Recently, Kelly White, founder of RiskRecon, a Mastercard Company, sat down with Sam Olyaei, Director at Gartner Research, and Errol Weiss, Chief Security Officer at Health-ISAC, to discuss their clients' experiences with recent trends in third-party risk management. One of the topics these experts hit on was the evolution of a CISO/CSO's involvement in third-party risk management.
Kelly White: Errol, how are things like the COVID pandemic, the rise in ransomware events, and the geopolitical situation in Europe changing the nature of the job of the CISO and perhaps the head of third-party cyber risk management?
Errol Weiss: Historically, when we look at some of the major attacks, most of which have occurred over the past couple of years, you've got these third-party service provider attacks where the bad guys get into that network or that service provider to potentially gain access, or a potential avenue, to their customers. Their idea is to attack once, and then you have access to many. The adversary has been doing a very good job of that, unfortunately.
I think today, in the mind of the CISO, these third-party service providers and trusted partners are certainly a big worry for many of them. I know how hard it is to understand where all your third-party connections are, or who all of your third-party partners are. You can try to do an inventory; you can maybe get some feeds from your accounts payable department to understand, "Okay, if we're paying someone, it's a good likelihood that they're a third-party partner." But that doesn't cover everybody, because you're not paying all your third-party providers either, so it's hard to find out where all of these exist.
To make matters worse, when you look at the SolarWinds attack from the end of 2020, software that has trusted access inside your own network, how do you identify things like that in the environment, where you can be compromised by a threat actor that potentially has access to your entire network because of the privileges that the utility or that management software has?
Sam Olyaei: I'll say that from a role perspective, we're seeing two things emerge, and the geopolitical tension we're seeing now just adds to this. The first thing we're starting to see is what we call the "loss of control" here at Gartner. Basically, this refers to the idea that because of the involvement of third parties, citizen computing, and business leader expectations going through the roof, you're starting to see the cyber security leader, or the CISO, lose control of decision-making around cyber security in the organization.
There are a lot of other decision-makers in the organization that make calls about cyber without involving the cyber security leader. What that essentially turns into is the cyber security leader now has to decide, "If I continue across the path where I'm going to be that operational, tactical leader and I want to police everything, and control everything, and be sort of that overseer, I'm going to have so many different parties that I'm going to deal with." It gets to the point where that leader is going to be overworked and fatigued; we call it the "always on" mindset.
That is causing a reaction where a number of other cyber security roles are emerging across the organization. You start to see things like product security officers, platform security officers, cyber risk officers, and things of that nature. They are adding to the complexity of the role in the organization. The second thing we're seeing is related to the perception at the board level and the business level.
Something that happened right in the aftermath of COVID is board members and business executives, C-level business executives, looked at the situation and said, "Well, we were able to pivot within 48 hours to a remote, or work-from-home, environment by bypassing all the security controls that we had in place." So the question came back to the CISO and to the CIO: "Why did we have these security controls in place in the first place, if we didn't need them, if we just moved to a virtual environment without any sort of conclusion there?" What that turned into is now a conversation about the value-add of security to the business. It's no longer about how much technology you're adding or what types of risks you're mitigating; it's, "Did you help me get more customers? Did you help improve my profits? Did you help improve our legal and reputational image?" That's the conversation that's happening at the board level. Those are the two things I would say, from a role perspective, that have changed in the last year, year and a half or so.
We summarized the key insights from their conversation in a new paper, "Trends in Third-Party Risk Management." Check it out today!