Ronald Reagan famously quoted an old Russian proverb when dealing with the Soviet Union – “Doveryai, no proveryai,” which translates to “trust, but verify.” As companies grow their third-party supplier ecosystems out into the global cloud, this proverb has become increasingly relevant today.
It’s a problem faced by businesses of all sizes – from the largest Fortune 500 enterprise to two-person shops run out of the garage. The incredible advantage of tapping into a global ecosystem of cloud-driven providers lets small businesses gain access to services and brainpower that would not otherwise be possible. Access to suppliers in the cloud gives small businesses the possibility of competing on more of an equal playing field with larger competitors without having to build up a large in-house staff, and it gives large enterprises the ability to “go lean” in a business climate where cost advantage is everything.
But the result is a dependence on suppliers we have never met face-to-face. By itself, this is not an issue – but according to a report from Softtek titled “The State of Digital Third-Party Risk 2016: In Partners we Trust,” over half of organizations surveyed have not made any allocation for a third-party risk management system. Suppose, for example, that you run a small business. Instead of hiring an accountant in-house, you use a service. You don’t run your own data center, and instead simply rely on the cloud-based Amazon Web Services. You hire graphic artists and marketing professionals through a cloud-based platform like Upwork. Even though you may have only four or five employees, there may be hundreds of people who indirectly work for you. Most of them can probably be trusted, but as any risk manager will tell you, “trust” should never be the foundation of any procurement model.
The companies that provide the infrastructure through which you connect to cloud suppliers – which are cloud suppliers themselves – do typically have rigorous security protocols in place, simply as a matter of market necessity. Cloud data centers tend to be far more secure than their in-house equivalents, and the platforms that connect you with third-party suppliers, like Upwork, similarly have checks, balances, and protocols in place to ensure that transactions go as smoothly as possible. But is it enough?
According to the Softtek report, companies rely on the third parties they do business with to implement security best practices, yet an analysis showed that in 2015, third parties failed more controls than in the previous year, with over half of the third parties failing to pass key controls.
The alternative would be reverting to the old absolute-control model of in-housing everything, which is inherently inefficient, costly, and ultimately impractical. Newer lean models require building up an ecosystem of third-party suppliers, but for that to be effective, the network of suppliers should be seen as an extension of the enterprise and given as much scrutiny as it would receive if the service came from an internal department.