At Digital Outcomes 2023, Art of Procurement was pleased to have Jo Peterson, Vice President Cloud & Security Services at Clarify360, as one of our speakers. She has expertise in cloud, cloud security, and cybersecurity. Perhaps more importantly for the procurement community, she also understands the business considerations and implications of cyber risk. Jo was so thoroughly prepared for her session that we asked to share her notes in the form of a Q&A.
If you would like to learn more or connect with Jo, you can access her LinkedIn profile.
Q: From a financial standpoint, what are some of the implications for organizations with weak security posture?
A: A breach is a bad thing all the way around, and cybercrime costs small businesses disproportionately more than big businesses. For large corporations, the financial impact of a breach may run into the millions, but at their scale, the monetary implications are barely a blip on the radar.
According to the 2021 Cost of a Data Breach Report from IBM and the Ponemon Institute, the average cost of a data breach in 2021 was $4.24M, a 10% rise from its average cost of $3.86M in 2019. Even more troubling is the report’s finding that the longer a breach remains undetected, the higher its financial impact.
For example, data breaches that were identified and contained within 200 days had an average cost of $3.61 million. But breaches that took more than 200 days to identify and contain had an average cost of $4.87 million, a difference of $1.26 million.
Losses happen across a number of fronts (intellectual property, customers, and brand) once the news gets out that a company has been breached, but folks sometimes forget about the aftershock. It costs a lot of time and money to remediate. There are things like service credits or other refunds issued to impacted customers, lawsuits from customers and/or partners, fines from regulatory agencies, and, maybe the biggest spike in recent years, higher insurance premiums.
Q: What are the major tech shifts procurement should be aware of for the impact they may have on cyber risk?
A: In terms of tech, maybe the biggest shift in the last 10-15 years has been cloud. Cloud has shifted the way organizations procure infrastructure. What was CapEx spend for 20 years became OpEx.
And then the COVID pandemic caused organizations to change where and how people work. All of a sudden, even legacy organizations, small businesses, mom-and-pop shops, everybody, was forced to use cloud and SaaS to allow their employees to work and to allow the organization to service clients. Modern, cloud-based platforms like Zoom, Slack, and Salesforce enable knowledge workers to collaborate efficiently from their homes. As beneficiaries of this shift, public cloud hosting providers like AWS, Microsoft Azure, and Google Cloud have seen phenomenal success.
According to Gartner, the spend on cloud providers increased to $178 billion in 2022 from $141 billion in 2021. That’s a 26 percent increase in 1 year.
From a security perspective, customers used to host applications in their own data centers and had full control of their environments and security. Customers operated in a ‘walled castle’ where the network and applications were secured and controlled by them.
When customers adopt public cloud providers, security is a shared responsibility model between them and the cloud providers. For example, if a customer stores data in the AWS data center, the customer has to configure and manage their own cybersecurity policies. AWS does a great job, but security with public cloud is definitely a shared responsibility.
Q: What is the best approach for crafting RFPs to address security needs?
A: There are two key ways to address security needs via an RFP: the technical security content that needs to sit inside the RFP and the security considerations for the contract vehicle.
Be sure to ask about architecture, implementation, and tuning. Ask general questions that aren’t too technical and are applicable to most security products and security software:
- Describe your implementation and tuning process for a new customer.
- What points of technical integration do you expect we will need to perform?
- Are there any third-party licensed products that we will need to purchase? What might these be and what are the associated costs?
- What type of access to our systems or network do you need?
- Where does my data reside?
- Data retention: How long will your company store data collected/created for or by us?
- Data destruction: What is the process for purging or destroying historical data after use?
- In the event we need comprehensive forensic data for an investigation, can you provide it and what can you provide?
On the contract side, make sure your legal team includes the following for the provider:
- Their obligation to notify you if they detect any breaches.
- Cooperation requirements if any incident is detected by them or you. This includes information or systems they would have to allow access to for an investigation.
- How they indemnify you (i.e. protect you financially) or compensate you for financial repercussions related to an incident. Providers often attempt to limit their exposure, but crafting broad indemnity agreements, ideally backstopped via an insurance placement, may be possible.
- Consideration of the level of access and sensitivity of data should guide the agreements. If a provider has access to highly critical information or systems which could result in significant loss of safety, money, or your reputation, you may consider adding a clause to audit your provider for cybersecurity practices. This clause is typically added only in high-risk situations, and also depends on the provider’s willingness
Q: Since software is such a large part of the enterprise IT budget, can you talk through basic, intermediate, and advanced criteria to look for in off-the-shelf software products?
A: Worldwide IT spending in 2022 passed $4.4 trillion, an increase of 4% over 2021. According to Gartner, one of the fastest growing categories of technology spending in 2022 was software, at $675 billion, up 9.8% from 2021. Depending on which analysis you read, software spend is 20-30% of the IT budget.
Here’s the tricky part: software is an amorphous term like ‘cloud’; it can mean lots of things. Part of the definition includes software as a service products for things like accounting software, HR software, CRM, etc.
Companies think they are secure buying off the shelf software or SaaS products but that may not be the case. While there are best practices, there are no mandatory guidelines for security in this space.
If you are buying a SaaS product, it is a good idea to have a checklist of basic, intermediate, and advanced ‘must haves.’
Some of the absolute must haves for SaaS:
- Look for the words “SSL,” “TLS,” or “encryption in transit.” If they don’t use or claim to use SSL, stop now and fail them immediately.
- If you are looking for a product that ingests your data, look for any claims of “encrypted at rest,” “database encryption,” or “disk encryption.” As with SSL, if they don’t do this, fail them immediately.
- Watch for “Secure SDLC” or similar. This suggests they have built-in security reviews, automated security code scans, and other measures to stop security flaws from shipping. If they mention things like code scans, make sure this box is checked.
- Look for “PenTest” or “Pen Test” as keywords. This is considered basic because it is the first thing most companies do when asked to prove their security is reasonable. If they claim SOC2 Type 2, you can also check this box.
- Content Security Policy (CSP).
- Most companies use a WAF to detect and stop common attacks, although companies don’t always mention it on their security page. This is basic security.
- Look for any discussion of DoS or DDoS protection. Companies don’t always mention this protection, but it should be basic for everyone.
- Vulnerability management, also called “patch management,” is also a basic measure that everyone should be taking. It is alarming if this isn’t mentioned given that 80 percent of an application’s code is comprised of third-party software libraries (per the GitHub State of the Octoverse report). It takes real work to stay on top of vulnerabilities in dependencies.
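Two of the items above, encryption in transit and a Content Security Policy, can be checked against a vendor's live endpoint instead of being taken from its security page. The Python below is an added example written for this article; it is not code from Art of Procurement, Clarify360, or Jo Peterson. The sample response headers are constructed, the hostname in the usage block is a placeholder, and the 180-day HSTS threshold is an assumed review threshold rather than a standard.

```python
"""Added example: score a SaaS vendor's web-facing posture against the
'must have' checklist items (encryption in transit, Content Security Policy).
Illustrative code, not from the article or any vendor."""
import socket
import ssl
from dataclasses import dataclass, field

# Assumed review threshold: 180 days, a common minimum for HSTS preload lists.
MIN_HSTS_MAX_AGE = 15552000


@dataclass
class PostureReport:
    passed: list[str] = field(default_factory=list)
    failed: list[str] = field(default_factory=list)
    warnings: list[str] = field(default_factory=list)


def _max_age(hsts_value: str) -> int:
    """Extract the max-age directive from a Strict-Transport-Security value."""
    for directive in hsts_value.split(";"):
        name, _, value = directive.strip().partition("=")
        if name.lower() == "max-age":
            try:
                return int(value.strip().strip('"'))
            except ValueError:
                return 0
    return 0


def evaluate_headers(headers: dict[str, str]) -> PostureReport:
    """Check HTTP response headers for the checklist's encryption-in-transit
    and CSP items. Header names are matched case-insensitively."""
    h = {k.lower(): v for k, v in headers.items()}
    report = PostureReport()

    # Encryption in transit: HSTS makes browsers refuse plaintext HTTP.
    hsts = h.get("strict-transport-security")
    if hsts is None:
        report.failed.append("no Strict-Transport-Security header")
    elif _max_age(hsts) < MIN_HSTS_MAX_AGE:
        report.warnings.append(f"HSTS max-age {_max_age(hsts)}s is short")
    else:
        report.passed.append("HSTS present with adequate max-age")

    # CSP: present is good; '*' or 'unsafe-*' source expressions weaken it.
    csp = h.get("content-security-policy")
    if csp is None:
        report.failed.append("no Content-Security-Policy header")
    else:
        tokens = [t for part in csp.split(";") for t in part.split()]
        weak = sorted({t for t in tokens
                       if t == "*" or t.lower().startswith("'unsafe-")})
        if weak:
            report.warnings.append(f"CSP permissive: {', '.join(weak)}")
        else:
            report.passed.append("CSP present without permissive sources")
    return report


def classify_tls_version(version: str) -> str:
    """Map a negotiated protocol name (as ssl returns it) to pass/fail."""
    return "pass" if version in ("TLSv1.2", "TLSv1.3") else "fail"


def negotiated_tls_version(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Perform a TLS handshake and return the negotiated version, e.g. 'TLSv1.3'.
    Needs network access, so the offline test does not call it. With a default
    context the handshake itself fails if the server offers nothing newer than
    TLS 1.1, which is a fail for the 'encryption in transit' item."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version()


# Constructed sample headers (not captured from any real vendor).
GOOD_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://cdn.example.invalid",
}
WEAK_HEADERS = {
    "Content-Security-Policy": "default-src * 'unsafe-inline'",
}

if __name__ == "__main__":
    for label, hdrs in (("good", GOOD_HEADERS), ("weak", WEAK_HEADERS)):
        print(label, evaluate_headers(hdrs))
    # Placeholder hostname; replace with the vendor endpoint under review.
    # print(classify_tls_version(negotiated_tls_version("vendor.example.invalid")))
```

Run against the vendor's actual login or API hostname, and treat a failed handshake or a missing CSP as a finding to raise in the RFP response review rather than as a final verdict.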
Q: How can a periodic security health check approach by procurement benefit the organization during mid contract term to actively help mitigate risk?
A: The long-term objective is to create a sustainable evaluation and monitoring framework in collaboration with your supply base. Best practices include establishing an evaluation framework that becomes a living document.
This framework will also be useful for onboarding new suppliers. Some things to consider are understanding if there is a single point of contact for assessing how cyber protection is embedded in procurement activities. Some procurement teams have a dedicated cybersecurity resource. It may be worth taking a basic general course in cybersecurity or reading an entry level book to familiarize yourself with some of the key terms.
Q: How can procurement increase their working knowledge about cybersecurity?
A: To be a leader in procurement, the job description may need a wider scope: trusted advisor, financial guru, and now security guard! Tech is not short on terminology. In order to produce a good RFP or have a solid conversation with a supplier, you need to have a basic understanding of the terminology:
- Taking a cybersecurity class for beginners.
- SANS Cyber Aces Online courses are offered for free by the SANS Institute. This organization is highly regarded in the field of information security and has been conducting research and education programs for three decades.
- Microsoft offers a free 6 module class that is about 2 hours long and covers cybersecurity basics.