By Becky Swain, Director of Standards, HITRUST
Third-Party Risk Management (TPRM), commonly referred to as vendor or supply chain risk management, is not a new concept. It originated in a more traditional on-premises IT mindset and was centered on an expectation of always having a significant level of visibility into and control of an organization’s most prized cyber assets; this meant companies asked their most important business partners to share their internal security posture with them.
Then came cloud computing, a catalyst that fundamentally changed how companies do business and consume technology. The cloud, as the epicenter of IT, led to the need for the TPRM model to adapt, necessitating a fundamental change in the mindset to address the emerging risks posed by off-premises cloud-hosted technology services.
Most of the time, it is only the obvious 1:1 connection that organizations consider. They forget that, even though the supply chain can be viewed by name as a “chain,” the growth of technology, and the cloud in particular, has turned this chain into more of a mesh. And, as the saying goes, a chain is only as strong as its weakest link.
The question is, where is that weak link in the mesh? Maybe, more importantly, who owns security and risk management for that link — or links? A change in mindset here involves two primary transformations:
(a) A more externally facing view of risk and policy enforcement.
(b) A realization that in the cloud, controls are shared with the use of common technology platforms.
As a result, this realization has forced a new “we” rather than an “us vs. them” dialogue with cloud service providers.
At first, these conversations were uncomfortable, if they happened at all. This realization and the related shift in mindset therefore did not happen overnight. It took two key changes in industry trends to start the TPRM-in-the-cloud journey that finally got us to where we are today:
The democratization and consumerization of IT: With the birth of the cloud — and its ease of accessibility and consumption — emerged a new “shadow IT” developer community, which was no longer bogged down by traditional, process-heavy enterprise IT red tape. With the shadow IT approach, developers bypassed all the existing enterprise security controls baked into those processes.
In turn, this renewed sense of empowerment enabled developers to accelerate their time-to-market. They could also deliver new, innovative solutions to keep pace with an emerging competitive landscape of technology service providers that demanded increased shareholder value and revenue growth.
From the TPRM perspective, this became problematic when customers sought answers to their supplier risk due-diligence questionnaires, because no one within the enterprise IT function could respond, as had been the prior modus operandi.
This forced CISOs — along with their CIO partners — to redefine their cross-functional engagement model to strengthen their partnerships with the company’s lines of business and associated product teams. They did this in hopes of building a partnership similar to the one they had previously matured with their enterprise IT counterparts. This shift also coincided with a new addition to the company’s set of most prized cyber assets: customer data.
With this new supply chain risk perspective on customer data protection — along with the expansion of global privacy regulation — there emerged a new set of security and privacy industry standards and unified compliance control frameworks. These frameworks were more suitable for addressing the cloud security risks that CISOs would need to adopt and integrate into their information security and governance, risk, and compliance (GRC) programs. The frameworks also helped CISOs safeguard and appropriately manage both their own supply chain risks and the supply chains of their customers.
Technology innovation and cloud supply chain ecosystem complexities: With the promise of the cloud came the next big innovation and a new term added to our tech-savvy vernacular: “Big Data.” Since then, there have been significant advancements in the types of technology solutions commonly used by consumers and businesses today — with further growth expected to continue in the future — e.g., artificial intelligence (AI), robotics, and the Internet of Things (IoT), to name a few.
These advancements have resulted in the creation of a vast and complex ecosystem of cloud service providers, solution partners, and consumers. They all share a common cloud platform, characterized by a commingled and integrated set of varying types of technologies, which are primarily hosted off-premises — e.g., web and mobile applications hosted on highly mutable virtual infrastructures.
From the TPRM perspective, the quality of the CISO’s engagement with their cloud service providers to appropriately manage supply chain risk is paramount. In addition to gaining the transparency, visibility, and auditability needed to understand third- and fourth-party risk factors, CISOs will need to transform their existing GRC programs to support continuous compliance monitoring of the cloud services they consume. This is obviously counter to the more traditional enterprise IT approach to supply chain risk management, whose much slower rate of change warrants a much longer supplier risk assessment cadence — e.g., on an annual or biennial basis.
The Journey is Just Beginning
Traditionally, TPRM processes have been disengaged, with one-way forms of communication by way of questionnaires. With the continued optimization of the cloud, the risk management landscape has evolved; however, we have not seen TPRM evolve at the same rate.
The time for dynamic, cooperative engagement between cloud service providers and their tenants is now upon us and grows more prevalent every day.
The “new normal” of managing risk in the cloud grants CISOs the opportunity to embrace being an advocate — not only for their own corporate innovation, but also the customers they serve, thus leading to new revenue potential.
The journey to TPRM in the cloud is just beginning. The cloud service provider you choose to partner with will go a long way in determining just how smooth or bumpy that road will be. The HITRUST Shared Responsibility Program simplifies and streamlines the process for determining shared control roles and responsibilities between organizations and third-party service providers for greater clarity on the ownership and operation of security controls.
Key Questions to Ask When Vetting Cloud Service Providers
As your business makes the transition to a cloud-ready TPRM program, the following questions can assist a CISO during the early stages of the procurement process in vetting cloud service providers and achieving an appropriate level of quality engagement:
- Does the cloud service provider have an adequate understanding and appreciation for your concerns pertaining to the required information security and privacy measures to protect the data and cyber assets you have entrusted to them? Similarly, does the cloud service provider acknowledge your compliance obligations that they must inherit?
- Can the cloud service provider readily articulate which information security and privacy standards and/or control frameworks they comply with, align to, and benchmark against?
- Does the cloud service provider demonstrate a higher level of assurance with independent third-party validation or attestation for the applicable standards and compliance frameworks? Are you able to inspect the validation to ensure any potential supply chain risk gaps are addressed?
- Does the cloud service provider go into further detail with respect to scope and depth, specifying how each of the control requirements for the applicable standards and compliance frameworks is implemented?
- Does the cloud service provider explain which control requirements are common and therefore shared with their customers based on which cloud services have been purchased? Can they explain why the responsibility is shared for these controls?
- Does the cloud service provider allow customers to “inherit” the common — or shared — controls from the applicable standards and compliance frameworks to prevent supply chain risk gaps while alleviating waste in duplicative assessments and audits?
It is also important to check the cloud service provider’s contractual agreements to ensure the level and quality of the engagement persists post-procurement. You also want to make sure they actively involve customers in their security and privacy incident planning, notification, and response processes. Another key attribute to look for is a service provider that ensures customers maintain awareness of any changes that may impact the cloud supplier’s risk posture and thus warrant a risk re-assessment.
There is a lot that should be available to you as you embark on this path — are you getting the visibility necessary to effectively and efficiently evaluate the security posture of the cloud services you are using?
About the Author
Becky Swain is the Director of Standards and Shared Responsibility Program Lead, HITRUST. Her expertise encompasses cybersecurity, privacy, supply chain assurance, and GRC frameworks, in addition to IT audit and compliance. Swain has been a contributor to cloud standards as co-founder and author of the Cloud Security Alliance Cloud Controls Matrix (CSA CCM) and project co-editor for ISO/IEC 27036-1:2014.
CISO MAG did not evaluate/test the products mentioned in this article, nor does it endorse any of the claims made by the writer. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same. CISO MAG does not guarantee the satisfactory performance of the products mentioned in this article.