Watch our latest fireside chat with Doug Cahill: Cybersecurity Integrations: The ROI Black Hole

Third-Party Vendor Risk of Outsourcing Integrations

A developer writes code on a laptop in front of multiple monitors in an office setting.

Cybersecurity vendors occupy a unique contractual and operational space within customers’ environments. Customers have higher expectations around security vendors’ ability to understand the digital threat landscape, which translates into higher expectations for how vendors will comply with contractual security and operational requirements. 

As a security vendor, your third-party risk management (TPRM) strategy becomes increasingly complex as you develop an integration strategy that delivers the interoperability customers desire. Many security vendors opt to outsource API development, allowing their internal programmers to concentrate on enhancing the product’s core capabilities. However, outsourcing not only comes with hidden costs related to developing and maintaining these integrations, but the process also impacts your TPRM and other contractual requirements. 

Security vendors must consider how outsourcing API development affects their security, which in turn impacts their customers’ security. Additionally, they need to consider how outsourcing potentially impacts other contractual obligations. To maintain a cost-effective integration strategy that achieves business objectives while living up to the contract’s terms and conditions, security vendors should consider using a cybersecurity-focused Unified API or Integration Platform as a Service (IPaaS). 

What Are Some Common Clauses in Security Vendor Contracts?

When developing your integration strategy, consider how outsourcing API development will impact your existing customer contracts. Your contract typically includes a vendor risk management (VRM) requirement, but you may need to consider additional contract clauses, like service level agreements (SLAs).

Use of Subcontractors

In some cases, your customer may reserve the right to approve subcontractors who perform services under the contract. If you’re outsourcing the development of a custom API, the customer may require you to notify them so they can engage in their own due diligence. 

Subcontracts

Your contract may require that you incorporate the contract’s cybersecurity requirements into any contracts you have with outsourced talent. At the enterprise level, you can often access corporate cybersecurity compliance documentation. However, suppose you’re working with smaller development firms or individual developers. In that case, you might find that managing their adherence to these requirements requires more resources, especially if they have no external audit reports that document their security posture. 

Audit

In response to your customers’ TPRM requirements, you will likely need to agree to allowing them to audit you and any sub-vendors. For example, they may require you to provide reasonable and timely annual access to your contractors’:

  • Facilities
  • Installations
  • Operations
  • Documentation
  • Databases
  • IT systems and devices
  • Personnel involved in performing the contract

Fundamentally, your customer contracts will define how you write contracts for outsourcing your API development. Your contract with the subcontracted developers will likely include clauses allowing you to do these things as well. When building out your integration strategy, you should consider how you plan to handle:

  • Assessing developers and their security processes. 
  • Documenting your due diligence. 
  • Managing their access to your resources. 
  • Requesting security documentation. 

Documentation Requirements

When you deliver hardware, software, or services, your contract may stipulate that you provide documentation about functions, ports, protocols, and services, including:

  • Administration documentation that details how the customers’ internal teams can secure the technology. 
  • User documentation that details how to use the technologies and the customers’ responsibilities. 

When you outsource the API development, you may need to ensure that your subcontractor provides and maintains the appropriate documentation so that you can comply with your contractual obligations.

Service Availability

Most contracts will establish hosting and uptime targets that include a maximum allowed downtime. For example, some contracts might require greater than or equal to 99% uptime. Your integrations are part of your product and services which means that they, too, may need to meet these same uptime requirements. 

When you outsource your APIs’ development and maintenance, you may still need to supply the resources necessary to monitor the integration’s availability and work with the contractors to fix any issues within the boundaries of these shared contractual requirements. 

Support Availability

Similar to service availability, many contracts include help desk availability clauses. Your internal support team knows how to help customers troubleshoot and fix issues with your product. 

However, when you outsource the development and maintenance of an integration, you may end up relying on a contractor’s support team and their ability to respond to customer needs regarding issues with the API. 

Benefits of Using a Cybersecurity-Focused, Unified API for Your Integration Strategy

While your contracts may not contain all of these clauses, you should consider how working with a third party developer impacts your ability to meet your obligations. While working with contractors alleviates financial burdens and free up internal team members, the process can create other issues that may not be as obvious. 

Enterprise Level Security Attestation

When you work with an IPaaS that provides a Unified API, your vendor will have the same security attestations that you incorporate for your customers. For example, a platform that provides a Unified API will have completed independent third-party security audits so it can provide you with attestations, like a SOC2 report or a General Data Protection Regulation (GDPR) Data Privacy Agreement (DPA)

A cybersecurity-focused integration platform will understand the unique challenges that you face. The data that security APIs transmit is often different from the data that traditional business APIs transmit. For example, a cybersecurity-focused integration platform’s security audits will review its ability to protect data like:

  • Personally Identifiable Information (PII)
  • Payment card information
  • IP addresses
  • Host names
  • User credentials

By providing an integration platform’s audit documentation, you streamlines processes related to contractual obligations like:

  • Approving subcontractors: Customers have the information necessary to approve your use of the platform. 
  • Customer audit requirements: Customers may not need to engage in their own independent audits of the platform, improving their experience with your product.  
  • Third-party risk management: Customers have proof that you engage in due diligence to manage your own vendor risk. 

Integration Documentation

Working with an integration platform enables you to have continuously updated documentation. A Unified API means that the platform builds and maintains integrations across a category of technologies. For example, a cybersecurity-focused IPaaS would create a single API for each of the security technologies like:

  • Security event management
  • Ticketing and notification
  • Vulnerability management
  • Data Storage
  • Identity management
  • Endpoint security
  • Network security
  • Cloud security 
  • Asset management
  • Email security

Since you can provide your customers with a “one click” integration capability, they worry less about documentation. Additionally, by consolidating various tools into a limited number of APIs, the integration platform can more efficiently update documentation, helping you meet your contractual obligations. 

Service and Support Availability

By working with an integration platform, you transfer risks around uptime and support. Since the integration platform’s only responsibility is building and maintaining the Unified APIs, it allocates more resources to ensuring their health than your internal team could. Further, by focusing on categories of security solutions, the integration platform streamlines its API health monitoring, which improves overall availability. 

From the support services perspective, using the integration platform enables your help desk to respond to customer issues quickly and efficiently. Your support team only needs to work with the integration platform or the internal person assigned to it, unlike trying to contact the original third-party developer or identify an internal developer who understands one of several hundred APIs that various contractors developed. 

https://www.synqly.com

Richard brings over 15 years of experience in cybersecurity product strategy, threat intelligence, and marketing to Synqly. Drawing on his extensive background, he writes about market trends, enterprise attack surfaces, and the value of seamless security ecosystems. At Synqly, Richard is focused on eliminating "integration debt" and helping vendors effectively communicate the power of a faster, more secure approach to integrations.