IDG Contributor Network: Third-party vendors -- your weakest link?
Some of you may remember the TV game show The Weakest Link, during which a somewhat caustic Anne Robinson would declare one of the nine contestants the weakest link, and summarily kick them off the program.
Now, imagine Anne taking a job as an information security consultant, reviewing security and risk for a medium-sized corporation. I suspect that as she got to the portion of the review involving third-party suppliers, she would quickly yell out "You are the weakest link. Goodbye."
I have worked with a variety of organizations that, as mandated by HIPAA, PCI, or other standards, must assess the risks of their third-party providers. I have written or reviewed more of these assessments than I could count offhand. As such, I can confirm that third-party providers are often the easiest approach to breaching the security of a company. I have reviewed a number of providers with reasonable security and risk management programs of their own, but more often I have found their programs to be weak, or even laughable.