Facilitating partner integration without sacrificing security
By Ray Kruck, CEO and Founder, Tugboat Logic
Third-party risk remains a pressing issue for businesses. Having done your own security due diligence does not mean your partners have done theirs; the SolarWinds supply-chain compromise is a textbook example.
When startups and small businesses partner or merge with large companies, they cannot assume that the larger partner has taken care of everything related to security, or that its approach fits them. A "one size fits all" posture will not discharge your own security compliance burden. Smaller companies have to be genuinely secure, and that also means not being pushed into accepting more risk than they can bear.
Small businesses must also take responsibility
It can be tempting to take a head-in-the-sand approach rather than conducting your own vendor risk assessments, since these can be a significant burden. But sooner or later you will probably have to, especially if you pursue a SOC 2 attestation or ISO 27001 certification.
Frameworks like these require your business to perform a vendor risk assessment for every vendor you have integrated with, whether you are a 100-person startup or a two-person business.
Instead, many small businesses and startups rely on their cloud infrastructure providers to cover it all. But if you pursue any form of attestation, even short of a full, audit-ready SOC 2 report or ISO 27001 certificate, you will need to gather at least enough information to perform a basic verification of your partners. For Amazon Web Services (AWS), for example, that means obtaining the provider's published security and compliance documentation (its own audit reports and control descriptions) to verify the security of the infrastructure you depend on. That material can be hard to navigate and hard to interpret; it is difficult to know what to collect and what constitutes enough evidence.
The good news is that the major cloud providers know this is a requirement, so they now put this information front and centre for their customers. That was not the case a few years ago.
Key Considerations for Third Party Partners and Security
For the business working with the partner (or merging with a larger business), it is essential to take the time to answer these questions:
- What data will I collect or process, and what flows into and out of the third-party solution I use?
- Which solutions do I use within my own business that form part of the service I offer to my clients?
- What do I put into my client's network?
- What remains within my own application?
Then work out how to take advantage of the services already available from your cloud provider, especially the big three: AWS, GCP, and Microsoft Azure. These companies already offer a considerable number of security controls that SMB customers can use, but most customers either do not use them or misconfigure them.
On the third-party risk management side, however, large companies tend to push as much risk down their supply chain as possible. Startups and SMEs can end up with onerous contractual obligations: if something goes wrong, the smaller company will be held responsible.
Startups need to recognise that much of the responsibility will land on them when they partner with a larger group. As a newer, smaller company, you need to be prepared at all times to provide proof of your security posture or to allow the larger company to audit you. This process needs to be reasonably transparent, and you need to make sure you are showing them only the things they really need to look at, and nothing extraneous that could invite the wrong impression. Many companies fail to establish even a basic readiness level, which can trigger an even more in-depth investigation by the partner.
Take advantage of the services offered by your cloud provider for the security and resiliency of application hosting. When integrating third-party services into your own application, don't put the necessary resources and investment only into go-to-market; put them into the technical integration too. A common pattern is to purchase additional services from the large vendor, along the lines of "Can I just buy X hours of support services to manage the integration project?"
Treat your partner onboarding project like any other IT project, with defined milestones, deliverables, and dependencies factored into its scope. Check whether you need an integration outsourcing partner to reduce the risk to a successful joint development effort. It is important to reserve 10 to 20% of the cost of the partnership for integration services. This way you get priority help; if you rely solely on the platform's standard support, your integration may not get priority.
Understanding the fine print
It may be obvious, but it is still forgotten: read the fine print of your partnership agreement. Depending on how you use the data that passes through this API and how that data is handled in both directions, you should assume that if something goes wrong (and it can) you will likely be blamed.
This is why it is so important to make sure you have done your due diligence. Review all API integrations with third-party services, large or small, and understand that each one could be leveraged as an entry point.
For several reasons, if a vulnerability surfaces you will draw the short straw: you will have to report it and provide an explanation. In some cases it can destroy your business, your business model, or the quality of your solution. So understand what you are signing up for, understand how dependent your business is on this integration, and take integrations seriously.
Built-in due diligence
At a fundamental level, it is imperative for any business to manage its third parties and the risks they present to its infosec requirements. Compliance and security are therefore key factors when onboarding new technology integration partners. Consider the best practices above when engaging with a partner, and use them to build third-party due diligence into your security program.
About the Author
Ray Kruck is the Founder and CEO of Tugboat Logic, Inc. He has a career spanning over 24 years in corporate security, with leadership roles in business development, marketing and sales at several premier companies, including Check Point Software, Proofpoint, Websense, and Voltage Security. In 2011, Ray co-founded Nexgate, a platform that helps brands discover, monitor and secure their social media presence. Nexgate was acquired by Proofpoint (NASDAQ: PFPT) in 2014 as its largest acquisition to date. After Nexgate, Ray co-founded Pointgrey Partners, an early-stage venture capital firm focused on disruptive deep-technology plays in the business and life sciences markets. Ray enjoys mentoring other start-ups through his participation as an associate in Canada's leading tech mentorship program, Creative Destruction Lab. In 2017, Ray founded and became CEO of Tugboat Logic Inc, a security assurance platform that uses automation and built-in guidance to simplify security management. Tugboat Logic helps customers prove compliance and transact more efficiently. To date, the company has raised over $15 million in venture capital and leads its market with more than 400 corporate clients and more than 20 strategic audit and solution partners worldwide.
The views and opinions expressed herein are the views and opinions of the author and do not necessarily reflect those of Nasdaq, Inc.