Managing Third-Party Risks to Prevent BreachesHCL CISO Anuj Tewari on Improving Vendor Management
To help prevent breaches caused by third parties, organizations need to improve their vendor risk evaluation methods, carefully assessing their business partners' processes and risk mitigation methods, says Anuj Tewari, CISO of HCL Technologies, an IT services firm.
Tewari will be a speaker at Information Security Media Group's Fraud and Breach Prevention Summit in Mumbai on Dec. 6-7.
"Most breaches in the past five to 10 years were essentially breaches which happened because of a material weakness beyond the core business, Tewari says in an interview with ISMG. "So when we are onboarding a vendor, it's important to understand how much access [to data] we give to them."
Vendor management is becoming more challenging as more data moves to the cloud, he adds.
Because companies have so many third-party contracts, they should focus on rigorously auditing the risks of those vendors who will have the most access to data, Tewari stresses. "It's important to save ourselves from audit fatigue," he says. "There are thousands of vendors that CISOs deal with. How much can we spend on assessing them? Do we apply all controls to each one of them?"
In this interview (see audio link below the image), Tewari speaks about:
- The key steps of onboarding a vendor;
- Other key third-party management issues;
- How to handle the termination of a vendor relationship;
- Security trends to look for in 2018.
Prior to joining HCL Technologies, Tewari was head of the cybersecurity practice for Asia, Middle East and Africa at CSC. Before that, he worked at IBM, GE, Convergys and other companies in various capacities.