Independent Competence Platform
for Integrated Security in Switzerland.

An often unnoticed risk: Security firms have an average maturity when it comes to their own Governance, Risk and Compliance (GRC).

If you want to evaluate a security service provider/supplier or invest in a security company, you should take a closer look. There are noteworthy aspects to make life easier for customers, buyers, sellers and investors.

In this article I do not want to repeat decades-long practices that apply to vendor evaluation, merger & acquisition projects, participations and purchases. Rather, it is about highlighting some of the points I encounter during my work, points that are sometimes obvious but underestimated anyway. Points that one would not expect in this industry.

When interacting with a security firm, expectations towards secure information processing are normally higher than for other market players. This article isn't about badmouthing an entire industry, my industry by the way. It's about showing where there might be risks and that security companies employ people with all their strengths and weaknesses. Risk Management is about looking at where it hurts.

Are you now thinking "this guy is paranoid"? Then search the internet for examples such as Kaspersky, LastPass, BitDefender, Cyberoam, etc.

1. Choosing a security provider/supplier
The provider sells you a consultancy, a security service or a product. This does not necessarily mean that the provider applies the same in its own security organization. In dozens of security projects and audits I have experienced that basic actions like data exchange happened via unsecured paths, email, sharing tools, poorly secured storage platforms (sometimes embedded on the provider’s website), etc., often for the sake of time and convenience, and in the end often to make the customer happy. I can tell you from experience that the situation has not improved over the last 15 years.

Information exchanged in security assessments and audits is often highly sensitive. The assessment/audit report is the tip of the iceberg; the larger portion is supporting material like strategies, configuration setups, risk assessments, floor plans, scan reports, you name it.

Consider the following:

  • The application of the vendor evaluation process is crucial for security firms (consultancy, service and solution provider), but often reduced to a self-declaration.
  • Referenced standard certifications often have the service or product in scope, not the organization running it as a whole. Certifications are often misused as a marketing instrument, again an aspect that is common for all industries.
  • Can you afford that the individual who works for you as a security consultant has a relevant criminal history? Most of the time we rely blindly on contracts.
  • The security provider has a lot of information about you. This information needs to be processed (stored, transferred and destroyed) and this must happen in a traceable and secure manner.
  • The agglomeration of all client information makes this type of company an interesting source during the reconnaissance phase of attacks.
  • Information exchange, including of sensitive information, is often performed via unsecured email.
  • Can you afford that the information exchanged about you is disclosed to the public? Any kind of security measure might be breached occasionally, e.g. state-of-the-art encryption might be broken in the near future.

Takeaways should be:
1. Security providers need special attention, rather more than average
2. Ensure your vendor evaluation process considers “critical vendors” and make sure security firms fall into this category
3. Consider requesting criminal records for certain external employees and consultants, depending on the criticality of the task they perform and the environment they work in.
4. Establish security training and awareness for the purchasing department
5. Be extremely reluctant to be listed as a reference customer by security companies. I mean publicly; on a need-to-know basis the risk is much smaller.
6. Onsite vendor audits for security providers should be mandatory; exceptions need to be justified and documented. Put the most experienced and knowledgeable auditors on these audits.
7. Remediation actions identified by security vendor audits must be managed seriously.
8. The providers have the same percentage of disgruntled employees as normal companies – but these unhappy employees might know more of your risks and weak spots than your own disgruntled employees.

"Exploits in security products make you a simple target if the attacker knows you are using them."

2. Investment, Merger, Takeover of a security provider

First Aspect – Reputation
There are two considerations, those of the investor and those of the object of purchase or investment.

Always assume that an investment will be public no matter how large or small the share is. E.g. will your EU or US government clients accept a major or even minor Russian investor?

As a group, assume that the investments of your subsidiary will be associated with you. This means that if a subsidiary buys or invests in a company, the misconduct of this purchased company can fall on your reputation. It does not matter whether the misconduct was intentional or unintentional.

On the opposite side, is it ok for the company to have this investor? You can assess and control the initial investment. If your investor itself gets bought by a "bigger fish", this is out of your control.

So regardless of how well you do your initial due diligence, these cases and many others can occur later.

Takeaways should be:
1. Check if the visions, values, strategies and cultures match; consider all your Stakeholder Groups in this evaluation
2. Review and update your Merger & Acquisitions questionnaire or your due diligence Risk Assessment
3. Ensure recurring Risk Management includes reputation risks of all investments at least every 12 months

Second Aspect – Maturity Level of the Investment Subject
Security Companies are not secure per se! The shoemaker always wears the worst shoes!

This aspect bears a variety of risks, e.g.

  • Data breach exposes client information e.g. audit reports with vulnerabilities
  • Bad media attention
  • Business Risks not managed

The risks and the measures vary for the different maturity levels of the organization.

Is it a startup or a mature organization?

Takeaways should be:
1. Consider the organizational maturity, evaluate the governance, processes etc. [Company Level Controls]
2. Evaluate the organization's own security – is or was it exposed?
3. If a product is provided – evaluate the development process, testing etc.

Third Aspect – Founders and other key personnel
Acquiring or investing in a company often foresees the ongoing employment of the founders, former owners and key personnel.

Founders and other key personnel have had the greatest freedom to act until now. Suddenly someone else tells them what to do and eventually how to do it. Ask yourself: what is their motivation to put up with this new situation? Money? Money is a bad motivator in the medium and long term.

Consider the following aspects:

  • Resistance to the change in ownership can be open or hidden
  • The opinion on the strategy can lead to disagreement (disgruntled employees)
  • Shareholder structure can lead to a stalemate
  • Some clients might have a strong relationship with the founders; you could lose them if the founder leaves later

Takeaways should be:
1. Identify key personnel and evaluate their commitment to continue in the changed setup
2. Take an arbitrary decision whether you want to keep founding owners in the company
3. Accompany at least the initial phase after the investment with a professionally led organizational change project
4. Communicate professionally, i.e. with professional support: target-group oriented, timely and clear.

In summary, it can be said that most of the risks listed above will never occur for most of us, so the likelihood is "low". But as a risk manager you have to ask yourself: are these risks under control? And are these risks included in my recurring considerations? A few small changes to existing processes, such as "higher classification of security providers" or extended vendor evaluation, can help to further reduce the likelihood and the potential impact.

For example, certain roles in HR are defined in such a way that they require a copy of the criminal record of the candidate. An external employee or consultant is often not subject to these requirements.

You need to decide if it's worth the effort given your individual situation.
