Think of Security as a Main Ingredient, Not the Icing
To help your business stay competitive, employees must work more efficiently than ever. So they’re adopting new tools to help them work faster and smarter. But how do you make sure that the technology and those third-party suppliers they’re bringing on board don’t pose additional risk for your company? An immature organization will jump into a contract and start buying software before anyone in IT has reviewed the architectural and design specs. On the other hand, a mature company recognizes the importance of designing security throughout the procurement process to ensure visibility and accountability across the supply chain.
Bake security in, don’t slather it on
“People think of security as icing. They build the cake and then realize, ‘Oh yeah, we need that security icing.’ So they put that icing on at the end, and then the threat actor comes along, scrapes off the icing, and there’s the whole cake for them,” says one expert. “You cannot do that. It has to be one of the main ingredients of the cake. Not just the icing.”
When you engage security and IT as an integral part of your procurement process, you help to ensure the products and services you acquire meet your company’s security and technical requirements—and save some major headaches in the future. Here are some guidelines to help you:
- Partner with IT & Security from the start
Get security and IT involved at the beginning to provide input on technical requirements and help you choose the suppliers and products that best meet those requirements. This will also help you to promptly address any issues that arise. Ideally, you will have a Chief Information Security Officer (CISO) driving the security piece in your procurement process.
- Create security policies
Develop procedures that state the roles and responsibilities of the security and IT teams within procurement. In addition, include guidelines around assessing your third-party suppliers’ security and technical capabilities.
- Develop a workflow for onboarding new technology
Create a procurement workflow unique to your organization’s business needs. Include each component that requires reviews, such as the technology, architecture, project plan, and third-party management.
- Develop metrics and reassess regularly
Follow-up and continuous monitoring are just as crucial as onboarding when it comes to new technology. The application may have been the perfect fit for your business needs at one time. But things change, and technology has to either evolve or be replaced as requirements change. So establish metrics to measure performance levels and reassess quarterly to ensure your business needs and security requirements are still being met.
- Manage suppliers post-implementation
Working with third parties can introduce additional threats to your business, especially when you’re dealing with suppliers who will have access to sensitive company information or systems. Having clear policies for granting, monitoring, and revoking third-party access is critical. This includes guidelines for managing passwords, access privileges, and data retention. It’s also essential to have a workflow for removing access when you no longer work with a supplier.
Prove ROI to Senior Leadership
Most importantly, you have to prove your value to company leaders. And that’s exactly what you’ll do when you can show executive leadership that due to the collaborative efforts of your procurement, IT, and security teams you were able to mitigate risks like data breaches, compliance issues, theft, and more.
Ready to Learn More?
Read the full Ebook to learn how to truly bake security into your procurement process.Read the Ebook