In Business, Who Can You Trust?
Trust in business used to mean looking a partner in the eye and having confidence in their integrity. The concept of trust has evolved over time as business itself has grown more complex and the interdependence of companies increased. Due diligence on business partners is now the standard practice. But even now, is standard due diligence enough?
When trusting your vendors gets put to the test, the cost could be astronomical. In 2013 and 2014 alone, a data security breach that came through one of Target’s vendors cost the company in excess of $162M. See TechCrunch. By 2017, this number for the same breach was estimated to be almost $300M. See Target’s 10-K filing for 2016. While the Target breach was massive in scope, affecting around 40M users total with this author included, the lessons learned are applicable to any business. It’s a lesson that’s still being learned daily, as 63% of all security incidents originate from or relate to a business’s third party relationships. See the IAPP.
Your customers trust you to keep their data safe, to act responsibly, and to comply with applicable laws and regulations. To live up to that trust placed in you by your customers, you need equal trust in your partners. Building business trust in today’s complex business environment takes a multi-pronged approach. It requires effort from both your vendors and your internal team.
So, who can you trust?
Knowing who you can trust is a process, and unlocking the answer starts with asking the right questions. Specifically, it means shifting the starting point from “Who can you trust?” to “How can you trust?” The following are some steps to consider when building trust between two organizations.
1. Understand the scope of the trust required by your business
No two third-party relationships are exactly alike, so it is important to have a clear understanding of the actual scope of the relationship between your business and each vendor you engage. That scope is usually mapped out during business discussions, but your team needs to go a step further and fully scope out the level of trust required for the relationship to be successful. For instance, banks and credit unions should already be mapping out in detail the scope of the trust required from each of their vendors in order to comply with regulations requiring third party oversight.
When Target contracted with an HVAC vendor and the credentials to their point-of-sale system were compromised by a hacker through that vendor, this was an example of failing to properly scope out the trust aspects of the relationship. Engaging an HVAC vendor should have required running an evaluation of that vendor’s trust capabilities with respect to data access for the point-of-sale system.
So how do you map out the scope of trust? For each substantive function of each service being provided by the vendor, your business needs to determine what level of trust is required to engender confidence that those services will be performed in a way that doesn’t add unnecessary risk to your business. This allows your business to determine what the scope of the access will need to be and, equally importantly, what is outside the scope of access, which also needs to be accounted for.
2. Align the scope of your business’s needs with the reality of the vendor’s
Understanding what you need from the relationship and the limitations your business needs to put on the trust it’s requiring is only half of the equation. Now that you know what you need, your business is in an optimal position to communicate those needs clearly to the vendor and to measure those needs against the capabilities of the vendor.
Communication is the first component of alignment, but verification is the rest of that formula for success. Your vendor needs to understand what levels of trust are being requested by your business, it needs to evaluate those needs against its capabilities (whether those are data security, regulatory compliance or corporate requirements), and it needs to be able to verify those capabilities to your team.
Whether you choose to run a manual process involving a checklist of requirements submitted to your vendors via PDF or spreadsheet, or you choose to automate the process with a technology platform, the critical function of this alignment comes in communicating the requirements clearly in a manner that the vendor’s team can understand and evaluate.
Leveraging expertise to help your business not only understand what it needs but also make sure the vendor understands what your business needs is critical to ensuring that the resulting relationship is one based on genuine trust rather than a false sense of security. This is often a missing component in existing due diligence programs, particularly when businesses have not taken the time to completely evaluate the reality of their needs versus generic requirements promulgated by regulatory bodies or industry trade groups.
3. Don’t let your trust in the vendor go stale
Finally, once you’ve done the hard work to understand what your business needs and to make sure that your vendors also understand and comply with your requirements from a practical perspective, don’t let that trust go stale. You may be able to trust a vendor on day one, but will you feel the same on day 400? Continuous updating and monitoring is the only way to ensure that your requirements continue to be met for the duration of your relationship.
While this may seem onerous, particularly given the rapid and ongoing changes to regulatory requirements as well as industry-standard security, it is vitally important to ensure that you can continue to trust the relationship that you spent valuable time qualifying at the outset. Updates must be made internally first and then distributed to the relevant third parties. As technology advances, software companies are looking to ease that burden. Ultimately, however, it is your responsibility to make sure that the trust you place in a vendor continues to be warranted as the relationship progresses.
It’s partly who, but it’s also how
With this process in place, you can stop asking yourself who to trust and give your business the methodology it needs to say, “This is how we trust.” From there, the decision of who to trust becomes much more clear-cut, and this process positively impacts not only your customers’ trust in your business, but also your confidence with respect to regulators, international relationships, and your insurance providers.