Managing Cyber Risk Amidst a Growing Third-Party Ecosystem
As the world becomes more interconnected, businesses increasingly rely on third-party vendors to provide essential products and services. While this can be beneficial in terms of cost savings and efficiency, it also comes with inherent risks. With the average organization having thousands of third parties, managing the cyber risks of your growing ecosystem has become more challenging than ever before; it’s what we call the “TPRM dilemma.” Simply stated, it refers to the challenge of increasing third-party adoption versus the limited resources available to effectively evaluate the risks those third parties pose to your organization.
According to a survey conducted during a previous webcast, 67% of the participants encountered difficulties related to staff resources and capacity while implementing a third-party risk management (TPRM) program. We dove into the intricacies of managing cyber risk and some possible solutions with Lane Sullivan, SVP and Chief Information Security Officer at Magellan Health; Tim Cleary, Head of Security Risk and Counsel at Bridgewater Associates, LP; and CyberGRX CMO Peter Finter.
Compliance vs. Risk-Focused Programs
Meeting compliance regulations is vital for businesses handling customer data; ignoring them can lead to substantial financial consequences, legal liabilities, and damage to a company's reputation.
However, complying with these regulations is easier said than done. As Sullivan explains, “every business has its compliance regulations that it has to abide by.” Businesses often have to accommodate those as they design their TPRM program. For companies like Magellan Health, this involves staying within the boundaries of regulations imposed by state and government agencies. As Sullivan puts it, compliance can be complex because “some states have their own frameworks, and they’re unique.” When asked if he structures his TPRM program around compliance or managing cyber risks, he answered similarly to most of our listeners, “We manage both.”
Managing Cyber Risk and Compliance Requirements
Forming a comprehensive TPRM program for your vendor network using all the applicable regulations can save time and energy. Sullivan describes the strategy this way: “My recommendation would be to rationalize all of the requirements your third parties have to abide by into a single list. This way, you can cover all of them using one list and a central set of policies.”
Tim Cleary echoed Mr. Sullivan’s sentiments. “We’re subject to a lot of compliance regulations. Having a single source of truth that tells you where you are across all of them is helpful," said Cleary.
Designing your TPRM program begins with taking stock of your most essential and vulnerable digital assets. “Start with the assets and processes that are most important to you, and then work your way forward," said Cleary. "This really does help.”
“Take the time to write down what matters," he said. "It could be simple, such as data, processes, and access rights. Write it down; you want something understandable—both to you and the people who may do this job after you.”
A document outlining how you manage your cyber risk becomes an effective asset because it makes it easier to understand the motivations driving your strategy. “This way, you have logic you can point to,” Cleary explained, “that tells you why you chose to do the things that you do to protect your organization.”
Use a Team-based Approach for Managing Cyber Risk
Given the changing nature of cyber risk management, security personnel must collaborate and adapt their approach. Third-party risk management involves more than just performing a risk assessment of vendors; it’s a team activity involving your IT manager, vendor management, a security operations center (SOC), etc., to maximize success.
Hold Up Your End of the Bargain
TPRM is also more than pulling information from third parties and holding them accountable; accountability goes both ways. Once you’ve decided how to vet third parties, you must follow through on your strategy.
“You should ask: ‘Are we pushing the requirements on our vendors?’” Sullivan asked. “That way, you know you’re living up to your set standards.”
Balance Your Approach With Reasonableness
Realize time is your most precious resource. As such, it’s impossible to accomplish all of your goals perfectly. As Cleary describes it, you need to recognize that you won’t be able to do whatever you want. That applies to both mitigation and your general approach to managing cyber risk. Sometimes, this may involve tempering expectations with a dose of reality.
“You have to be comfortable with the idea of ‘I just can’t have that,’” he said. “You have to focus on what actually matters.”
TPRM in Light of the Silicon Valley Bank Failure
In the wake of the Silicon Valley Bank (SVB) collapse, the risk landscape and how you manage it have evolved into a different beast. Because SVB served many start-ups and tech-centric companies, and access to capital is now limited, the collapse may affect how these companies manage their cybersecurity. Will their program funds be reduced as they shift dollars to other areas of the business? Even if a company was well-equipped to defend against a cyber attack a year ago, you can’t assume it has the same controls in place now. You may need to double down on your due diligence to avoid the risks associated with sudden events, such as the recent bank closures. We polled our listeners, and the results revealed uncertainty about their next steps.
According to Cleary, companies must ask themselves: “What due diligence am I doing when it comes to a third party?” Then, regardless of the answer, the next step is to take action. In this way, Cleary said, your due diligence “translates into something practical.” Use real-world incidents, such as Silicon Valley Bank, as case studies and warnings to promote teachable moments in your company.
Sullivan emphasized the need for control implementation when evaluating vendors. “When we look at those vendors, how do we implement controls according to the size and impact of their security posture, based on what happened to those banks?” said Sullivan. He also highlighted the need for introspection, asking questions like, “Do we need to implement mitigating controls?”
Establish a Shared Vision and Holistic Risk View
When asked how to manage portfolio visibility and the importance of seeing the risks within your entire ecosystem, Sullivan suggested creating a holistic view of risk to be driven by each team. He shared, “The biggest headway isn’t just when you sign a contract but managing that portfolio and understanding what new risks have developed.” For example, if a ransomware incident occurs, are you detecting it quickly enough to react to it? And do you have processes in place for incident response?
Overall, how you manage your cyber risks speaks to the maturity of your program, the size of your organization, and where you assign resources. “TPRM is no longer just a GRC team issue anymore; for us, it’s become GPRC - Governance, Privacy, Risk, and Compliance,” Sullivan continued. “As we talk about data privacy, it’s a fundamental aspect of your governance program, which supports success in your TPRM program, too.”
Cleary agreed, citing, “It’s a data problem. You won’t have all the information all the time; focus on the intended use of the data. Will you use it in your planning to identify your risks? Or will you use it to understand the blast radius of something happening externally? But overall, don’t try to boil the ocean: managing your cyber risk and keeping data current is a lot of work, so make sure the data is tied to a specific use case,” he advised.
So how do you manage your cyber risk with a growing third-party portfolio? Sullivan suggested focusing on what your business is driving toward and building that into your security recommendations and TPRM program. “Create visibility into what it takes and where the gaps are. Ultimately, it comes down to what your business does, whether you have the right process and controls, and whether you are staffed appropriately,” he said.
Cleary agreed, stating that managing cyber risk is a shared mission. “Make TPRM a shared mission with the business. Nobody does security for security’s sake; we’re securing and enabling the business. And the business should share the burden and be in it with you; that’s the key to managing your cyber risk and TPRM success.”
Want to learn more about how CyberGRX can support you and your TPRM program success? Book a demo now.