Are You Really Managing Third-Party Risk?

by Fred Kneip

Risk management, in general, can be described in a five-step process.  As a risk practitioner, you’ve likely taken your “critical” third parties through most of these steps, but less likely the rest of your population, which is probably where less mature security practices are in place and thus greater risk to you may exist.  The CyberGRX platform helps you bring the rest of your ecosystem through the risk management lifecycle.

Since we began CyberGRX in 2015, we have had the opportunity to speak with hundreds of CISOs, CSOs, CROs, and Procurement leads.  Risk practitioners almost universally recognize third-party exposure as one of the most important cyber risks they face.  In 2017, Ponemon calculated that 56% of reported breaches involve a third party.  But what has surprised us, is that the reaction to the current situation is not commensurate with the recognized exposure.  Simply put, a large proportion of companies today are not effectively managing third-party risk, and are only slowly beginning to address the issue.

Related: The ONE Thing All Modern Third-Party Cyber Risk Management Programs Do

The risk management lifecycle for third parties has five components:

1. Inherent risk prioritization – using a risk-based approach to determine which companies to focus your efforts on.
2. Gap or risk identification – what controls or processes are missing.
3. Residual risk prioritization – a risk-based model to determine which gaps are most meaningful.
4. Risk mitigation or gap closure – communication with the company to either close the gaps or build compensating controls within your own environment
5. Ongoing monitoring – frequently revisiting the status of the company to understand changes

Many of the companies we have spoken with are doing one or two of these steps, but rarely have we seen companies covering all five, and almost never beyond a small portion of “critical” third parties.

What does this mean?  It means we will continue to see companies impacted by cybersecurity issues via their third parties.  Unfortunately, these companies will also be the ones who bear the majority of the impact.  Very few can name the HVAC company that led to the infamous Target breach, but nearly everyone is aware Target suffered a breach.  Target lost hundreds of millions of dollars as a result of that breach, countless multiples of the size of the HVAC provider.

The question risk practitioners should be asking themselves is “do I think my program is really managing risk?  And if not, why not?”  Similar to thinking “I feel healthy” and delaying regular doctor visits until you have a more serious problem; if you cannot confidently answer yes, you could be missing proactive, relatively easy, actions to take today that could prevent disastrous consequences in the future.

Below are a few of the reasons we have heard from companies for why they have not prioritized building out their third-party risk management program:

Related: Top Third-Paty Data Breaches of 2018

Too many competing security priorities

The five-step risk management approach above can be applied to the whole security program as well.  Have you adequately looked at the risks your company faces and the roadmap to close them?  Third party management may or may not be near the top of the list.  If you have gone through a comprehensive scoring and weighting of the relative exposures, this might be a good reason to hold off – there are other things that are more important, and resources are not unlimited.  But if it is a gut feeling, or lack of engagement – like the medical example above – then the decision is worth revisiting.

Compliance checklist mindset

Jim Routh, the CSO of Aetna, is often quoted as saying “Compliance does not equal security resiliency.”  He is correct.  Jim continues,

Compliance gives enterprises comfort mapping to standards.  Resilience requires controls that adjust to changes in threat actor tactics.  The gap between compliance and resiliency for an enterprise is growing.  Third party governance practices were established for compliance.  The evolution to resiliency requires adjusting controls for third parties, accelerated by the move to cloud services.

A program designed to address regulatory standards and not based on identifying and managing the changing risk a specific third party poses is really just a checklist exercise.  And regulators are pushing more and more to see the efficacy of programs, not just the existence.  One former regulator told me “when companies tell us they have a robust third-party cyber risk program in place, our first question is to ask them to show us the companies they have excluded or stopped working with as a result of their program.  9 times out of 10, they cannot adequately answer.

Reliance on incomplete or inaccurate information

There are countless models and products that claim to provide a company with a quick score or evaluation of their vendors.  However, these are only partial views into the security profile of a company – what you can see from the outside – and they provide a generic review – not taking into account how a vendor is being used or what kind of access to your business they might have.

I can tell you a restaurant has great service, but if it is a seafood restaurant that has health code violations and you are looking for a burger and not wanting to get sick, then my review doesn’t really help.  These tools are an important part of a comprehensive program, combined with direct company information, but are not sufficient on their own. In fact, they can create a false sense of comfort for some companies.

Satisfied with partial coverage

Most of the companies we have spoken with have some type of inherent risk process used to identify key third parties.  But very few have a program that applies all the way down the stack, with varying levels of evaluation based on the inherent risk.  Most often, the situation is a limited number of companies reviewed due to resource or capital constraints.  A company will believe they should be doing 100 reviews, but are only doing 50.  The greatest risk to the company often lies in the companies just outside that range, such as #51-60.

They are higher up on the risk ranking but didn’t make the resource cut.  A program needs to scale to cover all companies identified through the inherent risk process.  The vast majority of third-party related breaches do not come from one of the top suppliers, but one of the smaller ones that had equivalent data access but less mature security programs.

The good news is, it doesn’t have to be difficult and each of these problems can be overcome.  CyberGRX was designed to help companies effectively manage their third-party cyber risk.  To take their portfolio through the five steps above and to scale easily and cost-effectively to cover their entire ecosystem, and to constantly update the information to ensure currency and accuracy.  Most importantly, it was designed to inform a risk-based mindset – providing information and prioritization that allows practitioners to quickly assess the exposure from a company or an entire portfolio.  Learn more about our solution here.

FRED KNEIP
CHIEF EXECUTIVE OFFICER, CYBERGRX