
Two terms that are used very often in the field of information security are “Due Diligence” and “Due Care”. The terms can often be confusing. In this post, I will try to explain the difference between them.
Due Diligence: Let’s first tackle due diligence. Due diligence is mostly about gathering information, conducting research, performing investigations, asking the relevant questions etc. In other words, it’s about knowing what you are getting into before you make the final decision. By performing due diligence, you hope to uncover as much relevant information as you can, so there are no surprises down the road later. For example, as an information security officer, you may have to work with various vendors/suppliers/third-parties. Before you formally engage with a potential vendor, you would want to make sure that they have the capability to fulfil all your requirements. How do you do that? You would check multiple things, like:
– their past performance
– their financial viability
– any pending litigations which could impact their ability to provide you services
– confirming whether they have sufficient resources to serve you 24×7, if that’s a requirement
– investigating how easy it would be to get out and move to a different vendor, if required
– verifying if they hold relevant certifications like ISO 27001, SOC2 etc. or comply with concerned regulations
– checking how they will keep your company information secure
– identifying all the risks your company is undertaking by engaging with that vendor
– etc.
As you can see, by asking such questions, or by gathering this information, you are trying to make sure that you understand all the potential pitfalls and risks that could come up because of you engaging with the potential vendor. The depth of investigation or inquiries would also depend on the type of potential engagement. If the vendor is going to be dealing with highly sensitive data, then you would want to be more thorough than if the vendor would be dealing only with minimal, publicly accessible data. The result of such investigation could lead you to identify certain red flags which could be big enough for you to explore a different vendor. So, this act of investigation, asking questions, gathering information is called due diligence.
Now, this term – due diligence – is not an information security specific term. It’s a general term that’s used outside of it as well. It’s mainly about acting responsibly, like a reasonable person would in any given situation. Another example – let’s say you got an employment offer from a company offering you a lucrative salary. Should you join the company just based on the salary? No, right? You’d ideally dig deeper and gather more details, like: what exactly is the work that you’ll be doing, how big is the team, who will you be reporting to, how’s the company culture, would it involve travel (depending on whether you like to travel or not), does it require relocating, are there training and development opportunities, does it have a remote working option, how long is the commute, and so on. So, if you joined the company without gathering all the necessary information and then regretted your decision a week later, that would be an example of a lack of due diligence.
So, that’s due diligence for you. Let’s move on to due care.
Due Care: Due care is about doing the right thing. It’s about doing what ideally should be done, so that you can prevent bad things from happening. It’s about taking all the necessary precautions, so you don’t hurt the business or the other people you’re dealing with. Let’s say you are accountable for the security of all the endpoints in your organization. As part of due care, you’re supposed to patch them regularly, so the possibility of someone exploiting them is minimized. Suppose you didn’t create any policy stating how quickly a patch needs to be applied after its release, and there’s no proper process or oversight around it either; if later there’s a vulnerability which you don’t patch for 3 months and it leads to a compromise of your environment, then that’s an example of a lack of due care. Not practicing due care could also lead to legal consequences, and you/your company could be sued for the damages caused. However, if you did all you reasonably could to avoid a security breach (e.g. by having a policy and process in place, applying patches in time, disabling unnecessary services, removing admin privileges, implementing proper access control etc.) but a breach still happened, then you may not really be held liable for the damages, because you practiced due care. So, it’s about taking the right steps, the right actions, to avoid or mitigate any potential damages.
Due diligence and due care are different but related concepts, and you’ll notice that often due diligence needs to be performed before you can practice due care. If due care is about doing the right thing, then it makes sense that you first gather the necessary information to identify all the areas which need attention, which need care. For example, if you are in charge of managing backups, then part of practicing due care would be making sure that backups are properly stored, testing them periodically, restricting access to only authorized personnel etc. However, before these due care activities can be performed, you’d want to gather information, like: where are the backups stored currently, in which locations, in what format, are they tested at all currently, who has access to them, how are they transported, how often is the data backed up, who are the data owners etc. Collecting all this information would be part of due diligence and will help you prepare for the due care activities.
Hope that helps you understand the two terms and the difference between them.