Do You Trust Your Vendor?
One of the things I get to do in my new job with VMC is find out what people's pain points are. As I was doing research yesterday on vendors, on what has traditionally been outsourced, and on who has written authoritatively about it, some interesting trends showed up in the list.
Traditionally companies have outsourced:
Log monitoring and Tier 1 SOC/NOC operations
Software implementation and programming
Systems integration and design
If we look at the trust involved in each of these, the idea of "partner" comes to mind. If you are going to outsource these traditional functions, what you are really doing is hiring a partner: someone who is responsible for pieces of the business. Both parties, vendor and business, need to agree on SLAs, management, notification, and above all, trust.
Would you trust your vendor not to cover up a mistake? For that matter, would the vendor trust the company not to go into drama-queen mode and spin out of control when a mistake is made? Realistically, mistakes are going to happen; how mature the relationship is on each side of the partnership determines how badly things spin out of control. We also need to ask how bad the mistake was: was it small, with no damage, or did it expose the entire DMZ while there were known vulnerabilities in that network segment?
The contract can specify fines, penalties, and the actions required on both sides of the vendor/company relationship, as well as damage control when it is needed. The real issues are on the vendor side: how much can I trust the company to let me know what is going on, for example a new system coming online, or a change to the IDS signatures that is going to look like a mushroom cloud of evil when it is implemented? On one Windows network, someone at the company enabled every single rule on all of the IDS sensors. The monitoring staff thought the whole network was going to come down around them and escalated all the way to the CIO, waking them at 2AM in the belief that the network was under a major attack. In reality it was a new IDS rules person who had enabled every rule in the system rather than understanding what those rules did. A signature change is a change like any other, and it belongs in the notification channel before it goes live, not after the monitoring team has already paged the CIO.
On the flip side, a contractor was found not to have been escalating important data to the client, and the client ended up splashed across the newspapers for a major data breach. That breach had actually been watched by the outsourcing company, with triggers going back weeks showing that something evil was happening on the network.
While most of this can be covered in the contract, and some of it by common sense (if in doubt, call), the other common issue was escalation: who to call, and then who to call if the first person was not available? This is something the vendor and the company need to work out up front. Both should also have either a person on site, or someone available to come on site, to verify what is happening. The escalation path should be Vendor Tier 1, Vendor Tier 2, Company Tier 1 (notification), Vendor Tier 3, Company Tier 2, Company Tier 3, then triage. Nevertheless, few think about how the process should happen, and even the path above will not work in every situation; some companies want to be notified about everything, even if that means false positives.
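The escalation path and the two failure modes above (a notified change that looks like an attack, and a company that wants every alert, false positives included) can be written down as a small decision model so that nobody has to work it out at 2AM. The following is an added example, not code from the article or from VMC; the contact names, tiers, availability flags, the change window, the timestamps and the tenfold rule-count threshold are all constructed for illustration.

```python
# Illustrative vendor/company escalation model. Added example, not from the
# article; every contact, tier, timestamp and threshold below is constructed.
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple


@dataclass
class Contact:
    name: str
    org: str            # "vendor" or "company"
    tier: int
    available: bool = True


@dataclass
class Alert:
    when: datetime
    rules_firing: int   # distinct IDS rules firing in the interval
    baseline: int       # what that interval normally looks like


@dataclass
class ChangeWindow:
    description: str
    start: datetime
    end: datetime


# The order the article proposes: Vendor T1, Vendor T2, Company T1
# (notification), Vendor T3, Company T2, Company T3, then triage.
ESCALATION_ORDER: List[Tuple[str, int]] = [
    ("vendor", 1), ("vendor", 2), ("company", 1),
    ("vendor", 3), ("company", 2), ("company", 3),
]


def find_change_window(alert: Alert, windows: List[ChangeWindow]) -> Optional[ChangeWindow]:
    """Return the notified change window that covers the alert, if any."""
    for w in windows:
        if w.start <= alert.when <= w.end:
            return w
    return None


def is_rule_flood(alert: Alert, factor: int = 10) -> bool:
    """A sudden jump in the number of distinct rules firing is the signature
    of a rule-set change rather than of an attacker. The factor is assumed."""
    return alert.rules_firing >= factor * max(alert.baseline, 1)


def escalation_chain(contacts: List[Contact]) -> List[str]:
    """Walk the escalation order, taking the first reachable person at each
    step: this is the 'who do I call if the first person is out' question."""
    chain = []
    for org, tier in ESCALATION_ORDER:
        reachable = [c for c in contacts if c.org == org and c.tier == tier and c.available]
        chain.append(reachable[0].name if reachable else f"UNREACHABLE:{org}-tier{tier}")
    chain.append("triage")
    return chain


def decide(alert: Alert, contacts: List[Contact], windows: List[ChangeWindow],
           notify_everything: bool = False) -> Dict:
    """Decide what the vendor SOC does with an alert.

    - A rule flood inside a notified change window is verified with the
      company's Tier 1 contact before the whole chain is woken up.
    - A rule flood with no change on record walks the full chain.
    - notify_everything models the company that wants every alert, false
      positives included: nothing is held back, normal alerts are notified.
    """
    window = find_change_window(alert, windows)
    flood = is_rule_flood(alert)
    company_t1 = [c.name for c in contacts if c.org == "company" and c.tier == 1 and c.available]
    if flood and window is not None and not notify_everything:
        return {"action": "verify-change", "contacts": company_t1, "window": window.description}
    if flood:
        return {"action": "escalate", "contacts": escalation_chain(contacts), "window": None}
    if notify_everything:
        return {"action": "notify", "contacts": company_t1, "window": None}
    return {"action": "monitor", "contacts": [], "window": None}


# Constructed sample data: the vendor's primary Tier 1 analyst is off shift,
# and the company has told the vendor about an IDS rule-set update.
CONTACTS = [
    Contact("vendor-t1-primary", "vendor", 1, available=False),
    Contact("vendor-t1-backup", "vendor", 1),
    Contact("vendor-t2", "vendor", 2),
    Contact("company-soc-lead", "company", 1),
    Contact("vendor-t3", "vendor", 3),
    Contact("company-secmgr", "company", 2),
    Contact("company-cio", "company", 3),
]
WINDOWS = [ChangeWindow("IDS rule-set update", datetime(2024, 1, 10, 1, 0), datetime(2024, 1, 10, 4, 0))]
SAMPLE_FLOOD_IN_WINDOW = Alert(datetime(2024, 1, 10, 2, 0), rules_firing=900, baseline=20)
SAMPLE_FLOOD_NO_WINDOW = Alert(datetime(2024, 1, 11, 2, 0), rules_firing=900, baseline=20)
SAMPLE_NORMAL = Alert(datetime(2024, 1, 11, 2, 0), rules_firing=25, baseline=20)

if __name__ == "__main__":
    for a in (SAMPLE_FLOOD_IN_WINDOW, SAMPLE_FLOOD_NO_WINDOW, SAMPLE_NORMAL):
        print(a.when, decide(a, CONTACTS, WINDOWS))
```

The point of the model is not the code but the questions it forces into the open before the contract is signed: who the backup for each tier is, whether the company will tell the vendor about changes, and whether the company wants the vendor to hold a suspected false positive for verification or to call regardless.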
Overall, the trust between the vendor and the company needs to be built and established over time. That trust also needs to extend to everyone on both sides of the outsourcing fence. People come and go, and everyone has to be given the benefit of the doubt when dealing with new people on the job.
The question "how much do you trust your vendor" should apply equally to "how much do you trust your partners", and that relationship should be firmly developed from the start. It might sound very dull to set up escalation paths, contact lists, plans, procedures, backups, disaster recovery, and a whole host of other things at the outset, but having the outsourcing contract firmly spelled out, with measurable metrics so everyone can see whether they are getting what they want, is really important. This kind of detail is what establishes trust from the start and answers the question "how much do we trust each other".
About the Author: Dan Morrill has been in the information security field for 18 years, both civilian and military, and is currently working on his Doctor of Management. Dan shares his insights on the important security issues of today through his blog, Managing Intellectual Property & IT Security, and is an active participant in the ITtoolbox blogging community.