Treacherous 12 Part 9: Insufficient Due Diligence


Time: 12 hours 57 minutes
Difficulty: Intermediate
CEU/CPE: 13
Video Transcription
>> Treacherous 12, number 9, insufficient due diligence.

In this lesson, we want to talk about the risk of insufficient due diligence, its impact, and techniques and processes to reduce the risk of insufficient due diligence.

What exactly is insufficient due diligence? Due diligence is really the process of evaluating any inherent risks or shortcomings associated with vendors, partners, technology that you purchase, etc. The due diligence process is highly important because if you don't appropriately evaluate your requirements and the security and compliance risks associated with vendors, it opens up your company to all kinds of problems in the cloud.
One, if you don't appropriately vet your cloud services provider, you may get locked in and end up receiving services at a higher cost than you could elsewhere. That's just an inappropriate use of business funds. Or the provider may not be able to perform up to the standards that you need for your organization.

The other thing is, if you aren't doing appropriate due diligence on where a cloud provider is located and the locations of its data centers, they could be in countries with different laws that don't meet your compliance obligations. This could result in compliance failures, which could mean regulatory penalties or lawsuits from your customers. It could also open you up to other security risks and more vulnerabilities if the provider isn't really meeting their own security and compliance obligations to maintain their cloud infrastructure and data centers. The same is true of any vendor you're using in the cloud.
Now, how do you protect your organization around the risk of insufficient due diligence? Really, it's about defining your due diligence process: what are your regulatory requirements? What are your business requirements? What are the security requirements that underlie and support those business requirements?

Now, doing the reflection on what your business really needs to be evaluating when it comes to risks in the due diligence process is the easy part. Implementing sufficient due diligence is the hard part.
There's always a desire in business to move quickly to make a decision, to find vendors and solutions and implement them. It can feel difficult, or a bit of an obstruction sometimes, to say, wait, we want to make sure we fulfill our due diligence obligations, we want to make sure that we're addressing all possible risks to the organization. You should do this really by building an effective checklist, building consensus around what the due diligence process is, and ensuring that there are ramifications for individuals or groups that do not adhere to the due diligence process.

You really have to make sure there are effective controls in place so that once a contract is signed by legal, funds are not sent to the vendor until due diligence is properly conducted and documented. You really should see due diligence as a way to slow down so that you can go faster, so that your organization can apply its resources in the cloud, get what they really want and want to pay for, and do so in a secure manner that reduces the cost associated with risks incurred by choosing the wrong vendor in the future.
This is a reflective moment. What is your due diligence process? If you have ever purchased something or considered getting proposals from a vendor, you must have some familiarity with the organization's due diligence process, and if not, perhaps you should look into how we evaluate and vet the risks associated with vendors that are in the cloud.

Then, what mechanisms are in place to enforce appropriate due diligence? This is very important. There's a psychological bias to try to move quickly to make a purchase, and this does depend on your company's culture. However, as a security professional, you should think about what checks we are putting in place to curb this desire to move forward with the vendor without really evaluating all the risks. How do we make sure that we are really doing what's appropriate for our organization, and potentially our shareholders, to ensure that we've identified and addressed all compliance and security-related risks with a vendor before moving forward?
In summary, we talked about the risks of insufficient due diligence in the cloud, and we talked about the impact for your organization, which can be many and multifaceted. Then we talked about methods to address the risks of insufficient due diligence, which is really defining your due diligence process and ensuring there are appropriate checks in place so that the process is done in a very comprehensive manner, because ultimately it's going to save your organization money and costs associated with risks and decreased performance in the future.

I'll see you in the next lesson.