It’s Time To Think Differently About Third-Party Risk Management

by Liesl Geier

It seems that every week we hear about another data breach that impacts large numbers of people and carries even larger costs – from fines and remediation activities to reputation damage. Increasingly, those behind these breaches use a third party as the attack vector to compromise a company’s systems and exfiltrate data. It is also becoming more apparent that current methods for assessing the risk associated with third parties are not adequate.

The problem is that technology evolves at its own lightning-fast pace without concern for audit cycles or contract requirements. New attacks emerge, new vulnerabilities are discovered, and new security techniques are developed. More and more data is being collected and stored, and that storage is becoming more distributed across data centers, cloud providers, and other third parties. It is an increasingly global footprint to monitor. Keeping track of it all is a paramount challenge – one that cannot be overcome with a point-in-time view of a third party’s controls.


It’s time to rewrite the playbook

We need to move beyond point-in-time assessments or audits, highly tailored and limited-use questionnaires, and contract-driven third-party relationships. It’s time to enable companies and third parties to work together in a collaborative way to manage cyber risk. It’s time for third parties to manage their own risk and communicate those risks, gaps, mitigations, and changes in near-real-time to their customer base.

It’s time for customers and third parties to understand how changes in their operating environment, such as emerging and trending threats or the discovery of new vulnerabilities, affect their collective exposure in near-real-time, and to work together to minimize that risk as quickly as possible. We need to stop hiding our warts behind contracts and vague control implementation statements. We need to share as freely as possible to help each other grow more secure as we grow more connected.

We need cooperative continuous risk management

It’s critical to resist an us-vs-them narrative when it comes to security. This is not a game of winners and losers. If a breach occurs, both parties will be affected, even more so under upcoming regulations such as GDPR, when penalties will be steep. Security has become a collaborative process, with all parties sharing responsibility for protecting each other’s interests as well as their customers’ interests.

In the digital age, no single company can conceivably protect all of its assets in a vacuum. There must be trust between companies engaging in these partnerships to share their risk posture and gaps freely and frequently, develop a collective risk appetite, and prioritize mitigation activities that are beneficial for all.

We need to arm ourselves with actionable risk data

We must provide the technology that enables companies to collect, analyze, and share their security and risk information freely and continuously. While technology cannot replace the need for risk managers to make decisions about third-party engagements, mitigation activities, and priorities, it should help these practitioners understand what risks exist and how important they are to their own business operations.

With more data being shared among an unprecedented number of third parties, we must give these practitioners easy and transparent ways to digest and act on the most important risks.

We need to own our weaknesses and leverage our strengths

We must frame our decisions about reporting and sharing not as “how bad will this make us look?” but as “how can this help us become more secure?”, “how can we provide more trust to our collective customers?”, and “does my information support a common understanding of risk, with mitigations that can decrease risk for all?”. This runs counter to the existing narrative that companies need to operate behind a veil of secrecy, so we need to work to change it.

Where do we go from here?

The solution isn’t the undertaking of a single organization or industry. Implementing a new approach to third-party risk management will depend on the entire community of enterprises and third parties. It will require that companies be willing to continually update their security posture, monitor their threat environment, and manage their risk in a transparent way. With a strong community of supporters, the market (or attackers) will expose who is playing nicely and who has decided the status quo is sufficient.

Peter Prizio
Director of Product
