In cybersecurity, you cannot delegate your responsibility

If you are responsible for some information or processes, you are responsible for their security from end to end.

Being responsible for something does not mean that you have to do everything. You can delegate tasks and subprocesses to providers, even critical ones, but you cannot delegate your responsibility.

If the customer is paying you for a service, the customer is making you responsible of the security of the service. If it is a service where the security is shared between you and the customer, that’s ok. But the part that is your responsibility, the customer expects that you own it.

Depending on your local laws you will be able to delegate some tasks or processes. Usually a lot of them. But if they are hacked, you are hacked. You cannot delegate that responsibility. You cannot rely fully on the security of the provider, and if you do, be mindful of the consequences.

If one of your providers is hacked, and because that, an attacker accesses data of your customers, you have been hacked. You won’t be able to say “It’s not my fault. My provider was hacked”. Or if you say that, you won’t be able to avoid some reputational damage at least.

The same happens with attacks against availability. If a provider you have is hacked and that affects the availability of your systems, neither a SLA, a contract, or “this provider is very good” will avoid that your systems are unavailable. If you need high availability don’t pursue it with SLAs, but with real security.

Do whatever is necessary to have the security that you and your customers want and need. I don’t say don’t use providers¬† but use them wisely.

Request and demand your providers to be secure. I did many ISO 27001 third party certification audits. I saw the same pattern many times: many providers don’t have a minimum level of security just because customers are not interested in their security. Then, when talking with the other side, with the customers, I saw the contrary: customers don’t asking about security because they assumed their provider should be secure…

If you have customer power, try to talk with the security team of your providers. Ask them about their processes and scope, and get information about how they protect, detect and react. Request excellent security.

Don’t assume anything from anyone. Just because it is a leader or a company dedicated to authentication doesn’t mean they are secure. Request security and evidence of it.

Besides requesting and demanding security to your providers, apply a zero trust policy here. How can my provider be breached? How can I detect if my provider has been breached? Can I implement something to be protected just in case my provider is breached? No. You cannot just rely on your provider. Obviously, how much do you want to monitor or protect depends on your risk appetite. If you try to be protected against everything you will be re-implementing all your providers processes, so that is not the objective, but you cannot just settle with delegating a critical process to a provider, sign some SLAs, and relax.

Please, rate this post:
[Total: 0 Average: 0]

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.