A recent Bitdefender article said one in ten firms will lose $10MM from cyberattack and, as a result, greater investment in cybersecurity is being made by companies. That’s great! BUT cybersecurity firms, by the nature of the service they provide, may represent a greater security risk than ‘normal’ vendors. Here’s a story to illustrate what I mean.
Last year, we were doing several deals as part of a large cybersecurity push for one of our global consultancy Clients. Several of these deals involved providing the various cybersecurity vendors access to data, email, or our user base. Sure, the services were intended to shore up and track access to the data, to filter emails for malicious content, and to train our users in how to better avoid phishing scams; but the obvious irony is that providing that access to the cybersecurity vendors represented a vulnerability in itself. When we brought this up to our Client and the vendors, it was laughed off as a triviality. After all, who is more interested in your security than a cybersecurity vendor?
In our experience, cybersecurity deals seem to be highly visible and often associated with more importance or criticality than similarly-sized non-security-related deals. This means the business people are often pushing to get them done quickly, often banking on the idea that “they’re security firms, of course they’re secure…it’s what they do.” However, when we asked the vendors to see their standard agreements, those told a very different story… namely that these cybersecurity vendors were either no more interested or willing to take on the burden of data protection, or they were just as unsophisticated in how to contract for proper data protection as ‘normal’ vendors.
Of the 3 projects I worked on as part of this push, one of them was easily in the top 5 most difficult negotiations I’ve ever been involved in. It took 8 months of hard work almost exclusively because the vendor did not want to bear any financial risk of data loss or exposure, even though the exact purpose of their tool was to—you guessed it—limit data loss and exposure. We ended up not doing one of the other deals because the vendor not only couldn’t make any promises with respect to data protection, but once we obtained their contract documentation, we discovered that one of their main products required providing the vendor access to EVERY SINGLE EMAIL sent or received by this 200,000+ employee firm. Nothing in the initial proposals from, or discussions with, the vendor clearly articulated how invasive their product was, so the business team didn’t even know.
All this is to say, data risk is kind of the hot potato of the IT industry. Nobody—not even cybersecurity firms—wants to be left with the blame and everyone is trying to protect themselves first. Don’t wrongly assume your cybersecurity vendor understands your data protection requirements, knows how to accommodate them and, most importantly, wants to take responsibility for doing so. Before sharing valuable data with vendors—of any kind—make sure they are prepared to protect your data and accept the risk that comes with doing so.