Metrics2Trust Suppliers
Started in December 2020
Almost every organisation uses third parties (suppliers) that provide services and products, ranging from cleaning companies to providers of cloud-based IT services. Dependence on these suppliers has increased in recent years.
The ultimate security level of an organisation and its services depends in part on the security level of the services a supplier provides to them and the security level of that supplier itself.
That is why it is very important to have a good understanding of the security level of all suppliers. Security ratings are already used to classify suppliers, but there are different methods and no standardisation. The multiplicity of suppliers, with a lot of different services, makes this a difficult process.
The starting point of this project is research into what metrics are available and how they can be used in a standardised way to understand (changes in) the level of trust in third parties (suppliers). Trust here relates both to the security of the services a supplier provides and to the security level of the supplier itself.
Activities in the Explore phase: in this phase the project team explored what internal and external metrics are available in current processes and on different security controls, how the concept of trust can be modelled, and how available metrics can be combined in a standardised (potentially automated) and reusable way to indicate (changes in) the level of trust.
Conclusion at the end of the Explore phase: the key finding is that there are numerous metrics with an abundance of relevant features. The key outcome is that the (conceptual) model of trust already added value during the Explore phase, when incorporated into day-to-day activities. The key result is that the model can ‘demystify’ the current measuring and processing of metrics, increasing reusability and enabling automation. The results of the Explore phase on the numerous existing metrics and the (conceptual) model will be explained in an article. Updates on publication will follow at the end of this year.
In the current Proof of Concept phase, the team aims to build an interactive dashboard in which current features of metrics on specific control domains (for instance patch management) can be classified, processed and transformed to indicate the (change in) level of trust related to a supplier.
This project is part of the trend
Growing dependency on third parties
Organisations work together with, and use products from, software vendors and equipment vendors. We also see an increase in the outsourcing of IT to, e.g., cloud-based services. This causes an increase in dependency on third parties. Vendor lock-in is one of the possible consequences. Furthermore, the overall security of an organisation becomes dependent on the quality of the security of the products and services of those third parties.