For vendors, suppliers and other companies providing outsourced services, components or supplies, and for the customers of such services or suppliers, 2016 means an increased demand on your limited time and manpower to respond to or review information security risk assessments, host or perform audits, and generally oversee or be subject to oversight.
Companies often hire third parties to perform a range of on-site or remote services, from landscaping, security, plant care or cleaning, HR screening, onboarding, payroll or benefits, and product development, to office, treasury or IT services. In addition, many companies have component or material suppliers with whom they share proprietary information and trade secrets. Leveraging the talent and resources of an experienced niche developer, vendor or supplier can often be the key to a company’s success. And while working with or as a vendor or supplier frequently reduces a company’s costs and provides it flexibility, these relationships can also create information security risks for both parties, including the risk that a data security incident involving the vendor or its employees will result in a loss or theft of the company’s critical, valuable information or adversely affect deadlines, deliveries or lead times. These delays or losses could put the company in breach of its contracts with its customers, or at odds with its shareholders or regulators.
The growing realization that “outsourcing the project or the function does not mean outsourcing the risk” has prompted companies (as the customer) to focus increasingly on assessing, minimizing and managing these information security risks. The focus begins with information security assessments when initially selecting a vendor or supplier, and continues throughout the relationship through audits, site visits and periodic review. We expect to see an even greater focus on information security risks in 2016. For the company as customer, this focus is usually just an extension of the company’s larger quality control or risk management function. For many niche vendors and suppliers, where people wear multiple hats, this focus can be an unexpected, unbudgeted cost. Additionally, without some planning, an outsourcing organization working with multiple accounts can find itself in constant audit mode in response to these requirements.
On the flip side, while there are costs and resources required, strengthening or adopting better information security practices often comes with several benefits. Vendors and suppliers often reduce their risk of a data security incident or breach by making changes as part of a customer’s risk assessment process or as part of a third-party certification process such as ISO 27001, which is designed to help organizations keep information assets secure. Vendors and suppliers who have taken these steps can market their efforts and certifications in RFP responses and proposals, which may help them obtain even more business. Additionally, vendors and suppliers who play a particularly strategic role in a customer’s services or product development, and/or who share their own proprietary information with a customer, may also want to know more about the customer’s information security practices.
As there is little chance the increased focus on information security will go away anytime soon, taking the time early in 2016 to strategize about how to better respond to the increasing focus on information security risks will undoubtedly benefit vendors, suppliers and their customers.