Chapter 01
A serious relationship
Security is a serious business and the closer the commercial relationship, the more serious it gets. So, while effective for evaluating a would-be vendor or supplier, the default tools and processes for assessing third-party cyber risk are probably insufficient when identifying the right business for delivering something as all-encompassing as your customer experience.
Clearly, ensuring an outsourcer is aligned with the most stringent of universally recognized security standards such as ISO 27001, SOC Type 1 and 2, and HITRUST will be part of any initial assessment and shortlisting process. However, proof of compliance, even if backed by a traditional risk assessment questionnaire, is not proof that an organization has what it takes to be a trusted partner.
And “partner” is the key word, because CX delivery success hinges on building and maintaining a tier-one business relationship. You are entrusting another entity to embody and eventually elevate your brand with existing and potential customers. This, in turn, means taking a more detailed, multifaceted assessment approach; one that looks beyond acronyms or the speed at which questionnaires and forms can be filled in. Every potential partner is a potential attack vector, and every reciprocal business relationship runs the risk of increasing your attack surface.
Alphabet soup
From ISO to SOC and NIST, there are a host of letters and acronyms that allude to protecting information and implementing security. But what do they mean and what difference does it make if your potential partner complies with them or not?
The right references
Your assessment and selection process should include speaking, in confidence, with a selection of any potential partner’s existing clients about their direct experiences regarding its security performance.
As well as insights into day-to-day operations and how well they align with security standards, interviews with existing clients will highlight a potential partner’s communication capabilities — a critical yet often overlooked aspect of security. Communication means more than monitoring and sharing metrics. It’s about direct, timely and unambiguous engagement with all stakeholders on elements of the partnership from security audits and risk reviews to incident response and how change requests have been received and facilitated.
Credibility in context
You should also engage a security ratings firm to provide independent validation of that organization’s security posture. Just as with a credit rating, a security score will place that organization’s performance in context. You can see how it performs relative to other businesses with a comparable size and footprint, and, crucially, the score is another means of benchmarking it against its direct competitors, whether or not those competitors are also on your shortlist.
Action list
Clearly define the depth of the required partner relationship before initiating due diligence.
Confirm compliance with key security frameworks like ISO 27001 and NIST.
Request confidential client references to evaluate security performance.
Check the organization’s security rankings from reputable firms.
Ensure the organization can deliver compliant services or solutions that meet your specific needs and operate in your required territories.