Join Felicia King in this eye-opening episode of Breakfast Bytes as she unravels the concept of third-party information security risk management. Felicia highlights the growing debates around software as a service (SaaS) platforms and the complexities they entail, raising poignant questions about security, backups, and risk.
Dive deep into the intricacies of backups—from on-premise practices to the vulnerabilities introduced with SaaS. Felicia draws parallels between the supply chain practices of ancient times and the critical information security strategies needed in today's digital landscape.
Through vivid storytelling and expert insights, discover why making informed decisions about SaaS requires more than just evaluating business functionalities—it demands a comprehensive risk management strategy and the right technological expertise. Don't miss this narrative packed with actionable advice for becoming an informed risk decision maker in the world of technology.
Quick recap
Felicia discussed the importance of third-party information security risk management in the technology industry, emphasizing the need for comprehensive backup methods and informed decision-making when evaluating software as a service solutions. She highlighted the misconception that Business Continuity and Disaster Recovery is primarily an IT problem, stressing the importance of business processes and human continuity. Felicia emphasized the crucial role of involving a qualified Chief Technology Officer in the evaluation process of software as a service solutions to ensure proper security measures, backup capabilities, and role management are considered before making procurement decisions.
Third-Party Information Security Risk Management
Felicia discussed the importance of third-party information security risk management, also known as counterparty risk, in the technology industry. She highlighted that this topic has been underestimated and is becoming increasingly relevant as more legacy applications are considered for replacement with software as a service (SaaS). Felicia emphasized the need for informed risk decision-making and raised awareness about the nuances of backups, which are crucial for information security risk management. She also mentioned that the approach to backups should be based on the end goal of restoration, and that relying on a single backup method can be naive.
Comprehensive Backup Strategies for Businesses
Felicia discussed the importance of backup methods for businesses, emphasizing the need for a more comprehensive approach than the standard 3-2-1 method. She highlighted the limitations of cloud storage and the need for brick-level backup, which allows for the recovery of individual objects or databases, rather than the entire server. This flexibility is crucial for businesses, especially those with complex systems like enterprise resource planning tools, where rapid and easy recovery from backups is essential for scenario planning and testing.
BCDR: Business Processes Over IT
Felicia discussed the misconception that Business Continuity and Disaster Recovery (BCDR) is primarily an IT problem, emphasizing that it is 80% about business processes and human continuity. She highlighted the importance of moving away from legacy apps due to their high maintenance and operational costs. Felicia also pointed out the limitations of on-premise infrastructure in meeting uptime requirements, suggesting that software as a service could be a more viable option. She concluded by stating that most businesses cannot afford the same level of uptime as software as a service, despite what are sometimes higher monthly fees for SaaS.
Involving CTO in Software Evaluation
Felicia emphasized the importance of involving a Chief Technology Officer (CTO) in the evaluation process of software as a service solutions. She highlighted that without a CTO, the evaluation process lacks essential technical questions, such as security, access control, integration with onboarding and offboarding processes, and backup and restore capabilities. Felicia stressed that these technical aspects are crucial for a successful procurement and should be evaluated before making a business decision.
Involving Right People in Pre-Procurement
Felicia emphasized the importance of involving the right people in the pre-procurement phase of software as a service, such as a qualified CTO, to ensure proper backup and security measures are in place. She used the example of XERO, an accounting platform, and its lack of native backups, requiring an additional third-party add-on, Control C, for backup solutions. Felicia stressed that without a competent CTO, it's impossible to make informed decisions based solely on price quotes from software companies, as additional costs for competen