A matter of trust: how to live in harmony with your software suppliers
Yuliya Shlychkova, Head of Public Affairs
Today’s digital products and services are synonyms for mobility, efficiency, and convenience. In all spheres of our life, the adoption of ICT solutions continues to grow, with technologies irrevocably changing the corporate sector, public services, manufacturing, and the industry to name a few. The use of ICT helped automate business processes and improve their overall efficiency, erasing memories of the way these processes were handled before. But does the shift to digital technology always deliver more advantages? And are there precedents showing that the offline experience can overtake its digital equivalents? This seems to be the case when we speak about the mechanisms used for establishing digital trust.
A recent survey by McKinsey found that digital trust practices, meaning confidence in an organization’s ability to provide data protection, effective cybersecurity, visible data management practices, and trustworthiness, are almost as important as the product’s price or quality. In addition, every second B2B purchaser declared that they’ve pulled their business from a company that violated digital trust.
But how can a business ensure it is working with a reliable vendor?
One of the basic guidelines is to check the company is following applicable standards or examine the certifications it obtained to verify the trustworthiness of its products. It is also possible to gather some open-source intelligence to check if the company has previously been subject to data breaches or if any critical vulnerabilities have been found in its products.
Then, while moving forward with discussions, request detailed documentation on the software product from a vendor or ask it to fill in an “application security questionnaire” to find out which processes and tools the vendor employs to ensure information security. As part of an established practice, questionnaires such as these constitute a formalized approach, that provides only a limited view into the real situation.
Achieving digital trust in software and cybersecurity solutions specifically is, however, still challenging due to the fact that these products are unique in their nature and are characterized by high dynamism, with their work strongly relying on constantly released updates. Thus, confidence in the security of a particular product becomes obsolete once a new update appears. In addition, the absence of clear and robust legal frameworks, to guide organizations — from SMEs to large corporations — in ascertaining the reliability of their software supplier creates an even bigger challenge to organizations when ensuring the resilience of ICT supply chains.
At Kaspersky, to provide our customers with security assurances of the company’s products and services, we launched our Global Transparency Initiative (GTI), where we introduced a number of practical tools to validate and verify the reliability of our solutions. By launching the GTI, we aimed to turn the digital trust building from a bureaucratic procedure into hands-on and interactive experience for our customers. For example, one of central developments of the company’s GTI was the creation of a network of Transparency Centers, where the company’s stakeholders can check our source code, software releases and threat detection rules as well as receive all the required information about our data management practices among many other things.
The company’s first Transparency Center was opened in 2018 in Zurich. Since then, we have opened eight additional trust-building facilities in Europe, Asia-Pacific, and North and Latin America. This means we have a broader infrastructure for digital trust building than any other cybersecurity vendor. Four years later, in September 2022, we introduced a new type of Transparency Centers. Why the new format? It offers an exclusive overview of the company’s data management practices. It has become the most popular service among the visitors of these facilities since their launch.
We have discovered there is more demand for detailed information about data management and product architecture than for reviews of our source code, for example. This is due to the scarcity of software security assessment skills found among businesses today. In addition, the constantly changing environment dominated by rampant digitalization has pushed organizations to be more selective in choosing software providers. Therefore, businesses pay more attention to how the vendor protects company data in order to mitigate risks in the channels of distribution, with supply chain resilience recognized as “extremely important” by over 80% of respondents.
Thus, to qualify as a trusted partner, software providers have to be ready to answer any questions about their processes and practices and be open in tackling the queries from their customers.
With that in mind, Kaspersky is promoting its Global Transparency Initiative and expanding its network of Transparency Centers, introducing a new type of center that opened its doors in European cities — in Utrecht, the Netherlands, and Rome, Italy. They welcome the company’s partners and customers to explain to them in a completely transparent and clear manner what we distribute, how our products work and how we fight cybercrime.
These facilities serve as full-fledged information centers for the company’s stakeholders to visit. There they can learn all about the company’s security policies and practices, and get results of regular third-party security policy audits. For instance, visitors can get acquainted with the results of the SOC 2 audit by a Big Four auditor at Transparency Centers, or learn the outcome of ISO/IEC 27001 certification, proving the effectiveness of Kaspersky’s information security management system.
In addition, at Transparency Centers, our partners can meet with the Kaspersky experts ready to share the company’s own experience in managing software supply chain risks and choosing effective mechanisms and instruments to check the reliability of ICT solutions — like applicable standards, the certifications used to test the company’s products and internal systems along with best practices for evaluating software security.
Today’s ever-evolving cybersecurity and supply chain risks highlight the need to foster an open dialogue between software providers and their customers. They also emphasize the importance of creating functional frameworks where organizations can exchange experiences in accessing the security of ICT solutions and share the best practices to support each other in resisting digital security risks and facing them as a cohesive unit.
If you’d like to learn more about what our Transparency Centers offer or request a visit, please contact TransparencyCenter@kaspersky.com or following this link https://www.kaspersky.com/transparency-center-offices.