I’ve spent almost 30 years in the IT security space and half of that engaged with Third-Party Cyber Risk Management, and I frequently get asked, “I know I need to have a third-party cyber risk management program, but I don’t know where to start.” Having built several repeatable programs, I want to share some of the steps and tips on getting started building an effective program.
Know your vendor pool – If you are not 100% confident that your organization has on-boarded, vetted and taken absolute accountability for every single third party you are using, I recommend a three-pronged approach. First, reach out to Accounts Payable and get a 1-year list of all outgoing payments. Ours started with a 10,000-line spreadsheet, but within a day or two was carved down to a manageable 400-payee listing once individuals, subscriptions, and single-payment services were removed. Second, compare your list against the records of the department that manages legal or contracts. Finally, with these steps completed, reach out to department and unit leads and relationship managers to confidently finalize your list.
A little risk here, a little risk there – Develop a succinct set of scoping questions, to be completed by the owner of the relationship, that focuses on the risk of the relationship. Consider limited-response questions (yes/no, multiple choice, etc.) to reduce the possible responses and avoid receiving essays. Questions I have seen used in the past:
- What is the classification of the data to be shared? e.g. Confidential, Public, Sensitive, etc.
- Will the vendor process, store or transmit regulated data? e.g. NPI, PII, PHI, EU Privacy, etc.
- Where will the service of the vendor be performed? e.g. on-premises, at vendor location, remote, combination of multiple locations, etc.
- What is the concentration risk of using this third party? e.g. no viable alternatives and activity cannot be relocated within a reasonable timeframe or cost; limited viable alternatives and activity could be relocated within a reasonable timeframe or cost; many viable alternatives and activity could be relocated at an acceptable timeframe or cost, etc.
- What is the level of regulatory compliance risk associated with the product or service activity? e.g. High risk – failure to follow prescribed directives may result in substantial fines, restrictions and/or major concerns by regulators; Medium risk – some risk of fines, restrictions and/or concerns by regulators; Low risk – possibility of loss from non-compliance is remote
- What is the potential vendor non-performance impact on the Supplier’s reputation? e.g. High risk – reputation risk or significant monetary loss would result from substantial non-performance; Medium risk – some reputation risk or monetary loss would result from non-performance; Low risk – little to no reputation risk or monetary loss would result from non-performance, etc.
Responses to questions such as these will allow you to develop a risk profile, so that each third party can be assessed with the due diligence appropriate to the risk it presents.
Not all vendors are created equal – Organizations often use a scale between three and seven category levels. I have often found that too many categories over-complicate the assessment process and too few have the potential for leaving gaps. A ‘balanced’ scale is something along the lines of: Critical, High, Medium, Low and No Security Review Necessary. These qualifiers tell you the depth of due diligence that should be conducted based on the associated risk of the third party. Critical relationships should be reviewed with the most granularity to ensure the third party protects the data to the same level you protect the data; as the risk is reduced, the due diligence should be lessened.
Not all tools are created equal – Creating your own assessment tools and questionnaires is reminiscent of re-inventing the wheel. There are a multitude of tools, like the CyberGRX Exchange, and vendors that exist to provide the data needed to make an educated and reasonable assessment of risk based on information gained from industry metrics, control effectiveness, risk identification, proprietary analytics, open sources, dark net, etc. Tools should be evaluated and chosen to provide a unique perspective and to enhance and support your program, not to run it for you. Tools are invaluable at correlating massive amounts of data and helping the program leader identify potential gaps, evaluate process recommendations and isolate remediation requirements to boost your third party’s security posture.
The initial steps toward establishing an effective Third-Party Cyber Risk Management Program require effective knowledge of your vendor pool, establishing a risk profile, qualifying the due diligence granularity of the third party and embracing tools that will help you to evaluate data to meet your organization’s risk appetite.
SENIOR SECURITY RISK ANALYST