We’re running a blog post series on the “Seven Deadly Sins of Third-Party Cyber Risk Management.” Here’s the sixth deadly sin: trusting but not verifying.
Did you miss the other installments? Get caught up here:
- Second Deadly Sin: Failing to make third-party risk management about business risk management
- Third Deadly Sin: Not measuring and reporting risk and risk outcomes
- Fourth Deadly Sin: Failure to address information security in third-party contracts
In entering into discussions with the Russian government on nuclear disarmament, U.S. President Ronald Reagan adopted the Russian proverb “trust, but verify.” The principle of “trust, but verify” is wise to apply in managing third-party cyber risk, particularly given that the risk is yours and not the vendor’s.
Vendors most commonly pass questionnaire-based assessments with perfect marks. A company we work with closely recently reviewed the questionnaire responses from 100 vendors. Nearly every vendor answered each question in the affirmative, representing proper deployment and operation of the required security controls. Are these positive attestations sufficient to conclude that your risk is mitigated? Are all vendors really that good? Very likely not.
Vendor attestations of cyber risk management provide an understanding of the investments third parties have made in people, process, and technology to achieve good risk outcomes. However, attestations do not tell you how well they implement and operate their risk management program.
For example, a third party might respond positively to vulnerability management questions, stating that they scan their entire environment for vulnerabilities daily using a scanning tool such as Qualys, that they subscribe to software security notices, and that their information security policy sets a reasonable frequency for remediating vulnerabilities based on severity. However, objective data provided by RiskRecon might reveal that 20% of the third party’s internet-facing software is unpatched and that a significant portion of the issues are critical and affect high-value assets.
Good risk management requires accurately and fully understanding risk. Vendor attestations of security help you understand the investments they have made to achieve good risk outcomes, but that is only half of the information needed. Objective data helps you understand how well they actually implement and operate their program.