What's Happening?
The California Department of Technology (CDT) is emphasizing the importance of security risk assessment in IT procurement. During the California Cybersecurity Education Summit, state agency representatives discussed the need to evaluate vendors and their subcontractors, especially those located outside the U.S., for potential vulnerabilities. Kory Fesliyan, CDT's statewide risk program manager, highlighted the value of reviewing a vendor's audit history and prior security assessments to gauge the risk it poses. The CDT applies a calculation that weighs the potential cost of exposed data records, along with other factors, against the savings of engaging a vendor. Onboarding and offboarding processes are also scrutinized to ensure that contractors and third parties hold only the access needed to perform their duties, and that this access is revoked when the engagement ends.
Why Is It Important?
This focus on security in IT procurement is crucial for protecting sensitive data, including health and financial information, from breaches that could affect multiple state departments. By assessing vendors thoroughly, the CDT aims to mitigate the risks associated with offshore resources and to ensure that the state does not inherit vulnerabilities from its partners. The initiative underscores the importance of cross-team collaboration, with cybersecurity teams leading efforts to bring business, legal, and other units into the procurement process early. This proactive approach is intended to prevent last-minute security evaluations, which leave little time to act on findings and so increase risk exposure.
What's Next?
The CDT's approach may lead to more stringent security protocols and governance frameworks in IT procurement, potentially influencing other states to adopt similar measures. As cybersecurity teams take a leading role in procurement processes, there may be increased accountability and transparency in vendor relationships. This could result in a shift towards more secure and sustainable partnerships, with a focus on minimizing risk and maximizing data protection.
Beyond the Headlines
The emphasis on security in IT procurement highlights broader ethical considerations regarding data privacy and the responsibility of government agencies to safeguard public information. As technology continues to evolve, the need for robust security measures becomes increasingly critical, potentially driving innovation in cybersecurity solutions and practices.