Continuous monitoring is a valuable tool for organizations seeking to improve their cyber third-party risk management programs. Adding an ongoing view of the biggest vulnerabilities that vendors expose to the internet can help enterprises regularly validate the answers they’ve historically taken on faith from annual security questionnaires. More importantly, enterprises can start to institute proactive governance practices based on empirical, continuous evidence of risk.
As a result, it’s possible to move from a manual, one-size-fits-all vendor risk process to one that is scalable and risk-adjusted.
If your organization wants more risk visibility than questionnaires offer but cannot scale coverage through on-site reviews, continuous monitoring offers a clear path to better results. Moving from a questionnaire-based approach to a program backed by continuous monitoring, however, takes planning and finesse. Here is what it takes to incorporate continuous monitoring into the mix.
Step 1. SET YOUR POLICIES
Before your organization sets up its continuous monitoring mechanisms, it should think critically about which third-party risks it most wants to quantify. Identifying the risk levers that expose the business to the largest or most likely losses gives you a framework for deciding what the monitoring should measure.
As your team examines the most relevant areas of risk, it should sort them into buckets based on both vulnerability severity and the associated threat to the business. These categories then feed the governance policies that monitoring will support. The policies determine which remediation steps are required based on the type of vendor or supplier, the system in question, and the kind of security finding uncovered.
For example, a critical vulnerability in a connected system run by a financial services vendor calls for a different set of remediation actions and timeframes than a medium-severity finding on an unconnected web server run by a parts supplier. Establishing clear policies up front ensures that monitoring can be tuned to alert on what matters and route mitigation work to the right people.
Every organization is different, but the people at the table during these policy discussions should include the chief security officer, the chief risk officer, legal, cyber third-party risk managers, and vendor risk management personnel. As they set policies, this team should keep in mind the regulatory requirements the business is subject to, so that the policies align with them.
Step 2. MAP INTERNAL STANDARDS AGAINST OBJECTIVE DATA
Once you have set the policy goals, it is time to survey the governance mechanisms already in place for relevant vendors and work out where the organization can bolster them with objective data.
Many organizations already use security questionnaires to assess vendors. This is the opportunity to take the existing questions and the standards the policies define, and map them against the empirical information continuous monitoring can collect, so that each vendor's risk is understood more fully and more promptly than an annual questionnaire allows.
The mapping process should determine:
- which vendors and suppliers should be covered by monitoring,
- what data should be collected,
- which findings trigger further investigation, and how a finding is validated (for example, confirming the affected asset really belongs to the vendor) before the vendor is contacted,
- what the remediation actions look like, and
- the cadence at which data should be analyzed (daily, weekly, monthly).
Step 3. DO A PILOT
Take baby steps first. Rather than rolling out continuous monitoring across all vendors at once, consider starting with a pilot. Observe a select group of vendors for one or two business quarters. The pilot group can be chosen by the business function it supports or simply by expedience; often the easiest choice is a set of vendors already scheduled for their annual assessment during the pilot period, since the monitoring data can be compared directly against their questionnaire answers.
The pilot is a good opportunity to train risk management analysts on how the risk scoring data works and to let them develop new workflows for engaging with vendors. Management can track measures such as analyst productivity, remediation effectiveness, and feedback from third parties, and use them to tweak policies and monitoring coverage to match the realities of the business.
In addition to learning through trial and error, the pilot stage should be a time for building up evangelism for continuous monitoring—both internally and among vendors. Monitoring champions should be communicating how the approach is improving the program.
Step 4. SET EXPECTATIONS
Before you roll out continuous monitoring across the wider portfolio of third-party vendors, start conversations with them to set expectations. Be upfront about what the improved governance model looks like and what it means for them as a supplier. Explain clearly how the continuous monitoring tools collect data, which findings they will be required to remediate, and within what timeframes, in order to remain in good standing as a supplier.
The key is that vendors should not be surprised when they are asked to fix a newly discovered vulnerability. Ideally, the communication is done in the spirit of partnership: your organization can help them improve their security posture by alerting them to serious problems they may have overlooked, and that is good for everyone involved. Part of the process may be explaining that continuous monitoring is not an invasive look inside their systems; it observes only what is already visible from the internet, the broken windows on the outside of their metaphorical building. The same point cuts both ways: external monitoring cannot see internal controls, so it complements rather than replaces the evidence gathered through questionnaires and on-site reviews.
Step 5. EMBED POLICIES IN CONTRACT LANGUAGE AND RFPS
Your organization should not only set expectations informally through training and evangelism, but also formalize its policies in contract language. Contracts and RFPs should set out enforcement policies and procedures that lay out remediation actions and timeframes. As with any contract, there will be some collaboration with vendors to customize terms to the relationship, but at a high level you should be inserting the prevailing policies into your standard contracts.
Come back soon for part two to learn about the next steps you should take to incorporate continuous monitoring into your third-party risk management program.