- In adjusting to remote work, risks in third-party service delivery partners increased in an unforeseen way, said Andrew Stanley, Mars, Incorporated CISO, on an online panel hosted by MIT Sloan CIO Digital Learning Series last week.
- Third-party partners in "low-cost countries where the last-mile delivery infrastructure is based on working in taxing exclusion zones" posed a particular challenge for Mars. Employees in these regions were predominantly "desktop-only" users in an office, otherwise they would face local taxing authorities which are currently exempt for companies relying on uncapitalized communities.
- "There was just this massive scramble to get new technology in people's hands," said Stanley, which introduces risk in terms of how a device is set up, how individuals are using the devices, and who else in their home would have access to the device.
Some third parties were never ready for remote work. "I thought we were doing pretty well with our third-party program, but we didn't anticipate such a massive shift with a complete change in the way that technology would be delivered," said Stanley.
About eight in 10 "expert" companies in cybersecurity ensure their third parties comply with their security standards, according to a Hiscox Cyber Readiness survey of more than 5,500 security professionals. Hiscox scored companies' security expertise based on their ranking on strategy oversight and resourcing, and technology and process. Only 40% of "novices" do the same vetting of their third parties.
This year Hiscox labeled 18% of companies as experts, compared to 10% in 2019.
Last year, companies spent about $1.5 million on average in security, but increased spend to $2.1 million in 2020, with enterprises leading. Part of those costs are dedicated to increasing employee awareness programs, according to Hiscox.
During the initial six weeks of the work-from-home mandates, Mars took a cautious approach to running security exercises with non-technical employees. Since then, Mars re-engaged with employees as the company adjusts to long-term remote work, and overall change in its markets.
CEOs understand digital risk, but they might lack insight into associated risk. Because every employees' take on the role of security to some extent, Stanley reframes "security in the language of the business" by asking:
- How is security protecting Mars' margin? Is security allowing for revenue?
- Where can it allow Mars access to new markets?
- Where is it helping Mars maintain position in the markets, in terms of business to business or direct to consumer?
Engaging with customers on "microtransactions" is a "huge change" for the company and it has to be secure, said Stanley. "The only way it's going to be secure is if I frame it as a business problem. I can't frame it constantly as a technology problem."
Correction: This article has been updated to reflect Andrew Stanley is the CISO of Mars, Incorporated.