This is the first guest blog in a three-part series where Paul provides some additional insight beyond that webinar, covering some of the topics in more depth, including the fundamental concept of Third-party SecOps and how this is helping evolve the approach to managing third-party risk.
The discussion brought a few things to light:
1. Organizations are starting to evolve their modeling and improve efficiency with high-fidelity data and automation.
2. Enterprise risk management and third-party risk management are fundamentally driving at the same thing.
3. The data collected by cybersecurity risk ratings solutions is driving use cases for action in reducing risk.
RiskRecon: From your perspective Paul, as a risk practitioner-turned-analyst, what are the key gaps or blind spots that cybersecurity and risk management teams currently have in terms of managing cyber risk that sits outside their organization? What problem is this class of technology solving?
Paul McKay: There are several common gaps that I see within third-party risk management. In many organizations, a common stumbling block is to even be able to identify who all your third parties are. It is quite challenging to get your head around your third-party security risks if you are not able to undertake this foundational step.
It is also common to see difficulties in getting prioritization correct, leading to unnecessary efforts placed on suppliers who don’t merit that attention and vice versa. Also, almost all the due diligence, whether this is a review of security questionnaires or on-site auditing, is performed at the beginning of a contract.
When we even get to the security questionnaires, the responses suffer from issues of bias, inaccurate data and bold statements professing how wonderful the vendor's security program is. Having objective data sources that are accurate and based on open data is a challenge, and we need to establish ways of doing this to counter the inherent positivity found in many third-party security questionnaires.
For example, I see a gap in continuous assessment during the life of a contract. Many programs are not continuously assessing the risk posed by critical third parties, so I see a big gap here that needs to have more attention paid to it.
It is not uncommon for good audits to surface several issues that never get addressed because nobody in the organization is pushing it hard. Without remediation, the entire process does not deliver the risk management benefit it is supposed to. Finally, given these challenges, it is not surprising that determining fourth parties (suppliers of your direct third-party providers) is a problem we have not been able to scratch the surface of yet.
RiskRecon: When it comes to the third-party risk management lifecycle, at what stage do you suggest the maximum focus and effort should be put into using cybersecurity risk ratings? How do you know you are ready and how do you extract value quickly?
Paul McKay: The two stages I think are most important to focus on are the prioritization effort and how you manage and drive remediation.
Taking prioritization first, this really does drive where you choose to place your focus, accepting that you won’t have the financial or human resources to review every third-party supplier with the same level of depth. Getting this right is just as important as the process of doing the assessment (whether this involves questionnaires, ratings data, auditing).
The second part, which I think gets lost sometimes, is that a great audit report surfaces some crucial issues that need to be addressed. A lot of the time, the burning issues are fixed and then all the other issues go nowhere. I think the remediation aspect, linked to continuous improvement, is critical.
In my mind, not performing remediation kind of makes me think, what is the point of all of this? If we do all this assessment work and do nothing with it, we just create a paper trail (digitally or physically) of great audits that never actually reduced any risks.
For now, you can download Forrester's New Wave report for free to understand why RiskRecon is a leader in the cybersecurity risk ratings market and to understand our differentiating capabilities.
Look for parts II and III of this guest blog series, coming soon, along with a new 'outlook' report on this market.