Do you trust your counterparty? What about ALL THE COUNTERPARTIES?
Full disclosure, I bought my first car from a huckster used car salesman in the Bronx NY. His smile was perfect, his form straight out of central casting. The car? A “lightly used” Subaru Forrester. Really, what could I have to worry about? Subarus are known to be reliable. 12,000 miles from one owner hardly seemed used at all. It drove like a dream, and it looked great.
As I pulled out of the lot, I was sure we made one of those rare “win-win” deals we have all read about. Then a few days later… I came out of my house to see the right rear fender had simply fallen off. WHAT!?!? I loaded the fender into the trunk and drove back to the “dealership”. Promising me they would fix this and “had no idea what could have happened”, I left the car and took a cab home. And a cab to work. And a cab to the grocery store. And put a lot of miles on my sneakers.
The fix was completed a few days later and again, I was ready to roll. Twice more the same event happened – come out to the driveway and see the fender laying on the ground next to the car. As I stood in the service center opining to the clerk about how much of an inconvenience and VERY REAL COST this was to me, the innocent person across the counter said, “well I mean what do you expect when you buy a car that has been in an accident like this one?”
An accident? Really? Why didn’t this come up on the reports I ran? Why didn’t the salesman say anything when I was writing a check for a full-priced auto?
Every software, hardware, operational technology, device, gadget, doohickey salesman etc. can be considered the same as my huckster used car salesman in Throgs Neck, New York, but when it comes to cyber security, the problem may be much worse. I am convinced the salesman knew what he was selling me that March day way back when. I am not sure your vendors truly know what lurks in the code of their solutions. I am sure that no matter how honorable your vendors may be when it comes to fixing latent errors or sloppy code, there is a very real cost to you.
How do you manage it? Well, legal protections are a start, but do you really want to end up there? Trusting people to do the right thing when they discover a vulnerability is a good step, but you need to know the other person who is inking a contract, and this can prove problematic when incentives are at play.
The best method, I have found anyway, is to really understand what it costs you if a system or component goes bad. Can you live without a car for a few days? Yes, but not without cost. Can you live without those sensors for a few days? Maybe, but at what cost? At least once a year (best practice is quarterly), sit down with your business leaders and really think through what systems are critical and what systems, if down, would be mere annoyance. From there, building your defenses, digging into the vendors capabilities and commitments, and making your fall-back plans becomes simpler.
Start with the drivers of value in your business. You have profit centers, and you have costs. On a managerial accounting basis, where are you investing in growth? Where are you maintaining a margin? What systems are your employees logging into day in and day out? Doing this analysis upfront can lead to a productive session with your business leaders and determine what vendors you should be more cautious of and which ones to allow a bit more risk.
Trust is key. I dealt with one untrustworthy character. Now imagine how many you may have dealt with in the course of digitising your operations…