8 CIOReview | DECEMBER - JANUARY

IN MY OPINION

THE CRUCIAL ROLE OF THIRD-PARTY SECURITY IN DIGITAL TRANSFORMATION

By Luke Raines, IT Risk and Compliance Manager, Challenger Limited

Digital transformation is synonymous with the use of third parties, so robust security measures across an increasingly interconnected estate are crucial. While partnerships with cloud, software, and external service providers offer numerous advantages, they also introduce potential vulnerabilities. Organizations considering digital transformation must therefore recognize that their security posture extends beyond traditional network boundaries. We'll explore key practices for gaining assurance over the security of third parties in digital transformation projects.

A Risk-Based Security and Resilience Evaluation

Consider the importance of the information, or services, being handled by the vendors as part of your digital transformation project. Ask yourself what protections you have in place today for that information or those services, and seek to understand whether the vendors can at least match them. This may call for some compromise over the design of controls, but exercise caution if it means growth in risk. Get assurance where it matters: while a vendor may have scalable cloud capabilities, it may be continuity and recovery where your focus lands. Match controls to threat scenarios, and consider the risk you're willing to accept.

Cloud Shifts Responsibilities

The use of cloud service providers (CSPs) is a common element of digital transformation. While this changes the dynamic of security responsibilities, it never removes them. With Software as a Service (SaaS), the customer remains responsible for Identity and Access Management, data classification, and some application security configuration. Platform as a Service (PaaS) also requires the customer to consider penetration testing and software development

Luke Raines