Larger enterprises that rely upon upwards of 20,000 service suppliers are challenged with keeping track of what is ending up where. "It’s not just about supply chain, though," said Paterson. "It’s more and more cloud services. There is more being held outside the boundaries, and the enterprise is losing control of where their information is being stored."
For those who appreciate these concerns about losing control of where their information is stored, Paterson said, "It’s right to embrace all these new technologies and continue to outsource, but you need to look at the vendors and assess their security and check the data that is getting out. That’s a new piece in a security program."
Designing a vetting process for third party vendors
Conway said that most large providers will not take responsibility for a breach in their contract, but there are important questions enterprises should ask when doing their due diligence and choosing their outside providers.
"Ask 'who else are you using? Where else will my data go? Will that other service provide the security I expect?'," Conway said, but the enterprise always has to be aware of what they put in the cloud. "Contracts shift risk but they do not employ security," Conway said.
James Christiansen, vice president of information risk management at Optiv, said, "There is no one size fits all when it comes to third parties, but enterprises have the ability to define the amount of risk they have and match it to the amount of due diligence to that risk."
What enterprises should be looking for is the maturity of the vendor's security practices, but they also need to communicate their expectations to the vendor. Christiansen said, "Security language is needed in the contract to hold them accountable, and we do see instances where the appropriate controls are not communicated and the right level of expectation is not given to that provider."
Sign up for CIO Asia eNewsletters.