Maximising partner security and minimising risk

JUMO
4 min read · Jul 7, 2020


Data is the lifeblood of today’s economy. Companies rely on the timely and accurate flow of data between entities to sustain services, products, growth and profit. Because data moves along a chain of organisations, security becomes an ecosystem consideration rather than a single-company one. As JUMO’s Chief Information Security Officer and Head of Risk, Rob Bainbridge is constantly looking at the next step in third-party risk management. He explains why intensified collaboration is the future of information security.

“Ecosystems like JUMO’s enable people to use their digital identities (data) to enhance their lives. Our ecosystem gives customers access to financial products previously unavailable to them. Data travels between JUMO and its partners constantly to achieve this. We are parts in a system that begins and ends with a customer. In creating this powerful data chain, we also create an attack surface.

Yet how we protect data is often disjointed. Each member of the ecosystem protects the data when it’s in their possession and relies on Third Party Risk Management to bridge the gaps when it is not. For valid reasons these two approaches are different. There is inherent and residual risk at transfer between two entities and the latter is worsened by the siloed nature of risk management. After a data breach, parties will often move quickly to distance themselves from it, later implementing additional due diligence and oversight. The reputation of the breached entity then suffers and the cycle continues.

It may be appropriate to describe the services, products and agreements as ‘third party’, but it doesn’t work well for information security. By definition, a third party is a party outside the primary system, making the term inappropriate in the field of information security. Security relationships at arm’s length — upfront due diligence, sporadic outside-in monitoring and audits — all reiterate the clear delegation of accountability for each data handoff. They don’t, however, necessarily enable the collaboration needed to secure the entire chain.

While data protection regulation aims to protect people’s privacy by holding those in possession of the data asset at the time of a risk event accountable, misunderstanding of the purpose of regulation can exacerbate the inadvertent ‘us vs them’ dynamic detrimental to the customer (the data owner). A chain is only as strong as its weakest link, and as more data-related services are included in the data lifecycle, this risk of having a weak link increases.

Partner Security Management

This is an idea of security risk management in the spirit of Ubuntu — “I am because we are”. Rather than creating a single-strand chain and focusing purely on building better defences for each link individually, we work together to raise the level of security for an entire ecosystem. This creates fewer single points of attack by adding more layers of defence.

Working with partners leverages the collective power of diversity, skills and capacity, which can allow an entire ecosystem to benefit.

In any partnership, the overall security level of the system typically decreases to the level of the weakest member, making the ecosystem more vulnerable to supply chain hacks. Defences within an ecosystem of partners will be varied because of skills, experience, priority or maturity. Working together to bridge gaps can lead to an overall improvement of security for the entire ecosystem over time more effectively than relying on ‘arm’s-length’ agreements. Rather than trying to transfer the risk, we can put in the hard yards to reduce risk together. These can be technical and people activities like:

  • Including a partner in external vulnerability scans.
  • Establishing and testing response capabilities for incidents over shared assets.
  • Performing breach attack simulations against and with partners.
  • Sharing intelligence, news and risk information.

To achieve this vision of partner security management and to overcome situations where competitors exist in the same ecosystem, security principles are needed. Here is a suggested list:

  • Acknowledgement that not all security teams have all the components needed to defend against all threats.
  • Security positioning — understanding that security is motivated by means beyond profit and can be incentivised at a company, industry or government level to focus on what is important, which is in this case the protection of customer data.
  • Proactive engagement during the lifetime of the partnership, not only after a risk event.
  • Collaboration and sharing through bi-directional monitoring, exercises and communications.
  • Shared goals and OKRs related to ecosystem security improvements for true and business-aligned motivation.
  • Trust — built over time and leveraged when needed.

The concept of partner security management is one step forward to building true ecosystem security through relationships. To move beyond ‘us vs them’ dynamics resulting from traditional contracting, we must increase collaborative effort to reduce weak links in the ecosystem globally. Together we can solve security challenges and raise the strength of our defences at an industry level through engagement, sharing and trust.”

Thanks to Rob Bainbridge and James Clarke
