Third-party risk management: the process, technology, and people whose goal is to lower the risk created by third parties (vendors). Surveys of a wide range of companies, across multiple industries, routinely find that less than 50% have a program to manage this risk. Those that do perform it do so minimally, as part of a compliance exercise designed to keep regulators and oversight bodies satisfied. After COVID-19 sent many onshore and offshore resources to work from home and cyber-threats exploded over 800%, this lack of a serious approach to third-party risk (compared with how firms run their own internal security controls) became apparent in the corresponding explosion of third-party breaches and security incidents.
By Gregory C. Rasner, CISSP, CIPM, CCNA, ITIL
Many firms rely on point-in-time assessments. These are typically classified as remote or onsite assessments. Remote assessments are questionnaires sent to a vendor with relevant questions; the answers are reviewed for any items that do not meet your firm’s security requirements. Remote assessments are a great way to perform intake security reviews for new vendors or new services. The weakness of remote questionnaires is that vendors typically cannot share sensitive documents or data because of their restrictive classification. For example, viewing a third party’s access management policy documentation will not typically be allowed.
Onsite assessments are performed at the vendor’s location. These allow for a more transparent sharing of data because anything sensitive is not leaving the room where the assessment is taking place. In addition, being onsite allows a more direct conversation with the vendor about their security and any potential gaps. The weakness of onsite assessments is they take more time to plan, execute, and complete.
Both types of assessments, remote and onsite, are valuable and have excellent use cases. First, understand the limitations of each type: a remote assessment is akin to asking your children if their room is clean. If going to their room is physically challenging, getting their feedback on its clean status is acceptable; however, their definition of clean is likely not the same as yours. The onsite assessment is similar to going to your kids’ room to validate that it is actually clean. As most of us can attest, the results of the two types of assessments are different. Remote assessments are effective for time-sensitive, higher-volume processes such as new vendor security evaluations. Their results need to be taken with a lower level of confidence, given that the vendor is attesting to its own security controls. Onsite assessments will find security gaps with a very high confidence level, but due to their higher resource cost, they should be done on vendors whose risk level warrants that extra cost.
If your organization isn’t performing these types of security evaluations, begin by reviewing the third parties at the highest risk. Rank them by the number of records they hold and/or whether they have a connection to your network. Send out a remote assessment questionnaire to get a level-set; follow this up with a review of those remote assessments, and select those with the most concerning responses for an onsite assessment. In this time of inability to travel and gather, leverage collaboration tools to do these virtually, until they can be performed safely at the vendor location.
Cybersecurity Third-Party Risk
Many companies focus on all the third-party risk domains rather than on cybersecurity risk specifically. There is financial risk, reputational risk, country risk, and many others. However, cybersecurity risk is most often the largest financial and reputational risk to your firm. Countless public breaches associated with large, well-known companies were the result of a cybersecurity breach at one of their third parties. While there are other domains to review in third-party risk management, it is cybersecurity risk that produces the most frequent and most public breaches. Focusing on the cybersecurity domain requires that the third-party risk team have information security expertise.
Third-party risk management organizations do not often have this level of experience or expertise. Many companies compensate for this by creating a checklist for the assessor to follow. There are two major problems with this approach: first, without that expertise, it is very unlikely the assessor will recognize any inconsistency or illogical answer from a vendor; second, the checklist approach does not allow for follow-ups that provide a more complete picture of the security at the vendor.
As mentioned in the first section, point-in-time security evaluations are common and necessary. However, there is a need to perform something more ongoing and active; this is called Continuous Monitoring. It is designed to fill the gap between the point-in-time assessments discussed above. This activity has typically relied solely on vendor reputation software: the tool sends an alert of a bad score on a particular third party, and the third-party risk team member engages with the vendor about the alert. This has resulted in a lot of fatigue among third parties, and the resulting conversation often does not change the risk. This approach needs to change, which can be accomplished by correlating the alerts from vendor reputation software with internal due diligence and the nature of the threat in the alert.
As an example, a vendor reputation tool raises an alert for an open FTP port detected at a vendor that maintains ten thousand confidential customer records. Diving into the existing due diligence or risk acceptances at the firm is the next step; in this example, it turns up a risk acceptance performed on this vendor for inadequate Data Loss Prevention (DLP), providing more context about the alert. Combining all this data and providing it to the vendor gives a more complete picture: the alert together with the known gaps. Now the conversation with the third party is about the alert in the context of their risk acceptance and the high number of your customers’ protected records they hold.
Moving to Predictive
Almost every third-party risk management organization is reactive: reliant on a breach or security incident notification from a vendor. As due diligence efforts, point-in-time assessments, and Continuous Monitoring produce results and data, it becomes possible to use that data to move to a predictive model. Much like vulnerability management, this approach allows CISOs and their teams to focus on what is the highest risk, not the totality of all vendors.
The vendor due diligence results, risk acceptances, contract deviations, threat intelligence engines, vendor reputation tools, and other data sources are all inputs to this updated approach. The front end can be a Business Intelligence or Analytics engine, but the algorithm is the key. For example, confidence levels for the data are part of the consideration: due diligence findings from an onsite assessment have higher confidence than those from a remote one. An open risk acceptance has high confidence, but the vendor reputation tool is lower. The higher the confidence of a data source, the higher its weight in the algorithm.
In a dashboard view, the simplest form of this predictive model is a stoplight approach: red, yellow, green. Vendors with no open findings, no open risk acceptances, and no alerts would be shown as green. Vendors with low to medium risk findings and/or risk acceptances could be yellow. Those with higher risk findings, risk acceptances, and an alert show up as red. At a high level, this allows staff to focus on the highest risk for engagement. A further example is a vendor who is yellow, with an open finding for not allowing admin access of laptops by standard users; there are ten thousand confidential customer records at their site, and an alert shows botnet traffic coming from their network that is associated with browser add-ins with key-logging capabilities. This bumps them up in the dashboard to red. Now the conversation with the third party is proactive: going to them with this level of detail, from a system that provides alerting, changes the timing of the conversation.
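The following is an added illustration, not code from the article or from any product the author uses, of the two ideas above: correlating a reputation-tool alert with existing due diligence (the FTP/DLP example) and weighting each data source by its confidence before mapping a vendor to a stoplight colour. All weights, severity values, exposure tiers, category names and thresholds are assumptions chosen to make the example work; the sample vendors and signals are constructed. The one design choice worth noting is that an alert whose category matches an open finding or risk acceptance is taken at the confidence of that due diligence item, so a corroborated alert moves the vendor from yellow to red while an unrelated alert of the same severity does not.

```python
"""Confidence-weighted stoplight scoring for third-party cyber risk.

Added example; weights, thresholds and categories are assumed values for
illustration, not figures from the article.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Assumed confidence per evidence source: due diligence a human performed
# onsite is trusted most; a vendor-attested questionnaire and an external
# reputation-tool alert are trusted less.
CONFIDENCE = {
    "onsite_finding": 1.0,
    "risk_acceptance": 0.9,
    "remote_finding": 0.6,
    "reputation_alert": 0.4,
}
SEVERITY = {"low": 1.0, "medium": 2.0, "high": 3.0}
DUE_DILIGENCE_SOURCES = {"onsite_finding", "risk_acceptance", "remote_finding"}


@dataclass
class Signal:
    source: str       # key into CONFIDENCE
    severity: str     # key into SEVERITY
    category: str     # assumed tag (e.g. "endpoint") used to match alerts to known gaps
    description: str


@dataclass
class Vendor:
    name: str
    confidential_records: int
    network_connected: bool
    signals: List[Signal] = field(default_factory=list)


def exposure_multiplier(vendor: Vendor) -> float:
    """Scale risk by what the vendor could expose (assumed tiers)."""
    mult = 1.0
    if vendor.confidential_records >= 10_000:
        mult += 1.0
    elif vendor.confidential_records >= 1_000:
        mult += 0.5
    if vendor.network_connected:
        mult += 0.5
    return mult


def corroborated_by(alert: Signal, vendor: Vendor) -> List[Signal]:
    """Due-diligence items (findings, risk acceptances) in the same category as an alert."""
    return [s for s in vendor.signals
            if s.source in DUE_DILIGENCE_SOURCES and s.category == alert.category]


def signal_weight(signal: Signal, vendor: Vendor) -> float:
    """An alert that matches a known gap is weighted at the confidence of that gap."""
    weight = CONFIDENCE[signal.source]
    if signal.source == "reputation_alert":
        for gap in corroborated_by(signal, vendor):
            weight = max(weight, CONFIDENCE[gap.source])
    return weight


def risk_score(vendor: Vendor) -> float:
    base = sum(SEVERITY[s.severity] * signal_weight(s, vendor) for s in vendor.signals)
    return base * exposure_multiplier(vendor)


def rating(score: float) -> str:
    """Stoplight thresholds (assumed)."""
    if score < 1.0:
        return "green"
    if score < 8.0:
        return "yellow"
    return "red"


def evaluate(vendor: Vendor) -> Dict:
    """Score, colour, and the alert-to-gap correlations to raise with the vendor."""
    score = risk_score(vendor)
    talking_points = [
        f"{a.description} (alert) relates to known gap: {g.description}"
        for a in vendor.signals if a.source == "reputation_alert"
        for g in corroborated_by(a, vendor)
    ]
    return {"vendor": vendor.name, "score": score, "rating": rating(score),
            "talking_points": talking_points}


# Constructed sample data mirroring the article's scenario.
ADMIN_FINDING = Signal("onsite_finding", "medium", "endpoint",
                       "standard users hold admin rights on laptops")
KEYLOGGER_ALERT = Signal("reputation_alert", "high", "endpoint",
                         "botnet traffic from vendor network (key-logging browser add-ins)")
UNRELATED_ALERT = Signal("reputation_alert", "high", "web",
                         "expired TLS certificate on marketing site")

CLEAN_VENDOR = Vendor("Vendor A", confidential_records=500, network_connected=False)
GAP_VENDOR = Vendor("Vendor B", 10_000, False, [ADMIN_FINDING])
GAP_PLUS_UNRELATED = Vendor("Vendor B", 10_000, False, [ADMIN_FINDING, UNRELATED_ALERT])
GAP_PLUS_CORROBORATED = Vendor("Vendor B", 10_000, False, [ADMIN_FINDING, KEYLOGGER_ALERT])

if __name__ == "__main__":
    for v in (CLEAN_VENDOR, GAP_VENDOR, GAP_PLUS_UNRELATED, GAP_PLUS_CORROBORATED):
        print(evaluate(v))
```

Run as a script, the clean vendor scores 0 (green), the vendor with only the open endpoint finding scores 4.0 (yellow), adding an unrelated high-severity alert lifts it to 6.4 (still yellow), and the corroborated key-logging alert lifts it to 10.0 (red) with a ready-made talking point that ties the alert to the open finding. In a real programme the categories would come from a shared taxonomy between the due diligence tracker and the reputation tool, and the weights and thresholds would be tuned against historical incidents.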
Timing is Everything
Third-party risk management still needs more adherents; however, due to COVID-19 and the increased cyberthreats, there is an obvious need to change the approach to include and improve Continuous Monitoring. Firms that reach this level of due diligence on their third parties can then begin to benefit from predictive, near-real-time engagement with vendors on a risk-based approach. Getting ahead of the risk leads to lowering the risk.
About the Author
Gregory Rasner leads Corporate Cyber Security Third-Party Risk at Truist Financial Corp. Prior, he held cybersecurity and information technology leadership roles in technology, biotech, and finance. Teaching part-time at local community colleges and volunteering time for veterans’ causes are his passions. He is proud of his service in the U.S. Marines and is also a father of five children along with a beautiful, smart wife who also is a cybersecurity professional. He can be reached at [email protected]
Views expressed in this article are personal. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.