This blog was created from a recent episode of Device42’s podcast, The Hitchhikers Guide to IT. You can find the latest episodes here.
Cybercrime and cyber insecurity will be among the world’s most severe risks over the coming decade, states the World Economic Forum. Global spending on cybersecurity will exceed $1.75 trillion from 2021 to 2025, as the world combats new risks and threats, including those powered by artificial intelligence. Cybercrime is estimated to cause $8 trillion in damages in 2023, providing CISOs with plenty of incentive to evolve their programs, tools, and practices. Not only are data breaches expensive and time-consuming to clean up, but they damage companies’ reputation in the marketplace and their ability to operate and grow their businesses effectively.
It is against that backdrop that host Michelle Dawn Mooney welcomed Thomas “T.J.” Johnson, national leader of cybersecurity for BDO Digital, back to The Hitchhiker’s Guide to IT, to continue an important discussion on cybersecurity and vendor management. You can view part one of our interview here. These interviews – and accompanying blogs – provide IT and cybersecurity teams with key insights to evaluate vendors, structure contracts effectively, understand differing roles and responsibilities, and work together to improve security and incident response.
Understanding Vendor Incident Management Responsibilities
One of the greatest misapprehensions of working with vendors is the idea that they take on all risk for the partnership, says Johnson. “When you outsource something, there is maybe this misnomer or misperception that we’re just basically going to forklift this effort over to the customer or over to the vendor. And that couldn’t be farther from the truth.”
When company teams misperceive vendors’ responsibilities vis a vis incident management, unpleasant consequences can ensue. As a result, teams should closely review all vendor contracts, including roles and responsibilities and service-level agreements (SLAs) to see what is included and what isn’t included, said Johnson. A key place to look is the disaster recovery section which will spell out how a vendor’s incident management processed. In addition, many vendors will have separate SLA documents which will clearly describe their service commitments. Finally, many responsibilities are also spelled out in System and Organization Controls (SOC) 2 reports in the complementary user controls section.
Incident management processes extend beyond responding to security events, said Johnson. They include business continuity, resiliency planning, and availability. “If you think about the CIA triad, which is the holy grail of cybersecurity, which we’ve got the confidentiality, the integrity, and the availability, a lot of folks forget about the availability part. And I think that’s one of the pieces that we need to make sure that we have in place,” said Johnson. Vendors can experience performance issues or outages that harm system availability, and many companies are ill-prepared for these issues, he added.
“One of my favorite questions to ask is, do you know what you have to do if your vendor goes into disaster recovery mode? Do you have to do anything? You know, I think there’s a misunderstanding that, you know, if a vendor has an outage or something’s unavailable, that’s my vendor’s problem. Well, in reality, it is your problem too. I know you’re outsourcing something to a vendor, but if they have an outage, you need to make sure that you’re prepared for that,” stated Johnson.
Johnson gave the example of Microsoft Exchange Online for Office 365 and Microsoft 365. While it’s unlikely that Microsoft would have a disabling outage, companies should still plan for that reality to ensure that they can maintain high availability of applications and continue business operations.
Integrating Incident Response, Disaster Recovery, and Business Continuity Processes
To ensure continued resilience, companies need to develop plans, roles and responsibilities, and processes for incident response, disaster recovery, and business continuity. They should also ensure they are up-to-date, relevant to the latest business processes and technology, and well-practiced. For example, responding to ransomware attacks will require a coordinated effort across all three functions, Johnson said.
Jonson told a story of a client that moved old, upgraded equipment to its disaster recovery site. As a result, the company wasn’t able to do a full failover, which undermined its disaster recovery planning and testing. Being able to test processes and equipment in real-world conditions is essential, he said.
Best Practices for Working with Vendors on Incident Response
Host Mooney asked Johnson for his parting words of wisdom. He offered the following best practices for working with vendors on incident response:
- Incident response plans should cover vendors: Make sure you have a critical vendor list, what data they have, and why and how you rely on them. Update incident response plans to include critical vendor provisions.
- Review vendor roles and responsibilities: Talk to your vendors and scan contracts, SLA documents, and SOC 2 reports for roles and responsibilities.
- Participate in vendor disaster recovery testing: Many organizations offer the opportunity for partners to join them in tabletop exercises or testing to simulate responses to outages or other types of disasters. Johnson says he always takes advantage of these opportunities, and others should do likewise.
- Pressure-test scenarios: To make these exercises especially effective, don’t just simulate what you’re going to do: Say who you’re going to call. As vendors and partners work through this process, it often reveals people who are left out but should be looped in, enabling both to update their processes.
- Keep plans and technology up-to-date: Johnson urged listeners to keep plans up-to-date, commit to regular tabletop exercises, and only use current equipment in disaster recovery centers. “Don’t play the shell game with disaster recovery. Old equipment in the disaster recovery location is no good.”
By taking ownership of reviewing incident response processes, IT and security teams can ensure they work as expected when outages and other disasters occur. Teams can also work with vendors to evolve incident response, disaster recovery, and business continuity plans, improving their resilience in a world of growing risks and threats.
