vendor's place in the market is to provide the services you need. Remember, the security vendor is working for you!

• A – Articulate your full plan to the security vendor.

This may be the hardest step, but fully articulating your security program is important. This is not merely stating that you are NIST, COBIT, MITRE or PCI aligned; it means sharing how your program actually performs and delivers. Discuss the cultural points, share the budget, share the challenges you are encountering, and ask the security vendor for feedback.

• L – Lean-In with the security vendor.

Understand that the security vendor has a wealth of resources and connections in the industry. Do not be afraid to leverage these to gain insight into trends or emerging challenges. Additionally, volunteer to test new beta services. Give the security vendor concrete points on potential enhancements, articulated in a way that provides tangible information. Using the beta services will benefit your program and provide valuable feedback to the security vendor.
