Digitalization at a massive scale across the world has been accompanied by a rise in cybercrime: ransomware, cryptocrime, phishing and other cyberattacks. Cyberthreats are among the biggest risks facing businesses today; the projected global cost of cybercrime is expected to reach $8 trillion annually in 2023 and to rise to $10.5 trillion by 2025.
Companies maintain extensive cybersecurity portfolios to counter the increase in attacks, ranging from basic tools such as antivirus, e-mail and endpoint security solutions to more complex programs such as zero-trust initiatives. One area has been overlooked, however: verifying the cybersecurity of third parties and other partners whose solutions include information technology (IT) or operational technology (OT) connectivity. That seems to be changing.
McKinsey & Company touched on this topic in an article a couple of years ago and noted that CIOs and CISOs “must now secure their own IT environments while also accounting for the security of the third-party elements of those environments.” McKinsey goes on to say that “a radical new approach is needed, one that focuses on robust communication and the complete alignment of third-party cyber protection with the requirements and standards of the enterprise.”
Trust in Enterprise Relationships Must Be Earned, Based upon Evidence, and Validated
In enterprise partnerships, the alignment that McKinsey mentions must be built upon trust. A growing trend we see in cybersecurity is to investigate the cybersecurity trustworthiness of enterprise partners.
As an example, when companies become customers for our connected solutions, they trust us to protect them from cyberattacks as we implement highly sophisticated systems that are critical to their business success. But in today’s world, with cyberattacks happening more rapidly and on grander scales, we and organizations like us must earn that trust by proving and validating our cybersecurity postures.
Customer Requests: How Do You Protect Us When We Do Business With You?
To verify the reliability and trustworthiness of partners and third parties, customers now request information on their partners' cybersecurity postures through various inquiry processes and questionnaires. A request might be part of a sales or tendering process or a contract renewal. It might also be part of a customer's yearly security assessment of its partners' products or services, or arise from concern over a global cyber incident, such as the recent Log4Shell zero-day vulnerability (CVE-2021-44228).
Typical requests ask for information on a partner's cybersecurity, data privacy and product security initiatives. They may also include inquiries into compliance with regional cybersecurity and data privacy laws such as the European Union's General Data Protection Regulation (GDPR). Inquiries might also focus on security frameworks such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework, or on industrial cybersecurity standards such as the ISA/IEC 62443 series developed by the International Society of Automation (ISA) and the International Electrotechnical Commission (IEC).
Because cybersecurity maturity varies significantly from country to country, a partner that conducts business internationally responds to a diverse range of questions. Some inquiries contain only 10 straightforward questions on a partner's cyber posture, policies and certifications, while others are more complex, with up to 300 questions. These more in-depth questionnaires ask for information on specific topics such as vulnerability management, data protection, business continuity and incident response.
A Properly Managed Process Is the First Assurance of Trust
Customer requests for information are becoming more frequent, and responding to them is becoming an essential part of a partner's business. If a partner cannot prove and validate its trustworthiness, its relationships with its customers may suffer significantly.
To respond to these cyber-related requests, partners are advised to develop a process that produces clear evidence of their cybersecurity diligence and compliance. The process should deliver responses efficiently, seamlessly and on time, using standardized answers produced by a centrally managed team of experts who know the partner's actual security posture. Such a service is designed primarily to build a stronger relationship with the partner's customers, but open, consistent and clear communication also reduces legal and financial risk.
As a suggestion, the process may look something like this, depending on the size of the company:
- A field sales or tendering team within the third party or partner receives a questionnaire from a requestor and submits the request through an internal portal so that it can be handled.
- Technical and regional experts collaborate closely to draft the answer, supported by an answer-management tool and an official, maintained statement of the company's security posture.
- Once validated, the final comprehensive response is returned to the person who opened the case, who then shares it with the requestor.
Throughout, the questionnaire and the response must be archived and tracked so that they are compliance- and audit-ready.
Moving Beyond Trust
The process suggested here can give companies a proven and tested methodology for demonstrating trust and reliability to their customers. As the process matures, the model can be scaled up into a multi-domain service for customer questionnaires, covering not only cybersecurity but also related trust and reliability topics such as sustainability, ethics and compliance.