What Classic Rock Teaches Us About Third-Party Cyber Risk Management
It’s well documented that music generates an emotional response for most people. And there’s actual science behind the phenomenon, too.
When your favorite song is played, different parts of your brain light up, enabling the left and right hemispheres to communicate to process complex thoughts and assist in making better decisions. Additionally, the primal properties of music serve as an act of self-care, helping to alleviate anxiety and depression. For CISOs who are solving the hardest challenges in our business environment and feeling the stress of it all, the effects of music are good news.
Evaluating third-party cyber risk has traditionally consisted of sharing a spreadsheet of questions to understand the risks a vendor may introduce into an organization’s ecosystem. Third-party security risk assessments are, in theory, designed to help organizations identify risk. And certainly, these tools are a piece of the third-party cyber risk management (TPCRM) puzzle, but if you’re relying solely on assessment data to manage your risk, you might be fooled into thinking that you’re safer than you really are.
As we talk about the assessment process, keep in mind the questionnaires sent out are a self-proclamation by a vendor of the security measures they are taking. Though no vendor intentionally misrepresents information, given the number of unique questionnaires they are asked to complete, errors and oversights can happen, not to mention security practices and processes evolve and change. It comes as no surprise that a report by RiskRecon and Cyentia Institute reveals only 14% of security practitioners are confident that a vendor’s security measures match their assessment responses.
Assessments are also a snapshot (AKA a freeze frame) of an organization’s security posture at a specific moment in time. And in this case, time is not your side. What if the third-party experienced an incident after the assessment was submitted– maybe even yesterday? Unless you’re routinely updating your vendor assessments, (which isn’t very practical) you don’t really have a good view of their risk posture or where third parties may be introducing new vulnerabilities to you.
Is your third party regularly updating security protocols?
Or with the rapid shift to digital environments, do they have misconfigured cloud-based assets or applications?
What about unpatched servers and software?
And the list of uncertainties goes on and on, not to mention it has the potential to spiral out of control as an organization adds more third parties.
Crank up the Volume
The adoption of third parties has rapidly increased and for good reason. The conveniences and efficiencies offered by third-party solutions enable organizations to increase innovation, deliver product or services at a faster rate, and scale effectively. But organizational dependencies on third parties have different ramifications for security teams.
Considering that the average enterprise has 5,800 third partiesand E&Y data reports only 8% are being assessed, the influx of third parties equates to a lot of incoming data, not to mention risk. In a study by Forrester, 82% of respondents acknowledge third-party threats present the most significant risk exposure. But even though many organizations recognize the hazards posed by third parties and are sending out questionnaires, security teams still struggle to take appropriate action to mitigate their risk. In other words, they spend more time gathering the data than taking action on the information received– they pay lip service to “third-party risk” but do little to take corrective measures. Don’t let this be you.
Assessments were our industry’s first step towards managing third-party risk, but they must continue to evolve to keep pace with business today. Traditional assessments– just by the nature of the process– add inordinate volumes of work and don’t provide sufficient assurance of a vendor’s risk posture. If you’re relying on assessments as the sole means of evaluating a vendor, should an incident occur, you might be singing along with The Who, “I’ll get on my knees and pray, we don’t get fooled again.” (No no.)
For the record, we’re not anti-assessment. While assessments play a part in third-party cyber risk management, they’re just that– one piece. Assessment data must be combined with other types of intelligence, such as threat intelligence, predictive risk profiles, and real-life attack scenarios, to give you a more accurate risk picture and the TPCRM program confidence you seek. Aggregating all the information will help you see more clearly (now)-- and it starts with standardized assessment data.
Whereas bespoke assessments create more work, standardized questionnaires help both vendors and customers to share information more quickly and readily, as it’s a unified means of collecting and presenting data. Think of it this way; if you were looking at a chart comparing top hits by band and they were all listed in various formats (0.75, 68%, 3/16, etc.), you would have difficulty comparing these data points. However, if all the data is in percentages (80%, 67%, 92%, etc.), you could easily identify which band is the most popular.
Standardized data in the risk assessment process works the same way. All data collected from assessments is in the same format so that you can understand which third parties are high risk and require prioritized mitigation. Standardized data makes it easier to analyze and derive conclusions– and is a key component of CyberGRX’s Exchange.
Imagine there’s no assessment chasing or hounding vendors to complete your questionnaire; rather, assessment data already exists on the Exchange for immediate viewing. And third parties benefit too, as the assessment needs to be completed only once, can be shared with other interested parties, and customers can see what additional security measures might be needed to work with a particular vendor. A win-win for both players– and the added visibility enables you to leverage cyber risk intelligence.
Cyber Risk Intelligence
We don’t need to tell you that threat actors are getting smarter and more aggressive. A quick scan of industry news includes headlines about a new breach almost daily. Cyber risk intelligence gives you advanced insights, as it’s not only the collection of data, but pulling all the pieces together– the threat intelligence, the predictive analytics, the attack scenarios– so you can analyze them and take action on the information. Cyber risk intelligence shines a light on all facets of your portfolio and areas of vulnerability. Or to state another way, Cyber risk intelligence helps you to see more clearly and identify potential risks, before they become incidents.
It’s common practice to assess a vendor when onboarding, but how often should you assess once that third party is part of your ecosystem?
Often, updating a vendor assessment is based on qualitative data– driven by a feeling or hunch– maybe by spend or some other criteria that’s not related to the inherent risk they pose. Keep in mind your security posture relies on the security practices of your third parties– your strategy for when to re-evaluate a vendor is important.
A much more sound approach is to categorize your third-parties. Not all third parties pose the same risk– each of your vendors has a different level of risk based on how they’re integrated within your organization.
The first step is to identify which of your third parties pose the greatest threats, then rank them to determine what level of follow-up is needed. A Ponemon study commissioned by CyberGRX showed that while the majority of organizations do apply a higher level of due diligence to a select group of third parties, 44% of organizations still apply the same level of due diligence across the board. The “one size fits all” approach to vendor due diligence is neither practical nor necessary. You need more than a feeling and you also need a more focused strategy to effectively manage your risk.
Within a third-party cyber risk management (TPCRM) framework, identify your inherent risk by understanding how you work with each of your third parties to determine what, if any, access they have to your networks, systems, data, technology, and so on. By determining their level of access, you can identify the impact a potential breach of their systems would have on your organization.
Once you define inherent risk, you can effectively risk-rank a large population of third parties and apply an appropriate level of due diligence to them. You may determine that third parties with low inherent risk do not require any further due diligence, whereas your medium-risk third parties do, and your highest-risk third parties receive the most stringent review processes. Getting a good read on inherent risk will also inform the later stages of your TPCRM strategy, such as your due diligence and mitigation stages. During the due diligence (assessment) stage, you should identify if your third parties have the right security controls in place to mitigate their inherent risk. If gaps exist, you can prioritize control gaps as they relate to inherent risk and threat levels.
With a risk management platform like CyberGRX, you can also continuously monitor your third parties. Automated scans alert you of a shift in a vendor’s risk profile that may affect you. Continuous monitoring can thus help prevent costly business disruptions. Whether you re-assess or not is based on data— much more reliable than a feeling.
The rise in cyberthreats have been hard on cybersecurity teams– stress is at an all time high and professional burnout is real. But security practitioners, don’t stop believin’– there is a better way to manage your third-party cyber risk. In fact, we’d like to show you how. Book a demo, we’ll upload your list of third parties into our Exchange, and we’ll show you your risk blindspots in real time.
We also have additional content you may find helpful on the TPCRM topic:
In summary, our goal is for security teams to rock on with confidence. As you build your third-party cyber risk management program, don’t get fooled by relying solely on assessment responses. Standardized assessments combined with other resources will help you see more clearly into the third parties who need more attention, and cyber risk intelligence shines a spotlight on your vulnerabilities. Finally, when it comes to re-evaluating vendors, data-driven decisions are always more effective than a feeling or hunch.
It is possible to beat the bad actors – don’t stop believin’!
Join 10,000+ risk professionals who subscribe to the CyberGRX Newsletter