The Price of Risk: How California Weighs Security in IT Procurement

From evaluating audit histories to limiting contractor access, state cybersecurity leaders say due diligence and early cross-team engagement are essential to keeping vendor partnerships secure — and sustainable.

When governments buy IT goods or services, the choice comes down to more than just the price tag. A successful deal hinges on a number of other factors, not the least of which is the risk associated with the vendor and its subcontractors.

State agency and private-sector representatives talked through these considerations during a panel discussion at the California Cybersecurity Education Summit* in Sacramento last week.

Among the more pressing considerations for participants is the handling of organizational data. For the state, the sensitive data being accessed by a vendor could include health, financial or personally identifiable information.

Kory Fesliyan, statewide risk program manager with the California Department of Technology’s (CDT) Office of Information Security, said fully understanding the vulnerabilities and background of a new contractor is critical, especially those located outside of the U.S.

“We also want to know if they've had any recent audits or any assessments, and if they can share any of that information with us, the gaps of that supply chain of that vendor [which] is going to be inherited by our department, or whatever department ends up carrying that service,” Fesliyan said.

The same level of analysis is needed on the department side, he added: the outcomes of a department’s own recent audits, security assessments and similar reviews can be key indicators of whether it is ready to take on additional risk with a particular vendor.

“Some of these vendors provide services to multiple state departments, so it's not just a one-to-one relationship. Oftentimes, it's that vendor getting hacked, and then it's impacting maybe 10, 20, 30 different state departments,” Fesliyan said. “So we have to do our due diligence to understand how much risk the state is taking on by not only doing business with vendors, but their offshore resources in particular.”

When evaluating vendors, CDT applies a calculation that includes the potential cost of each exposed data record, the number of records that a particular system has, and other factors to weigh against estimated savings from the vendor in question.

Onboarding and offboarding are other areas where a government organization is likely to focus its attention when working with a new vendor, said Alex Bonnifield, advisory solutions consultant with SailPoint Technologies.

While the state has its own struggles managing access for new and departing employees, departments will not be keen on accepting unnecessary risk in this area from contractors or other third parties, he warned, recommending regular access reviews.

IT may serve as the custodians of access, but he puts much of the onus on project managers to determine whether the right individuals are accessing systems.

“I think overall, it's applying least privilege, not just across your workforce, but you know, across your contractors or third parties, as well as making sure that they really only have the access they need to do their job that they're contractually signed up to do,” he said.
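The review the panelists describe, checking that each contractor account holds only the access its contract calls for, and that nothing survives the end of the engagement, can be run as a routine script. The following Python example is added here and is not code from SailPoint, CDT or anyone on the panel; the vendor names, system names, dates and the `Contract`/`Account` record layouts are constructed assumptions standing in for whatever an identity system and a contracts register actually export.

```python
"""Periodic contractor access review (added example, constructed sample data).

Compares what each third-party account can currently reach against the scope
and end date of the vendor's contract, and reports three kinds of excess access:
  out_of_scope     - a system the contract never called for (least privilege)
  contract_expired - access that outlived the engagement (offboarding gap)
  no_contract      - a third-party account with no agreement behind it at all
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import Iterable


@dataclass(frozen=True)
class Contract:
    vendor: str
    allowed_systems: frozenset[str]  # systems the statement of work actually needs
    end_date: date                   # last day the engagement is in force


@dataclass(frozen=True)
class Account:
    user: str
    vendor: str                      # which contract this person works under
    systems: frozenset[str]          # systems the account can reach today


@dataclass(frozen=True)
class Finding:
    user: str
    system: str
    reason: str


def review_access(accounts: Iterable[Account],
                  contracts: dict[str, Contract],
                  today: date) -> list[Finding]:
    """Return every (user, system) pair that a reviewer should revoke or justify."""
    findings: list[Finding] = []
    for acct in accounts:
        contract = contracts.get(acct.vendor)
        if contract is None:
            # No agreement on file: every entitlement is unexplained.
            findings.extend(Finding(acct.user, s, "no_contract") for s in acct.systems)
            continue
        if contract.end_date < today:
            # Engagement is over; anything still granted is an offboarding miss.
            findings.extend(Finding(acct.user, s, "contract_expired") for s in acct.systems)
            continue
        # Active contract: flag only what lies outside the contracted scope.
        for system in acct.systems - contract.allowed_systems:
            findings.append(Finding(acct.user, system, "out_of_scope"))
    # Deterministic order makes the report easy to diff between review cycles.
    return sorted(findings, key=lambda f: (f.user, f.system))


def sample_review(today: date = date(2025, 3, 1)) -> list[Finding]:
    """Run the review over constructed sample data (hypothetical vendors and systems)."""
    contracts = {
        "Acme Consulting": Contract("Acme Consulting",
                                    frozenset({"claims-portal", "reporting-db"}),
                                    date(2025, 6, 30)),
        "Beta Staffing": Contract("Beta Staffing",
                                  frozenset({"hr-system"}),
                                  date(2024, 12, 31)),  # already ended
    }
    accounts = [
        Account("alice", "Acme Consulting", frozenset({"claims-portal", "reporting-db"})),
        Account("bob", "Acme Consulting", frozenset({"claims-portal", "payroll-db"})),
        Account("carol", "Beta Staffing", frozenset({"hr-system"})),
        Account("dave", "Gamma LLC", frozenset({"reporting-db"})),  # no contract on file
    ]
    return review_access(accounts, contracts, today)


if __name__ == "__main__":
    for f in sample_review():
        print(f"{f.user:<6} {f.system:<15} {f.reason}")
```

Run on the constructed data, alice passes cleanly, bob is flagged for `payroll-db`, carol is flagged because Beta Staffing's contract ended before the review date, and dave is flagged because no contract explains his account. The design choice worth noting is that the script does not decide what access is correct; it only surfaces the gap between what was contracted and what was granted, which is the question the project manager and the business owner are being asked to answer.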

Having cybersecurity teams engage with other parts of the organization — business, legal, etc. — early in any project is a key driver of success, said Stephen Meyer, senior security consultant with World Wide Tech and former Missouri CISO.

“Security can be kind of the leader of that, right? That, ‘Hey, let's get all these groups together,’ instead of having security just kind of being brought in at the last minute,” he said. “Have security be the leader in that and say, ‘Hey, I want to help, and I want to be in charge of bringing these teams together so we can make wise and less risky decisions.’”

Coming to the cybersecurity team at the 11th hour with a request makes evaluating a new application or tool very difficult, he said, referencing his experience as a state CISO.

California State Teachers’ Retirement System CISO Dylan Pletcher drove home the importance of collaboration between units and governance in the broader procurement process, saying that various stakeholders have to be accountable for their decisions.

“I hate to say the governance word … not a lot of people are a fan of governance, but if it's not done right, if it's not done well, then you're going to fail,” Pletcher said. “So, get that in place — that has to be upfront.”

*The California Cybersecurity Education Summit is hosted by Government Technology, Industry Insider — California's sister publication.

Eyragon is the Managing Editor for Industry Insider — California. He previously served as the Daily News Editor for Government Technology. He lives in Sacramento, Calif.