Mitigating Security Challenges in the Professional Services Supply Chain

Brian Morgan  |  Jun 02, 2020

In this blog, Brian Morgan, Director of Security at Skyline Technologies, explores how to protect your business from cybersecurity threats in the professional services supply chain. A full webinar on the topic is also available.
Cybersecurity threats are a mounting concern for the professional services supply chain, in which businesses engage suppliers (like us), because businesses often entrust assets like data and system credentials to those suppliers. In return, a supplier may provide (for example) an analysis of a system with performance problems together with possible improvements, a software solution that handles sensitive data, or a software solution that automates a key business process. Suppliers therefore handle valuable business assets, yet they are often small organizations with fewer resources (in terms of people and money dedicated to cybersecurity). Since businesses have little control over a supplier’s security practices, there is reason for concern.
A 2018 Opus & Ponemon Institute study found that 61% of U.S. respondents experienced a data breach caused by one of their vendors or third parties. One of the most well-publicized supply chain breaches was the attack on Target Department Stores. Most people don't know that the attack originated with a supplier of Target: an HVAC vendor. The attackers gained access to the HVAC vendor's systems, found credentials that allowed them into Target’s system, and the rest is history. Another incident occurred in 2017 and involved a supplier of Scottrade Bank that had uploaded their information, including social security numbers, to an unsecured server.

Protecting Your Supply Chain

Experts have provided a great deal of advice on how a business can protect its supply chain. Often this advice centers around the development of a third-party management program that includes safeguards such as contractual protections and risk management. I agree with this advice.
The language within contracts – such as MSAs and NDAs – sets expectations for how a business and its supplier will work together to ensure security and privacy. This language often defines business assets such as intellectual property, data, and systems that require protection, and then sets protection requirements that suppliers must meet.
Contract language, however, is often overly general given its need to support many types of suppliers and situations without needing a rewrite. For example, a contract may include a statement requiring the supplier to, “properly protect any provided confidential information,” with no further clauses adding details on acceptable approaches. In other words, a contract sets high-level security expectations for the supplier, but it does not provide prescriptive guidance that a supplier can use to properly secure business assets.
Businesses that are ahead of the curve not only set security expectations, but also actively assess their risk exposure. They track each supplier and conduct cybersecurity risk assessments that investigate the supplier’s general ability to protect business assets during service delivery. The assessments often focus on a supplier’s cybersecurity program, its policies and procedures, the systems it will use to process a business’s data, whether security training is regularly delivered to associates, and so on. If the business evaluates its risk exposure as acceptable, then the supplier is allowed to proceed with service delivery.
In other words, after successful completion of the assessment, responsibility for security is turned over to the supplier who, operating in compliance with their cybersecurity program, delivers services using supplier resources and assets. I refer to this as “total outsourcing.”

Security Challenges with Total Outsourcing

Over the years I have assisted our legal team with the review of many contracts, have taken part in many risk assessments, and have been engaged with many clients in the delivery of services and solutions. What I have found is that the professional services supply chain can challenge the risk management techniques used in support of total outsourcing.
For example, in support of a professional services engagement, businesses often provide suppliers access to their production systems to facilitate analysis, or to secure development environments to create software solutions, AI models, and data warehouses. Business personnel – such as subject matter experts, system admins, and security experts – may collaborate closely with supplier scrum masters, developers, and architects. Additionally, a supplier may be involved in many different engagements within a business, involving different business units, systems, technologies, procedures, and approaches.
Bottom line, professional services are better described as “integrated outsourcing.” The issue is that total-outsourcing risk management techniques do not often address engagement-level risk and, because of this, fail to provide the prescriptive security guidance needed by the joint business-supplier delivery team.

Collaborative Engagement-Level Risk Management

Skyline uses collaborative engagement-level risk management to protect any Confidential Client Information (CCI) handled during service delivery. It is “collaborative” in that both our client (i.e., the business) and Skyline Technologies (i.e., the supplier) are involved in the risk management effort. It operates at the “engagement-level” since we apply the following risk management process to every client engagement:
Responsibility (Actor/s):
  1. Review a risk assessment questionnaire to prepare for the risk assessment (Skyline and Client)
  2. Conduct a collaborative risk assessment to identify engagement-level risk
  3. Formulate a risk mitigation plan (1-2 pages) (Skyline and Client)
  4. Review, approve, and execute the risk mitigation plan (Skyline and Client)
  5. Update the risk mitigation plan as appropriate throughout the engagement

When conducting an engagement-level risk assessment, we commonly focus on the following areas:
  • Information Handled – We identify the CCI that will be handled by the delivery team during the engagement. This is important since it will guide the safeguards adopted by the team.
  • Legislation and Regulations – We identify any existing legislation or regulations (e.g., HIPAA, GDPR, CCPA) that govern the protection of that CCI. This, too, guides the safeguards adopted by the team.
  • The Security Training Plan – We identify the security training that Skyline team members will complete prior to service delivery. In addition to providing basic security awareness training, we also require training on collaborative engagement-level risk management, training on the risk mitigation plan itself, and high-level training on applicable regulations and legislation. If requested by our client, we will also have Skyline team members sit through our client’s security training.
  • How We Will Work Together – We identify how Skyline and our client will work together when CCI is involved. For example, all team members may be asked to work within our client’s secure development environment. We also discuss tools that will be used by Skyline and our client to manage the engagement and to collaborate during delivery as these tools may transmit, store, or process content that includes CCI. Finally, we discuss any client policies and procedures that Skyline team members will be required to comply with during delivery.
  • What Occurs When a Member Joins/Leaves the Team – We discuss the steps that need to be taken from a security perspective when a person joins or leaves the delivery team. For example, when joining the team, new Skyline personnel will be required to complete all engagement-specific security training. Likewise, when leaving a team, Skyline may notify our client so that user accounts can be removed, CCI properly cleaned up, etc.
  • How We Will Maintain the Plan – We identify how Skyline and our client will make changes to the risk mitigation plan. Normally, newly identified risks are mitigated when they occur, are formally discussed and added to the risk mitigation plan during the sprint review, and then shared with all Skyline and client delivery team members. 
  • The Source of Security Answers – We identify who Skyline and client delivery team members will go to for answers to their security questions or for help in addressing security issues.
Keep in mind that collaborative engagement-level risk management does not replace the risk management techniques used with “total outsourcing.” Instead, it builds upon them by adding additional risk clarity at the engagement-level.

What is the Required Time Investment?

Sustainability and effectiveness are critically dependent upon the risk management process being lightweight and fast. We have achieved this by focusing risk assessment efforts on those areas of delivery where risk is likely to be high. Furthermore, we have reduced mitigation time by establishing a catalog of pre-existing security safeguards that can be quickly applied to mitigate many risks.
The risk management process for a new client, or for a new business unit with an existing client, usually requires an investment of about an hour for both Skyline and our clients. With each engagement, however, the process becomes faster due to the reuse of content from previously constructed risk mitigation plans. It is not uncommon to see the process be completed in under 30 minutes for a subsequent engagement involving the same client, business unit, and technologies.

Does it Work?

There have been several situations where either Skyline or a client delivery team member has caught a security vulnerability or issue simply because they've been trained to look for them as part of the risk mitigation plan. Moreover, it is common for new security risks to be identified and addressed before they become an issue.
The biggest win, however, is a lower level of risk because of an improved relationship with our clients from a security perspective. Because of our program, we are talking about security, being transparent, and collaborating. Whenever these three consistently occur, I've found that the odds of security success improve. If you would like to increase your odds of security success, contact us.