Digital Transformation and Vendor Due Diligence
Digital transformation is upon us and here to stay. In fact, experts argue that Digital Transformation isn’t a one-hit wonder. Instead, it’s an ongoing and iterative process of constant improvement. Regardless of your specific industry or function within your organization, it is highly likely that your team increasingly relies on third-party software and the benefits of cloud solutions to get the job done. As a leader and decision-maker, you’re entrusted to protect the data your team manages no matter the location of that data. No news there, but keep in mind that the cloud is merely a different company’s server, and while software users have expectations of cybersecurity, they rarely, if ever, stop to think about how it all works and to what degree the data is secure. What if that solution was built and managed by one person in a residential garage with no locks on the exterior? Is that sufficient data protection? For most, the answer is a resounding no. Of course, that scenario is an exaggeration, but you don’t know unless you ask the right questions and validate the responses to those questions. This blog post isn’t a digital transformation guide, but rather a word of caution on security as you navigate a crowded field of cloud solutions.
Before the purchase or renewal of any cloud subscription, pause and think about the sensitivity of the data involved. If that data should be protected, then you should know the vendor’s current security posture and be supplied with data to support the vendor’s claims. When was the last time your company reviewed vendor contracts for data protection, liabilities, and cyber insurance? Asking a few questions around these issues will help you to make an educated decision about trusting that vendor to protect your organization’s data. Unfortunately, vendors are not likely to proactively disclose information that could jeopardize closing a new deal with your company, so it’s important to initiate that exchange of information and establish reasonable certainty of sufficient data protection.
At ThoughtTrace, security is paramount, and we embody the concept of Secure by Design in everything we do. Effective cybersecurity leads to secure code and secure infrastructure, which in turn enables us to develop effective, scalable, and resilient applications for our customers. We stand by that and believe it’s essential to earning customer trust.
Secure By Design – People First
At ThoughtTrace we believe Secure by Design starts with people, not technology. For each ThoughtTrace new hire, an extensive vetting process is performed to ensure we attract and retain the highest caliber professionals who meet technical, ethical, and cultural standards. This people-first mindset goes well beyond the onboarding process and continues with rigorous cybersecurity training delivered through multiple mediums and at recurring and random intervals. ThoughtTrace cybersecurity training includes phishing simulations, incident response exercises, organizational policies, data protection, and more. Our training goes well beyond the average annual cybersecurity awareness slide deck that is designed simply to satisfy compliance. Your organization and its sensitive data deserve more than minimum standards and checked boxes, and you should demand higher standards from all of your vendors.
Ask Your Vendor #1: Who is responsible for managing the cybersecurity program? Please explain your cybersecurity awareness and training program, demonstrating how your organization ensures personnel are vetted and trained to mitigate the risk of general and role-specific cybersecurity threats.
Building Vendor Trust
The rate of web application adoption across the modern business landscape is phenomenal. Business leaders are now empowered to use proven cloud-based technology solutions that solve critical business needs at a low cost and with rapid adoption. ThoughtTrace shares that sentiment, but our leadership team is cognizant of the risk to sensitive data. Therefore, we only purchase and deploy technology solutions in accordance with our Data Governance and Risk Management policies. After all, technology can do more harm than good without effective governance. So, how can you gauge cybersecurity effectiveness for your vendors? ThoughtTrace believes the most effective way to assess our security posture and communicate it to our customers is through our annual SOC 2 Type 2 audit, which is performed by an independent third party. As always, the current report is available to our customers and potential customers upon request.
Ask Your Vendor #2: What administrative and technical controls does your organization use for the following cybersecurity domains, and how are those controls independently validated for effectiveness:
- Personnel Security
- Application Security
- Data Protection
- Endpoint Security
- Network Security
- Identity and Access Management
- Business Continuity
- Incident Response
ThoughtTrace Platform Security Features
Customer-facing security features are essential to supporting our customers’ diverse security requirements, such as role-based access control, password management, Single Sign-On (SSO), and more.
- Labels: Labels are applied to documents and serve as the “lock” that requires the appropriate key (Access Group) in order to see and interact with the document. Only one label can be applied to a document.
- Access Groups: ThoughtTrace users are placed into Access Groups that define what labels the included members can access and in what ways they can interact with those labeled documents.
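The label-and-group model described above amounts to a small authorization matrix: a document carries exactly one label, a group grants a set of permissions per label, and a user's effective rights on a document are the union of the grants from every group they belong to, with no grant meaning no access. The following is an added, constructed example that models that check in plain Python; it is not ThoughtTrace code, and the permission names, group names and sample users are assumptions made for illustration. It also includes a small administrator-side helper that lists who can reach a given document, the kind of review an administrator configuring these features would want to run.

```python
"""Toy model of label-locked documents and access-group keys.

Constructed example for illustration; not the vendor's implementation.
"""
from dataclasses import dataclass
from enum import Flag, auto
from typing import Dict, Iterable, List, Set


class Permission(Flag):
    """Ways a group may interact with documents carrying a label (assumed names)."""
    NONE = 0
    VIEW = auto()
    ANNOTATE = auto()
    EDIT = auto()
    SHARE = auto()


@dataclass(frozen=True)
class Document:
    doc_id: str
    label: str  # exactly one label per document: the "lock"


@dataclass
class AccessGroup:
    name: str
    members: Set[str]
    # label -> permissions granted on documents with that label.
    # A label absent from this mapping grants nothing (default deny).
    grants: Dict[str, Permission]


class Authorizer:
    """Resolves a user's effective permissions on a document."""

    def __init__(self, groups: Iterable[AccessGroup]) -> None:
        self.groups: List[AccessGroup] = list(groups)

    def permissions(self, user: str, doc: Document) -> Permission:
        # Union of grants from every group the user belongs to; a user in no
        # group, or whose groups do not mention the label, gets NONE.
        effective = Permission.NONE
        for group in self.groups:
            if user in group.members:
                effective |= group.grants.get(doc.label, Permission.NONE)
        return effective

    def allowed(self, user: str, doc: Document, needed: Permission) -> bool:
        # Refuse an empty requirement outright: NONE is trivially a subset of
        # anything and must never read as "allowed".
        if not needed:
            return False
        return needed in self.permissions(user, doc)

    def users_with_access(self, doc: Document) -> List[str]:
        """Administrator review: every user holding any permission on doc."""
        users = set()
        for group in self.groups:
            if group.grants.get(doc.label, Permission.NONE):
                users |= group.members
        return sorted(users)


# Constructed sample configuration (hypothetical groups, labels and users).
GROUPS = [
    AccessGroup(
        name="legal",
        members={"alice", "bob"},
        grants={
            "contracts": Permission.VIEW | Permission.ANNOTATE | Permission.EDIT,
            "leases": Permission.VIEW,
        },
    ),
    AccessGroup(
        name="finance",
        members={"bob", "carol"},
        grants={"leases": Permission.VIEW | Permission.EDIT},
    ),
]
AUTH = Authorizer(GROUPS)

CONTRACT = Document("doc-1", "contracts")
LEASE = Document("doc-2", "leases")
HR_FILE = Document("doc-3", "hr")  # no group grants this label


if __name__ == "__main__":
    for user in ("alice", "bob", "carol", "mallory"):
        for doc in (CONTRACT, LEASE, HR_FILE):
            print(f"{user:8} {doc.doc_id} {AUTH.permissions(user, doc)}")
    print("who can reach doc-2:", AUTH.users_with_access(LEASE))
```

Two points worth noticing when reviewing a model like this: membership in several groups widens access (bob gains EDIT on leases through finance even though legal only grants VIEW), and a label that no group references is unreachable by anyone until an administrator deliberately grants it, which is the default-deny behaviour you want a "lock" to have.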
Ask Your Vendor #3: Does your product support Single Sign-On (SSO)? What product security features are configurable by administrators within the application?
ThoughtTrace can help you find these answers extremely quickly! Request a demonstration of this use case.