CISOs know that security risks abound. But objectively measuring risk and balancing it against the needs of the business is essential. Third-party risk provides a perfect case in point and spotlights one of the top challenges facing CISOs today.
Take the shift to cloud infrastructure as an example. It makes obvious business sense for your company to reduce its operational footprint and cut the cost of deploying, maintaining and supporting critical IT functions. Local or decentralized IT and line-of-business areas are now often able to procure SaaS solutions on their own, entirely bypassing the formal IT governance process. From a security perspective, this introduces a larger external footprint and leaves your organization exposed to inherent risks, and dependent on controls, that are hard to measure.
At the same time, the methods for assessing and mitigating vendor risk aren’t working. They don’t scale to meet the rapid growth in the volume of protected data, systems and vendors. And there is growing pressure from regulators, boards and institutional investors to shift to more frequent and comprehensive third-party risk monitoring.
Third Party Risk Realities
We all need to face a new reality. Assessing and mitigating risk associated with third parties can no longer be solved solely by manual effort. This combination of a larger external footprint and a need for scalable continuous monitoring means it’s just not possible to hire the volume of sufficiently trained people needed, or to pen test every one of your vendors. Spreadsheets and surveys simply don’t scale or provide sufficient objective information.
Certain elements of the scalability problem are being addressed by streamlining current methods, but these are just Band-Aids that don’t address the fundamental changes in the nature and scope of third-party risks.
With current spreadsheets and surveys:
- Do you know whether a third party’s performance improves or degrades over time?
- Do you have an aggregated view of how all your third parties together impact your overall security posture?
- Can you identify, and be alerted at the moment of, a material change in a third party’s attack surface?
We need smarter, more objective ways to manage this risk continuously and at scale.
The methods currently being employed to assess and mitigate third party risk are no longer working, for several reasons:
- Increased use of third party vendors pivots the decisions made by security practitioners from “what do we fix first?” to “who do we assess first and what is the appropriate level of assessment?”
- Time is an extremely limited resource. Having more insights into your risk enables you to decide what you can accept, so that you can prioritize your focus on what is most important.
- Throwing more people at the problem is not a fix; the problem isn’t the number of assessments being performed, it’s fundamentally about the tools and methods being employed to assess and prioritize risk.
There is a need for automation and continuity in information gathered for risk assessment.
Modern Monitoring and Mitigation
Not all vendors are equal when it comes to security practices and risk. Yet security practitioners treat most vendors the same until an issue is reported. Organizations need to establish a repeatable process to prioritize vendor risk and manage it appropriately, while still maintaining a common threshold of continuous risk monitoring. Then, automate risk monitoring to alert you when significant change occurs.
By analyzing trends, you can determine which vendors have earned a strong level of trust and which need to be watched more closely. And automation provides the measurement precision and direct evidence required to produce actionable results.
The answer to modernizing your third-party risk management is to implement a comprehensive risk program that blends attestation, assessments and automation, and that scales to continuously assess, measure and monitor your extended risk surface.