Why the Security of Your Vendor’s Entire Enterprise …

Be very cautious of vendors who contend that their enterprise security program is none of your concern. That very argument demonstrates a lack of understanding of the cyber-threat landscape.

Reliably protecting systems and data over time requires the disciplined execution of a robust security program that spans an entire enterprise. As a former CISO and now advisor to third-party risk management teams, I’ve seen some vendors take the contrary position, arguing that customers need only be concerned with the security of the systems that host their data.

Rarely can risk be contained to one set of systems without being affected by the threats to, and vulnerabilities of, the surrounding systems and people. Grounding your third-party assessments in a correct, practical understanding of the cyber-threat landscape will compel you to be concerned with your vendor's complete enterprise cyber-risk management program, not just the systems that you use.

We offer three points to consider when faced with a vendor’s “contained risk” argument: 

1. Data that can be moved will be moved. On paper, most application stacks are well bounded, supporting the argument that risk is contained to a limited…
