Business partners, third parties and vendors play vital roles in the day-to-day operations that help organizations achieve their goals. Prior to the Target breach in 2013, bringing on new business partners was a fairly straightforward process.
Today, however, that process requires IT security oversight referred to as third-party cyber risk management (TPCRM). While this additional step is often viewed as a business blocker, it is critical to ensuring your organization and customers remain secure because with every new third party you bring on, you increase your attack surface and, as the headlines illustrate, third parties are the cyberattack method du jour.
The only way to truly understand the risk posed by a third party is by assessing and validating the security controls and processes it has in place. The result of this process allows you to make informed decisions about how much risk you’re willing to accept and what you require the third party to mitigate in order to keep doing business with it.
Yet, as critical as they are, I referred to third-party cyber risk assessments as the bane of TPCRM because, to date, they have been ridiculously cumbersome, manual and time-consuming. A recent survey conducted by my company found that third parties are spending over 15,000 hours a year completing assessments, while over 50% of their customers do not find the results of the cyber risk assessments helpful. For vendors and their customers alike, cyber risk assessments have become an empty, check-the-box experience.
While we cannot walk away from the intended goal of risk assessments, we can (and should) reimagine them. With all the innovation surrounding cybersecurity, third-party cyber risk management, particularly vendor risk assessments, is stuck in the dark ages. Ultimately, third-party risk assessments were designed to allow you to determine whether the business risks posed by a vendor outweigh the business needs or vice versa.
In practice, however, many of the organizations we speak with have said that even with all the time and money invested in their assessment processes, they are rarely able to make decisions from the results. So, if we need to continue to evaluate third parties for business risks, and the current assessment approach isn’t working, how can we approach it differently and more effectively?
First, get smarter about which vendors and third parties you even need to assess. Most organizations work with hundreds to thousands of vendors, and when it comes to risk, not all vendors are equal. In a previous article, I talked about using inherent risk to identify which vendors create the most business exposure so you can apply the appropriate level of due diligence to them. This helps you turn an overwhelming vendor population into a manageable portfolio of risk.
Second, leverage standardized tools to create scalability. This can range from checking whether your third parties already hold certifications such as ISO or NIST to using solutions and risk exchanges to review detailed risk assessment profiles. These tools give you a quick and accurate view of the level of risk posed by your third-party engagements, without wasting energy and time on assessment data collection. As you evaluate tools, keep in mind that ratings and scanning tools alone will not provide a true picture of third-party risk. Ratings tools can help you continuously monitor for changes, but they do not evaluate or validate which security controls are actually in place, and they often produce misleading false positives that distract you from real cyber risk and threats.
Third, build your TPCRM program around managing and reducing risk — not around assessment and data collection. This may seem like an unrealistic dream, given our historical reliance on unreliable assessments, but it is quite attainable with the solutions mentioned above. And the more we use shared delivery models like exchanges, the more populated they will become and the sooner today's cyber risk assessments will be a thing of the past.
As digital transformation and outsourcing continue to evolve, the need for and scale of third-party cyber risk management is only going to increase. It’s difficult to maintain your own security without effective third-party cyber risk management. We are at a critical point in time when we have the opportunity to reimagine the ineffective cyber risk assessment status quo into a collective process that provides us with the insight we need to reduce risk across our shared third-party ecosystems.