In this second blog of our three-part series, guest authored by Forrester senior analyst Paul McKay, we discuss the difference in remediation efforts between third-party cyber risk and standard IT risk, as well as the use cases Paul sees developing from cybersecurity risk ratings solutions.
RiskRecon: How does remediation differ when it comes to third-party cyber risk as opposed to any other IT risk environment?
Paul McKay: The concept of management control is critical here. Within your own IT risk environment, you can exert some control and direct influence to bring your weight as a security organization to bear to change things. You can commission projects and influence other parts of the business to change behaviors or spend time, money and resources undertaking projects to reduce risk.
In the third-party case, your only mechanisms are contractual. It is crucial to get embedded right from the off to perform audits and gain the cooperation of the third party in your security assurance efforts. Expect remediation to be discussed through the lens of contractual change controls and suppliers to challenge based on commercial priorities. This makes remediation more difficult and potentially more costly than it is for your internal environment.
However, suppliers don’t want to be perceived as failing in their security obligations, they want to make it as good as they can because it helps them with not just you but all their other customers as well. I often find the quality of the personal relationships and level of trust obtained helps to build an easier path to remediation.
Where the relationship is positive and constructive, progress can often be made without having to look at what the contract says every five minutes. However, it becomes more combative when the relationship between the business and the supplier is poor and there is a low level of mutual trust.
RiskRecon: What are some of the emerging use cases in which cybersecurity risk ratings are starting to deliver value to security and risk teams?
Paul McKay: While third-party risk has been the most popular use case to date for this class of solutions, I see several emerging use cases that are becoming popular. I’d highlight first the emergence of the enterprise cyber risk management use case, using the ratings data to assess and manage your own performance and reputation. I see this being a clear focus for organizations that act as a service provider to others and see growing interest in its use in large global organizations with complex legal and business unit structures.
In these types of companies, it is not uncommon to see global security teams relying on self-assessment reports from business units' local security or IT teams. These suffer from the same quality issues as third-party questionnaires. In addition, I see increasing interest in the investor community in using these ratings in a number of ways, particularly scrutinizing companies' cybersecurity posture during M&A and also when choosing whether to invest in a company or not.
This latter point may become a component of ethical investment frameworks, would it be considered acceptable for a company with a poor track record in cybersecurity to receive investment from certain mutual funds and investment houses? I think these and multiple other use cases are going to become more mainstream over the next few years.
Download this new report from Forrester, Cybersecurity Risk Ratings Market Outlook, 2020 And Beyond, to learn more about key trends and business cases you can expect over the next 12 to 24 months. This is a must-read for security and risk professionals.
Be sure to read part I of the blog series here and stayed tuned for the final blog in this series coming out soon!