Bringing External Assets Under Your CSP
At Pythia Cyber we aim to blend behavioral science with cybersecurity to improve effectiveness and team dynamics. In the usual case we are helping you create, manage and maintain your internal cybersecurity program (CSP) but increasingly we are asked about how to manage cybersecurity threats to assets external to the organization.
In practice, these external assets fall into one of two categories: assets owned by you but stored in the cloud and assets owned by someone else but used by you. The most common example of the second category is a software tool you use in your products which you buy or license from someone else. In other words, part of your supply chain.
Just about all organizations these days have some exposure to the cloud. Generally only manufacturing concerns have digital supply chains. Some organizations have both of these issues. In either case, the problem is the same: these assets are not under your control, so how do you apply your CSP to them?
The Cloud
One of the reasons you use vendors to manage assets in the cloud is to be free of the burden of actually administering the systems that hold those assets. You should only take this step if you trust the vendor in question. However there is no reason for that trust to be blind trust. You are allowed, expected and encouraged to verify that your trust is earned.
In practice this means regularly reviewing the vendor's policies to make sure that you agree with their choices and frequently reviewing the evidence that that vendor provides to prove that they are taking good care of your data. This feels uncomfortable, at least at first, because you are looking over someone's shoulder in order to make sure that they are doing their job even though they don't work directly for you. But this discomfort is not warranted: the vendor does work for you in a real sense. The vendor should be happy to prove to you that they have an active and effective CSP, since such a CSP requires them to generate and disseminate evidence internally. It should be no great stretch to provide you with a version of that evidence.
This means that you can slot their evidence into your CSP at the appropriate level and then your CSP can report the evidence up the chain inside your organization. There is nothing magic about someone else's Cybersecurity Engineers (CSEs). They should be doing whatever every other CSE does, and you should have an idea of what that is.
You can't hire or fire the CSEs, of course, but you can change vendors if you need to. In fact, when choosing vendors the cybersecurity policies and evidence options should be part of your checklist. A great deal on cloud services is not a great deal if the cloud is insecure or badly backed up.
Your Supply Chain
Extending your CSP to cover your supply chain is fundamentally similar to extending it to cover your cloud vendors: you need to make sure that their policies match your values and that they have evidence that those policies are implemented effectively.
Again, it can feel awkward to ask for such evidence, but rest assured that this is a reasonable thing to do. There are not yet universal standards for evidence, so flexibility is required in agreeing upon what evidence is acceptable.
What is universal is the need for earned trust between organizations and their vendors so that organizations can make sure that their cybersecurity standards are being met across their digital footprint even as that digital footprint now crosses organizational boundaries.
It Starts With You
If you are going to demand evidence from other organizations, it behooves you to be doing the right thing yourself. If you are going to negotiate what kind of evidence you will accept, you will need experience with how summarized your own evidence needs to be. If you are going to extend your CSP to cover someone else's work, you have to have a mature, functional CSP first.
Creating a CSP is a well-defined task which should link the C-suite with the Cybersecurity group and then just about every other part of your organization. There is much work to do, but many people to do it. Think of your CSP as a layer cake with evidence as the filling between layers. Having a CSP is part of the cost of doing business in the 21st century. You can do it. We can help.