Trading best practices across firms have been a staple in the cybersecurity industry for years. Everyone needs guidance and a helping hand once in a while. The same is true for third-party risk practitioners. That is why the data from the RiskRecon and Whistic report on how and why investment in security continues to rise in vendor risk management is vital to those looking to strengthen their approach to third-party risk management.
In this blog, our experts, Kelly White, the founder of RiskRecon, a Mastercard company, and Jake Bernardes, the acting CISO at Whistic, discuss what companies are doing to manage their risk well. What do their programs look like? What technologies are they using? Find out below!
Jake Bernardes: The buzzword at the moment is about shifting left; everything in security is shifting left. It doesn't matter what you sell, it's shifting left. And I think that there's a relevant piece of that also in the vendor risk management world: it's about moving things earlier. One of the keys to successful VRM work is shifting the security piece earlier into the cycle. When you are acquiring your vendor, it often comes across the cybersecurity person's desk way down the line. You might have already paid them by the time they see them and look at it and say, "Should we look at this or not?" That's how things used to be and it can't go that way. We must shift left to the point that it becomes part of the procurement process.
There's no legal discussion, no payments made before security has looked at that business, assessed them, attested that they're adequate in their controls and posture, and then basically given the green light to go forward. I think that includes several things. One of the questions touches on SOC 2, and I think it's about setting a kind of minimal bar around what is the least that you will ever accept. Using standards is a good place to start. Do I think that every vendor should be willing to share their SOC 2 if they have one? Yes. Do I think that every vendor you are going to have will be willing to share their SOC 2? No. But if they have one, they should be willing to share it, because they've got the attestation to demonstrate their posture.
I've built a load of SOC 2 implementations and I can attest to the fact that SOC 2 has a lot of gray areas. There are places where you could manipulate the posture of the truth and that means that everyone's in that game. How do you get around that? Again, you shift left. If you engage your security team earlier in the journey and educate people sooner in the buyer cycle about what they're buying you will be much more secure in the long run.
Successful companies are shifting left, getting security involved earlier in buying/sale cycles, and engaging in those conversations that say, "Let's have a conversation about transparency. What is the reality about posture, what do you need, and what do we need in coming to a mutual understanding where we know that we can progress together?"
Kelly White: We are at an information disadvantage as third-party risk professionals assessing the cybersecurity quality of partners. How do you solve that at scale and get good risk outcomes efficiently? I don't think there are many teams out there that are saying, "Hey, let's double the size of our third-party risk management team." We're being asked to do more with the same number of resources. Traditional third-party risk management programs are questionnaires and vendor attestations. A short while back, a study was published that substantiates the fact that there's a very high percentage of TPRM professionals surveyed who have very low confidence in the accuracy of those questions (86% of respondents).
That is where we were, but over the last five to ten years there's been a convergence of a few things. First, objective data that can discover its systems and how companies are operating on the internet, create a robust profile of that publicly viewable cybersecurity estate. That view includes dimensions like data loss history. There is a lot of reporting around that, it’s very useful. If you're running systems on the internet, you can't help but disclose some of the cybersecurity configurations that you have, whether it's web encryption, how you're configuring your domains, DNS practices, email security, software patching, etc. The other side is the development of systems like Whistic's solution, where you can provide a facility that makes it easier for companies to share more information than they would traditionally do in a questionnaire.
You can also automatically intersect RiskRecon's objective data into those different control areas. For example, you could ask how well a vendor does at software patching: what does RiskRecon say about that? Do they have good software patching practices? You could see if they abide by OWASP's top 10 web application security practices. RiskRecon can see how they comply with a few of those. Jake also talked about the importance of objective evidence. Sometimes it's a SAS 70, but sometimes there might be other evidence that companies have, which they can share through the Whistic platform to provide more objective information.
The second part of this is that there is a lot of innovation happening around the information that can be instantly brought to bear to help inform better risk decisions. Companies are taking advantage of those cybersecurity risk ratings, and they are intersecting those with the platform that they're using for administering their third-party risk program. Whistic's platform does that and provides an easy way for both the assessor and the assessee to share and collaborate. These data points also enable you to smartly prioritize where you are going to focus your time and attention.
JB: The issue with trying to answer this question right now is that a lot of the options people are using are point-in-time views, and while we're seeing a shift to using real data, some firms are not shifting fast enough. Some companies have cloud security posture management and live, real-time data. You have compliance automation utilizing live, real-time data. You have companies in pen-testing like providing live, real-time data. We talk about the future of Whistic and that's where we are too. We take companies from attestation and answering questions to verification of answers by third-party-driven API feeds and data, including data from RiskRecon.
I think we are cognizant of this fact, and that's where the industry is shifting: to go from being a place where we can now transparently share our risk posture, to being more supportive with third-party data sources and data feeds like RiskRecon, to giving a lot more depth and providing a lot more trust to the statements that are made, because it's no longer just an opinion; it's also backed up by something more powerful. Data.
Download the report here to see the full results from our study and check back to get more of their thoughts on our blog!