Imagine these scenarios:
Your company is in the news. Records have been lost and thousands of customer data files may have been compromised -- an all too common occurrence in the past twelve months.
Your corporate training department has asked an external vendor to host a Web-based training curriculum. Now you discover that it contains a treasure trove of corporate intellectual property.
Your corporate security department is conducting an investigation of a lost laptop belonging to a key executive. They have strong reason to believe a competitive intelligence agent stole it. No encryption was used and no tracking software is available on the laptop.
The stakes of these breaches are high and getting higher every day. Considering more than 30 states now have privacy and data breach notification laws, it's no wonder share prices can drop like a stone. The causes of these breaches are many and corrections are time consuming. How many of the problems mentioned could have been (at least) mitigated by having the proper security language in a contract? Enter the purchasing team. Purchasing plays an important, yet often overlooked role in deploying proper security throughout the enterprise. This tip looks at the role of purchasing and offers advice for educating your purchasing team about security to create a solid security/purchasing team.
As security practitioners, we seem to forget that most projects go forward without our knowledge of their existence. Certainly we engage purchasing when our projects are on the line, but what about when the records management folks decide on a new offsite storage facility? Purchasing is involved in every project because they are the ones who negotiate terms and award the contracts. They can become our eyes and ears into nearly every project IF we engage them properly and teach the corporation's security needs.
So, how do we teach purchasing about security concerns? Here are four steps to get you started:
The easiest way to demonstrate the importance of security is to share results of current investigations. It is a sobering experience to see an email or document clearly outlining an employee's desire to steal or give away intellectual property. This is especially true when specific dollar values can be assigned to the theft. If you don't have your own cases to share, use external cases. There are plenty of examples available. Most have resulted in permanent customer loss, share price decrease or simply negative publicity. These types of cases get people's attention quickly. Additionally, encourage the purchasing team to be an extension of the security team. Instruct them to involve security in daily negotiations and contracts.
Learn to include the purchasing group in the request for proposal (RFP) process. They don't need to be involved in the initial vendor reviews, but once the field is narrowed down to two or three candidates, purchasing needs to be an integral part of the evaluation team. This helps raise the level of mind share that purchasing has of security. Most technical security projects need the input of business groups to gage the impact of the project on normal business processes. Use the purchasing team as one of those business groups. This gives them a sense of ownership into the project and they can offer the security team wisdom and counsel in positioning the project to maximize competition and cost savings during negotiations. Together, the security and purchasing teams can better describe the total cost of ownership for a particular product or service because of their separate expertise. The security team knows where full-time administration is required for a product or service and purchasing can describe what that may cost based upon the different purchasing options.
Other areas of a project where this teamwork demonstrates benefit is in evaluating a vendor's propensity for software vulnerabilities and thus it's required patching intervals. In some cases, the security team should also be included in the RFP process for other departments, but not all. The goal is to get everyone thinking more of security during their projects. This becomes a simple leverage of the security group's time and resources.
Ensure that together, the security and purchasing teams develop precise assessment metrics for products and services. Here the purchasing folks can be invaluable due to their exposure to nearly every project in the enterprise. They can share business-based metrics from previous projects. This has an additional benefit in helping to sell senior management on projects because you can demonstrate that a project has been evaluated from both a technical/security perspective as well as a business perspective.
- Assist purchasing during project planning and evaluation by not falling in love with a particular product or service. Specifically, it's important to be careful when speaking with potential vendors. Don't gush all over a product in front of a vendor and then expect purchasing to have an easy time trying to convince them that they are competing with other vendors. Hold your cards close to the vest and always remind vendors that there are other fish in the pond. Even if you know that a vendor choice has already been made, never tip your hand. Give purchasing something to work with. You can also use this ploy in non-security projects that have a security aspect to them. For example, a security scan on a potential vendor's offering may find it lacking. This helps you to not fall in love and gives purchasing another tool to work with.
The combination of sharing needs with purchasing, showing them the results of employees gone bad and making them active partners in your projects will go a long way towards the development of a superb security/purchasing team.
About the author
Tom Bowers, CISSP, PMP, CEH, is a technical editor for Information Securitymagazine.