Third-Party Cyber Risk Management — You’re Probably Doing It All Wrong!

I can hear the clamoring now!

“Wait a minute…We perform annual assessments of all of our critical and required third-parties!”

Hey, at least you’re doing it, that should count for something, right? Maybe. You might be doing more harm than good by providing your executives with a false sense of security.

 

Let’s dig a bit deeper to find out why.

Taking the traditional approach to third-party risk management, you might send out a spreadsheet of questions to your third-parties asking them if they have some set of controls in place. Conversely you might accept one of the industry standard options such as a SOC-2 or the even more rigorous SIG, arguing if they can pass an audit, they should provide a reasonable level of security. What’s the problem you ask?

  1. Custom questionnaires can be effective if your question set is adequate for the risks present in the specific third-party’s operating environment, but they often only cover a subset of controls deemed important at the time the questionnaire was drafted. They are usually not broad enough for an entire third-party ecosystem.
  2. Custom questionnaires place reporting burden on your third-parties and place interpretation, aggregation, analysis, and action burden on yourself.
  3. Industry standard questionnaires are designed as point-in-time compliance checks and are often lagging against the current threat landscape and tend to be overly prescriptive compliance-based efforts.
  4. None enable easy analysis for making risk-based decisions across your entire third-party ecosystem.
  5. These take time and money! Lots of it!

It’s possible the biggest problem is every company is doing this for themselves, in different ways, with different goals. There is no attempt to leverage crowd-sourced activities to reduce cost and resource burdens and increase security as a whole. There is no attempt to leverage the market as a lever to decrease risk for all customers, third-parties, and consumers. Perhaps most importantly, since resources are being expended, executives believe they are minimizing their exposure to third-party risk sufficiently enough to not be the next headline!

But hey, we’re doing what we’re supposed to…right?

 

It’s time to get real about third-party risk management and stop playing the compliance game. 

Third-party risk is YOUR risk! There is no denying if one of your third-parties is used to attack your network, you will not be able to turn to your shareholders or customers and pretend it wasn’t your fault. So, take ownership of this risk.

The steps for managing third-party risk start no differently from any other risk management activity, however, there is additional nuance since the risk is shared and elaborated by your relationship to your third parties.

  1. Plan — Identify your third-parties, understand their operating environments and threats to determine likelihood of an attack, understand the potential impact to your business in the event of a breach, and prioritize your third-parties based on the risk they expose to you.
  2. Assess — Conduct an assessment to determine how well they have implemented controls and the maturity of their security organization.
  3. Mitigate — Prioritize findings from your assessments across all of your third-parties, determine a mitigation strategy for each, and develop a plan of action.
  4. Monitor — Continuously review your third-parties’ threat environments, continuously review your third-parties’ controls implementation, track organizational or ownership changes to your third-parties’, track breach notifications, and follow progress against mitigation activities.

The mechanics of managing third-party risk are not the hard part. What is hard is understanding your risk and taking action to mitigate as much as practical. This is where a tool like CyberGRX can help.

  • Using a tool to automatically correlate a third-party’s industry with real-time threat activity, common attack scenarios, scanning, and your relationship to that specific third-party provides a data-driven approach to prioritization. By eliminating a qualitative approach, you can quickly determine which third-parties pose the greatest risk and prioritize assessments in both order of precedence and depth of controls in a standardized way.
  • Leveraging a risk-assessment-as-a-service reduces the resources required to request, negotiate, track, and receive one-off assessments. This activity is now reduced to using a simple online order form and ordering assessments based on your prioritized list.
  • Leveraging a standardized assessment based on a broad and relevant common controls framework reduces assessment burden and burnout. The assessment questionnaire is the same for every third-party, every customer, and every industry. This allows the results to be shared without requiring tailoring for each individual customer/third-party pair and allows benchmarking across a number of different datasets.
  • Using risk-aware analytics to tie the plan and assess steps together bubbles up the most pressing issues for a customer/third-party relationship. Taking this output can enable quick prioritization of the entire ecosystem of third-party risk and can be used to open communication and collaboration between companies to increase their collective security posture.
  • Using an assessment platform allows companies to edit and update their assessment responses whenever they need with changes shared in real time with their customers.
  • Leveraging the data feeds in the platform, companies can track trends in threat activity in the relevant industries to themselves and their third-party ecosystem.

Arguably, the largest benefit of faster, cheaper, more comparable third-party risk assessments is the ability to leverage the economic market to increase the security posture of entire industry segments. Commoditizing the data in such a way enables companies to easily assess and compare results of many more companies than they were capable of in the past. They can make more informed decisions to maintain a relationship with a third-party or seek out more secure companies based on their own individual risk tolerance.

Move beyond compliance and take control of your third-party risk management.

 

PETER PRIZIO

DIRECTOR OF PRODUCT

 

Leave a Reply