Third-party risk management is an issue that keeps many chief information security officers (CISOs) and other security leaders awake at night. Third-party risk has a lot more in common with phishing than advanced persistent threats (APTs) or zero-day attacks; it’s a known issue, but there’s a huge gap between awareness and risk at the majority of organizations. There’s no shortage of reasons to get this one right, including mounting compliance pressures and the tenuous state of customer trust.
Fifty-six percent of organizations attribute security issues involving data loss to vendors or other third parties, according to a 2018 study from Opus and Ponemon Institute. While consumer awareness of data privacy issues has increased, your customers aren’t about to distinguish between your vendors and your internally managed security controls if their records are stolen or lost.
Just 35 percent of organizations rate their third-party risk management program as highly effective, and just 34 percent have a comprehensive inventory of all their vendors. Few would make the argument that the industry has a handle on third-party risk, which begs a discussion of why we’re facing this crisis in the first place.
Why Is Third-Party Risk Management Lagging?
For many organizations, poor risk management is the result of ineffective processes and a lack of resources. A recent Venminder study found that 77 percent of organizations have five or fewer employees dedicated to vendor risk management in any capacity. In addition, 54 percent of organizations spend less than $5,000 each year on vendor risk management, even though most agree that more effective practices would deliver a positive return on investment.
For some companies, the roadblock may be low rates of cultural awareness and exposure. The Ponemon study found that less than one-third of organizations regularly report to the board on a consistent basis about the state of third-party cyber risk practices. When one also considers the industry’s long-standing reliance on vendor questionnaires as a primary method of tracking third-party risk, it becomes clear that the board may have little insight into the state of third-party risk in many cases. Visibility is the main barrier.
Rethink Your Questionnaire
It’s time for the industry to move past its dependence on vendor questionnaires to assess cybersecurity risk. While self-reported data has a place within a risk management framework, there’s clear evidence that organizations need to reassess the fullness and accuracy of the information they are receiving.
At the very least, companies should examine and update existing questionnaire forms and edit them for length to remove extraneous questions that could diminish the chances of a vendor response. According to RiskRecon, each additional security assessment question can cost anywhere from $11.62 to $34, depending on the length of the form.
As Kelly White, founder and CEO of RiskRecon, wrote in Dark Reading, “Questionnaires are generic, but your vendors aren’t.” Generic questionnaires will result in a shallow rating of risk that provides little insight into how an internet of things (IoT) vendor’s data handling practices actually affect your organization compared to an HR partner, for instance. “Use the questionnaire to target the data you’re most interested in,” wrote White. “Don’t waste time gathering information you already have.”
Emphasize Objective Measures
The most meaningful indicators of vendor risk come from third-party assessments of your vendors, such as ISO certifications or penetration testing results. Involving third-party ratings can significantly streamline the process of gathering objective evidence on vendor performance by testing protective measures like data encryption.
Open-source intelligence (OSINT) providers can also be leveraged as clear sources of insight into vendor cybersecurity risk. OSINT, penetration testing and cyberthreat intelligence reports can create the necessary baseline of understanding to examine how your partners’ practices compare to acceptable standards for data protection.
Map Data to Maintain Oversight
The dynamic state of data risk demands a more real-time approach than annual questionnaires. Data governance and methodologies for data mapping can fulfill regulatory requirements and allow organizations to maintain oversight of data in transit, data at rest and assets that are distributed across a vast third-party network. Using tools to identify critical assets and track compliance can streamline the process of maintaining dynamic data controls and help to enforce security policy, even for networks that incorporate many vendors and assets.
Risk Management Isn’t Static, So Take a Dynamic Approach
Risk and vendor governance are receiving increased attention, and it’s clear that it’s time for CISOs and chief risk officers (CROs) to get their arms around these issues. Third-party risk management isn’t simple, and organizations face numerous barriers on the road to smarter vendor risk governance, including concerns around processes, resources and organizational structures. While dedicating more time and hours to your questionnaires can mitigate some risks and enable better oversight, vendor risk is far too dynamic to be managed with an annual, paper-based approach that presents the same self-reporting measures to a large and diverse vendor network.
Vendor risk management is crucial to customer trust, compliance and other strategic priorities that affect the business as a whole. By taking a dynamic approach that integrates OSINT, third-party cyber risk intelligence reports, and an ecosystem of solutions for mapping data risks and controls in real time, organizations can overcome the visibility barrier into third-party risk.
Jasmine Henry (formerly Jasmine W. Gordon) is a Seattle-based emerging commentator and freelance journalist specializing in analytics, information security, ...