
Technology vendors everywhere want to serve big Wall Street banks, so when one of those banks talks about risks they see in their software supply chain, compliance and audit professionals should listen – which brings us to an extraordinary open letter that JPMorgan Chase recently published.

The letter, penned by JPMorgan CISO Patrick Opet and posted on the bank’s website in late April, warns that the current approach for software development and delivery is getting too complicated, too quickly. That ends up giving hackers more potential entry points into corporations’ IT systems, and overall “creates a substantial vulnerability that is weakening the global economic system.”

Opet raises concerns that CISOs, compliance officers, and internal auditors should all take seriously. The implications for your internal controls, policies, and compliance procedures, however, will vary depending on whether you’re a tech vendor courting big corporations or a big corporation dealing with tech vendors. 

First, where are these risks coming from?

Opet’s fundamental concern is that Software-as-a-Service (SaaS), where a corporation essentially “rents” software from a vendor that develops and maintains the application, has mushroomed into the primary way most businesses buy and use software. Large corporations might now rely on hundreds of SaaS providers, each one embedded into the corporation’s IT infrastructure and operations.

On one hand, SaaS is great. It’s low cost to the corporations using it. Vendors can scale their services up or down quickly to meet customer needs, and roll out new features quickly. 

At the same time, the risks from using many SaaS vendors all at once – which is typically how corporations use them – can add up. SaaS providers might rush new features to market without thorough testing. Numerous SaaS vendors all hooked into your corporate IT system at the same time can create new security holes or “system failure risks” that catch IT departments by surprise. And there’s always the risk that your SaaS provider uses other SaaS providers, and so forth and so on, with risks accumulating all the way down. 

So, while SaaS is here to stay, businesses everywhere need to retool their policies, procedures, and controls to be sure that security is woven into daily operations. As Opet wrote:

“We must establish new security principles and implement robust controls that enable the swift adoption of cloud services while protecting customers from their providers’ vulnerabilities.”

‘Security by Design’ for SaaS vendors

For technology vendors, this means embracing “security by design” – the idea that security considerations should be built into all phases of your product development lifecycle, rather than security being “bolted on” at the end of that process. (NIST even has a security by design framework your IT development teams can follow.)

That’s a sensible idea, but challenging to implement in practice. Above all it means senior management must make a commitment to security, holding up security as a core value on par with honesty or integrity. Employees throughout the enterprise need to see that if the choice is slowing down to get security right or rushing new features out the door, the right choice is to favor security.

From that tone at the top, more practical steps flow. Senior executives need to ensure that risk assessment, testing, and documentation processes exist and work as intended. Software development teams need to do better at security testing and documentation. SaaS sales teams need to embrace “secure by default” product configurations and transparency with customers about the controls that SaaS vendors use to manage risk on a daily basis.

For corporations, a better approach to risk

Corporations have their own duties here too. Opet is right that the complexity of SaaS software is overwhelming cybersecurity and privacy teams – so regardless of how much SaaS vendors do or don’t improve their security game, corporate CISOs and audit teams need to do more. 

For starters, audit teams can test business continuity and disaster recovery plans to determine whether those plans are sufficient. For example, broker-dealers in the United States are required to have effective business continuity plans (FINRA Rule 4370); the state of New York’s cybersecurity rule also requires regular testing of business continuity plans. 

More broadly, a business continuity failure thanks to an unreliable SaaS vendor can lead to financial losses, bad headlines, civil lawsuits, and other headaches. Effective business continuity plans are often a regulatory obligation – but beyond that, they’re just common sense. 

Auditors, risk managers, and compliance officers can also strengthen your organization’s third-party risk program. For example, all tech vendors operating in your enterprise should have a “relationship owner” responsible for monitoring that vendor’s performance and risks. (Pro tip: if you’re not sure who’s responsible for a certain SaaS vendor in your IT ecosystem, turn that application off and see which department calls to complain. That’s the relationship owner.) 

Compliance, audit, or security teams should also be sure to craft necessary policies about relying on tech vendors. For example, do you have too many business functions relying on one SaaS provider? That could pose concentration risk. Do you require all tech vendors to undergo SOC 2 audits to test their cybersecurity? If not, consider whether you should. Bake those requirements into your procurement policies, so operating units know how much discretion they do or don’t have when bringing tech vendors into your enterprise.

Further into the nuts and bolts, CISOs can test tech vendors for security and privacy risks, and test how well new vendors integrate with other vendors your company already uses (including any updates your SaaS vendors push out, a notorious source of security or IT failures).

Marshal your governance and risk management resources

Every business will need to find its own way forward in our more security-centric world – depending on whether you’re a tech vendor or consumer (or both!), your industry and its regulatory burdens, your size, where you do business, and more.

But we can say that strong cybersecurity will depend on (a) effective tools for risk assessment, controls mapping, remediation, policy management, and the like; and (b) a strong “culture of security” fostered by senior management and enforced throughout your enterprise.

That’s true for the biggest banks on Wall Street as well as for everyone else, and that new reality is here to stay.

Looking for more?

NAVEX One solutions are all designed to work together to help your organization navigate the many risk and compliance challenges facing your business. Learn more about NAVEX solutions by clicking the button below.
