How to Conduct Third-Party Due Diligence

December 2022

Identifying and engaging with the right partners is essential to the success of most businesses. However, along with the benefits, every third party also can bring challenges and introduce new risks.

Before onboarding a new third party to your vendor ecosystem, there are many factors to consider: the product, the technology, the integration with your systems, and, of course, the inherent risk of the new vendor. Security assessments and risk management should be core components of third-party due diligence and the onboarding process.

Regulatory Compliance Is Just a Baseline

Many organizations are subject to regulatory compliance responsibilities, and third-party partnerships can impact your ability to maintain compliance. If data entrusted to your organization is protected by regulations, it must be appropriately managed and secured regardless of where it is processed or stored.

However, a security and due diligence policy built around regulatory compliance is not enough to manage cybersecurity risk. Some ways that compliance-focused security falls short include:

  • Minimum Standards: Regulatory requirements describe the minimum security precautions that an organization must take to avoid negligence and legal liability. Protecting against real cyber risk requires additional defenses beyond those specified by regulations.
  • Outdated Requirements: The cybersecurity threat landscape changes rapidly, while regulations update more slowly. Regulations often lag behind the state of the art in cyberattacks.
  • One Size Fits All Recommendations: Cybersecurity regulations apply to all covered entities, which can include a wide range of organizations. Policies and controls that work for one organization may leave significant security gaps for another.
  • Result Focus: Cybersecurity regulations often are designed to describe the desired result, not to describe an effective and scalable security architecture. A security architecture built to meet these requirements will be cobbled together, not integrated and effective.

Regulatory compliance should be a starting point for a cybersecurity program, not the final objective. As the cyber threat landscape and your corporate risk evolve, so should your risk management strategy. This includes considering the risks posed by new products, employees, initiatives, and vendors. All of these risks need to be evaluated and incorporated into your corporate risk management strategy.

How to Conduct a Security Assessment on Third-Party Providers

Evaluating the risks posed by a third party without a formal security assessment is difficult. Many different factors impact third-party cybersecurity risk, including the people, products, technology, and processes that they have in place to properly secure both themselves and the sensitive data and access that you will share as part of your collaboration. Performing a risk analysis before onboarding is essential to evaluating risk and developing strategies and contractual terms for managing it.

A preliminary security assessment or questionnaire is a great starting point for third-party due diligence. For example, asking the 12+ questions included in the recent White House memorandum on cybersecurity might be enough in some cases. In others, you might need extremely detailed answers to a much longer list of questions.

In your third-party due diligence, consider both the risk posed by a supplier of an important service to your organization and the risk posed by your cloud service provider. A cyberattack against an important supplier could cause disruptions to your operations. However, a cybersecurity incident at your cloud service provider can cause operational disruptions and pose the risk that sensitive data (customer data, intellectual property, etc.) may be exposed to cybercriminals. Understanding your specific relationship with the third party and the risk exposure that exists due to this relationship is essential to determining your overall risk posture.

A Point-in-Time Security Assessment Is Just a Starting Point

A cybersecurity questionnaire or security assessment provides a useful snapshot of the risks associated with that party, but things change. In addition to having the right answers today, a third-party partner also needs to have the people, solutions, processes, and security mindset required to address unforeseen issues in the future. Some key steps to ensure ongoing security beyond that initial security assessment include:

  • Contractual Obligations: A vendor may pass a security review during onboarding, but security programs and standards can slip. Your contract should include commitments and service level agreements (SLAs) that ensure that a vendor maintains security standards for the life of the agreement.
  • Continuous Monitoring: Security threats are constantly evolving, and continuous monitoring is essential to keep abreast of the changes. A shared responsibility for continuous monitoring should be one of the requirements included in the contract.
  • Compliance Management: Your organization should be compliant with regulations and be ready to face an audit at any time, not just at renewal time. These obligations should be understood by vendors as well, and contracts should include language regarding regulatory compliance and the right to audit.
  • Data Use Restrictions: Many regulations, such as the General Data Protection Regulation (GDPR), place limits on the collection, use, and distribution of data subjects’ personal data. Compliance with these requirements should be maintained both internally and externally via internal processes and contractual terms with third-party providers.

Defining the right contractual terms is important, but it’s just a starting point. You should never rely on your third-party providers to ensure your security and regulatory compliance. Ongoing monitoring and regular audits can help to identify and respond to potential issues.

The Shared Security Model

One of the biggest contributors to third-party cybersecurity risk is the belief that security is the other person’s problem. This is especially prevalent in the cloud when organizations move their data to a cloud service provider (AWS, Azure, GCP, etc.) and believe that their security is handled.

This misconception is the cause of the vast majority of security incidents. The major cloud providers have robust security and do a great job of fulfilling their security responsibilities. However, they are not fully responsible for security in the cloud. Cloud customers have security responsibilities as well, and client failures and security gaps are the cause of most cloud security incidents.

Using a trusted third-party provider does not mean you can abdicate responsibility for the security of your data and systems. Cloud security providers lay out the breakdown of responsibilities clearly in their shared responsibility models, but the same concept applies to any scenario where your organization is placing trust in a third party.

You’re responsible for your own security and for ensuring that third parties meet their security obligations. Trust, but verify.

The Future of Third-Party Risk Management

Third-party risk management (TPRM) is only going to grow more complicated. Additional third-party software and networks, cloud migration, digital transformation, and other changes are all in our future.

As corporate networks and relationships grow and evolve, so do risk management responsibilities. TPRM is already too large to manage manually, especially with the cybersecurity skills shortage. As responsibilities grow and evolve, human capital will not be able to scale to keep up.

Automation is crucial to keep on top of our security risk management responsibilities. Ensuring that you have the visibility, resources, and controls that you need to manage your third-party risk requires:

  • Threat Intelligence: Many companies are facing the same cybersecurity challenges and struggles, and no organization has the resources required to reinvent the wheel. Anonymized information — such as cyber risk intelligence based on completed assessments and other metrics — provided by other organizations can provide vital insights into cyber threats and how to manage them. Crowdsourcing risk management intelligence helps all of us.
  • Always-On Risk Management Mindset: Third-party risk is constantly evolving, and periodic security assessments and reviews are not enough to keep up. Effectively managing vulnerabilities at scale requires a mindset that constantly analyzes risk and its impacts and costs to the business.
  • Executive Buy-In: It’s becoming increasingly critical that security leaders have a seat at the table. A failure to properly manage TPRM endangers the success of the business. Security leaders need a clear understanding of the business’s goals and their impact on security. Conversely, business leaders benefit from understanding the organization’s security challenges. Bringing security into the C-suite can help to achieve both goals.
  • Collaboration is Key: No organization has a security team with the scale and resources required to protect the organization against all security threats. Effective, scalable risk management requires a culture of collaboration, where all parts of the organization work to protect the security of the business and its data.

Managing Third-Party Risk at Scale with CyberGRX

A security assessment alone isn’t enough. Leveraging real-world threat intelligence, data analytics, and insight into real-world attack scenarios, CyberGRX can help you with your third-party due diligence by enabling you to pinpoint, measure, and prioritize your third-party risks. Using cyber risk intelligence, your organization can strategically develop and implement a security and risk management program that protects you and your third-party partners.

With digital transformation, cloud adoption, and growing third-party relationships, managing your company’s cybersecurity risk will only grow more complex. Learn how CyberGRX can help your third-party risk management program scale by booking a free demo today!

About Us

ProcessUnity is a leading provider of cloud-based applications for risk and compliance management. The company’s software as a service (SaaS) platform gives organizations the control to assess, measure, and mitigate risk and to ensure the optimal performance of key business processes. ProcessUnity’s flagship solution, ProcessUnity Vendor Risk Management, protects companies and their brands by reducing risks from third-party vendors and suppliers. ProcessUnity helps customers effectively and efficiently assess and monitor both new and existing vendors – from initial due diligence and onboarding through termination. Headquartered outside of Boston, Massachusetts, ProcessUnity is used by the world’s leading financial service firms and commercial enterprises. For more information, visit www.processunity.com.