Enterprises entrust the protection of their crown jewels—their customer data, their reputation, their finances, and their business availability—with third parties. Are they trustworthy? Why? Why not? What should be done about it? These questions are yours to answer and execute on. A breach of your third-party is a breach of your enterprise.
Third-party risk management is hard. It requires deep transparency, strong accountability, and effective collaboration. Third-party risk has to achieve this position with hundreds and even thousands of organizations while being an outsider to every organization. Additionally, third-party risk has to solve this with limited personnel and resources. This need—to achieve really good risk outcomes from the outside with limited resources —will result in dramatic risk management innovation, key of which will be development of machine learning and artificial intelligence-based risk assessment capabilities. These inventions will occur within the context of third-party risk management and be adopted by enterprises for internal risk management. Necessity is the mother of invention, and the necessity is pressing in a big way.
The Greater Good
Third-party risk management is a process of holding enterprises accountable to good security practices. As you improve the security of your third parties you improve the security of the Internet. It decreases the likelihood of data being breached. It decreases the likelihood of systems being turned into DDOS drones or malware servers. It increases the likelihood that systems are going to be consistently available to fulfill their intended purposes. The work of third-party risk management is work for the greater good.
The Meltdown and Spectre vulnerabilities represent an entirely new class of security flaws that are deeply rooted in long-standing CPU architecture. As such, Meltdown and Spectre are likely the first of many issues that will have to be dealt with quickly as research in CPU security flaws intensifies. Tactically, it is important that you ensure your third-parties implement the necessary patches. Strategically, it is essential that you reassess your standards governing third-party use of cloud-hosting providers and implement measures to bring your third-parties into compliance with the updated standards.
In this document, we provide a brief explanation of the Meltdown and Spectre vulnerabilities and why they are so impactful, particularly to cloud computing. We also suggest a tactical plan for addressing the issue with your third-parties, and recommend strategic considerations for your larger third-party risk-governance program.
The U.S. Chamber of Commerce just issued “Principles for Fair and Accurate Security Ratings.” These ratings are the first-of-its-kind guidelines for an emerging class of solutions that provide objective assessments of third-party security practices. These solutions complement traditional third-party risk management data gathering processes of vendor security questionnaires, attestation document reviews, and on-site assessments.
We speak with many clients that already have some form of governance, risk management, and compliance (GRC) program in place to assist with managing their enterprise programs. And some have software solutions to help them manage the process. This is not surprising when the market for GRC solutions is expected to grow to $38 billion by 2021.
Most companies are seeking ways to obtain more value from their GRC system—often by extending their coverage to their third-party risk management programs. Using the new class of continuous vendor security monitoring solutions is one of the best ways to add immediate value to GRC. This pairing offers a number of benefits, such as speed to identify and manage risk, valuable insight for prioritization of response, visibility into an accurate and complete vendor IT footprint, and critical transparency of exposure and actionable information on inherited vulnerabilities.
Mitigating your third-party exposure to Apache Struts2 requires accurate, actionable data -- and fast. If you can apply automated techniques to rapidly identify which of your vendors are most likely exposed to the exploit, you can quickly prioritize your risk resources and engage constructively with impacted vendors.
More and more enterprises are increasing their budgets for threat intelligence in order to stay on top of the latest security risks. The dramatic increase in third party cyber security risk seems to make it another area where threat intelligence can be applied. But is threat intelligence actually a good fit for your third-party risk management program?
One of the most common questions we’re asked is how to incorporate continuous monitoring into a third-party risk management program. In part one of this two-part blog, we discussed beginning with the end state in mind to establish goals for your continuous monitoring program and suggested you jumpstart your program with a pilot. So once the pilot is complete, now what?
Like many organizations today, you have existing processes, tools and people laser-focused on analyzing periodic vendor security questionnaires, documentation, and on-site reviews. Moving to a continuous monitoring program can be daunting. Our advice: Don’t focus on where to start…think about where you want to end up. Begin with the end state in mind.
CISOs know that security risks abound. But objectively measuring risk and balancing it against the needs of the business is essential. Third-party risk provides a perfect case in point and spotlights one of the top challenges facing CISOs today.
Take the shift to cloud infrastructure as an example. It makes obvious business sense to allow your company to reduce its operational footprint to reduce costs to deploy, maintain and support critical IT functions. Local or decentralized IT and line of business areas are now often able to procure SaaS solutions on their own, entirely bypassing the formal IT governance process. From a security perspective, this introduces a larger external footprint and leaves your organization exposed to hard-to-measure inherent risks and controls.
In the second part of this two-part blog series, we look at the reality of your risk processes.
The complex, extensive vendor ecosystems in today’s enterprises have impacted the effectiveness of risk control processes. Local or otherwise decentralized IT and business functions procure SaaS solutions on their own, entirely bypassing the formal IT governance process. Paper-based risk control processes were developed for a time when your vendor population was much smaller, data storage was mostly on premise, and third parties were only a small piece of your security programs. Today, risk control processes must be adapted to new risk realities.