Conventional wisdom tells us that the cadence with which we should reassess a vendor’s cyber security posture should be dictated by the amount of exposure it creates. To date, however, the frequency of vendor assessments has been driven more by time elapsed than by risk. A commonly accepted approach has been to reassess high risk vendors annually, medium risk vendors biennially and lower risk vendors triennially or less often, and this approach has served as ongoing monitoring. Given the frequency with which threats arise and evolve, however, I would posit this time-stamped vendor assessment method is dead, or perhaps it should be.
Target has long been our go-to use case for stronger third-party cyber risk programs, but lately we seem to have more third-party breaches than we have time to dissect. Digital ecosystems are growing faster than current assessment methodologies can keep up with and for this reason I present a new definition of ‘ongoing monitoring’ for your consideration. Instead of assessing your vendors on a set time frame, assess them as frequently as needed to keep up with the changing threat levels. For example, a threat could develop over a week or a breach could occur overnight. An annual vendor assessment might not catch these for another 11 months. A dynamic and ongoing approach, however, has a greater a chance of catching these threats as they occur.
Assessment data at the highest risk levels should be as dynamic as is practical. To achieve this, however, vendors must be willing to participate in a paradigm shift to pushing information as opposed to begrudging the request for data. And the requesting customer must be willing to adopt a more streamlined approach to vendor assessments, so their vendors can easily share and update their data. Basically, the market needs a new model that will benefit both sides.
Third Parties tend to look at vendor assessments and right-to-audit clauses as a nuisance to be suffered when conducting business. I agree that the way vendor risk management is typically conducted presents little upside to the vendor. I would go further to say that the current approach provides little upside to the enterprise as well. The ubiquitous yes/no questionnaire is typically not linked back to risk statements that are linked back to attack scenarios e.g. are unique ID’s used to access applications? What does yes or no actually tell me? What happens if unique ID’s are not used? This is a good methodology for complying with regulatory oversight as it shows that you have a repeatable way to come to the same conclusion given the same data set, but doesn’t do much in the way of managing risk or understanding the impact of a ‘no’ answer.
We need to modify vendor assessment protocol in a way that incentivizes both sides to share information on an ongoing basis. Many companies have created compliance web sites whereby they publish their policies, procedures and SOC reports and point their clients to the page. If risk management were a simple pass/fail evaluation, then this method alone would have resolved the duplicitous and inefficient nature of status quo long ago. Bespoke questionnaires in vast spreadsheets still abound. Pass/Fail is still paramount, but I want to see how you answered the exam questions you got wrong. Who knows, maybe you’ll get partial credit. Passing a driver’s exam is the state saying I did well enough but my guardians would likely be interested to know that I knocked over 5 cones trying to parallel park before I take off in their car. In short, we need to see the detail.
An Exchange that features dynamic vendor assessment data gives third parties the opportunity to provide updates in a continuous fashion and would replace this pass/fail approach with much needed detail. It would also alleviate the tedious process of filling in static spreadsheets every year. As for the upstream partner who requested the assessment, they would have visibility into their vendor’s status on remediation projects, upgraded security infrastructure or perhaps even insight into how their vendor’s kill chains will respond to a new threat.
If customers and vendors maintain true ongoing visibility, then the time-stamped method of annual assessments have finally become an activity of the past.
Gary W. Phipps
Senior Director of Solution Engineering