Listen to this podcast on Apple Podcasts, SoundCloud or wherever you find your favorite audio content.
IBM Managing Partner and security expert Shamla Naidoo drops by this week to chat with ice cream-craving hosts Pam Cobb and David Moulton. Together, they triple-team the collective brainfreeze around third-party risk in the connected enterprise.
What Is a Third-Party Risk Assessment?
As Naidoo notes, “Third parties have become a really important part of the security ecosystem,” offering more efficient and effective cybersecurity solutions than companies can afford to design in-house. The challenge is that “every vendor will bring its own brand of risk to your business,” including supply chain, IT and operational risk.
To combat this issue, many organizations now leverage third-party risk rating vendors that both assess the risk posture of potential providers and help make decisions about utilizing these providers in more responsible, data-driven ways.
While Naidoo says risk-rating vendors have a very important role to play, this process represents “the beginning of risk management, not the end.” Beyond rating scores, other factors such as existing security structure, current processes and the organization’s ability to assess network vulnerabilities also play a critical role.
Know Your Risk Threshold
According to Naidoo, one limitation of third-party risk reports is that they often assume a one-size-fits-all model in which the provider being assessed is viewed as a “one-dimensional, one-service type of business.” This works in some cases — such as specialty or niche vendors that have limited reach beyond their offering — but is far less valuable when partnering with organizations that have multiple lines of business governed by differing rules and regulations.
Here, the podcast hosts and guest compare third-party risk to an apartment building: While multiservice vendors have control over the structure at large, they don’t govern what happens inside specific apartments. Some companies may have higher risk thresholds and do less work to secure their own data, while others prefer to keep doors locked, security cameras on and data stashed away in a locked safe.
Ultimately, the goal of a third-party risk assessment is to provide an overview of potential partnerships. As Moulton points out, they’re useful to “navigate risk rather than perfectly define it.”
3 Steps to Reduce Third-Party Risk
Once a company has received a risk assessment and examined its own security posture, how can it further reduce the total risk presented by a third party? Naidoo advises security teams to take the following steps:
- Define terms — When hiring a third party, be clear on specific expectations, then “reduce those expectations to a list of terms in the contract” to ensure full transparency and define the bounds of the relationship.
- Validate outcomes — Having a contact isn’t enough. Organizations must regularly assess and validate outcomes to ensure that expectations are being met.
- Measure proactively — Proactive assessment tools are essential to help identify problems before they cause serious security risk.
Third-party offerings are now essential to boost enterprise security. The challenge is ensuring these vendors don’t introduce more risk than they remove.
Episode Transcript
David: Pam, do you think buying ice cream is risky?
Pam: You wouldn’t think so, but in my experience, yes. Because you have to measure what’s gonna end up sticky. Can I afford the stickiness? Is it gonna stain something? Am I even hungry? Do I have to share with my dog? Like, all of these crazy decisions that go into the span of like a second that flit through my head when someone’s like, “Let’s get ice cream.” I’m like, “Oh, no, I’m wearing white. We can’t get ice cream.” So there’s a lot of factors to consider other than, “Ice cream sounds good.” So, yes, to me it is risky.
David: Yeah, for me, it entirely depends on whether I’m with my son in my car. Because I know that if we’re in my car, it’s 100% on my car.
Pam: Oh, yeah. Car, dog, kid. It’s laundry day all of a sudden. It disrupts your entire workflow.
David: But is it worth the risk?
Pam: Generally, yes, unless it ends up being bad ice cream. But I’m curious, though. Now that you are engaged in this ice cream transaction, are you bringing in additional risk from your vendor, your ice cream vendor?
David: Go on.
Pam: Well, think about it. You could go to an established chain that you feel like, “Well, they have a lot of franchise locations. They clearly have brought out an IT infrastructure. I see that they’re not running the old manual cash register. They have a credit card swipe,” you know, versus, “Oh, here’s a cart on the side of the road that only takes cash.” Like, “One of these feels like I might get food poisoning, because the refrigeration’s not working.” “One of these, I feel like, maybe my identity is gonna get stolen.” So I feel like in these transactions, now you’re bringing in even more risk beyond, “Oh, I’m gonna get a stain on my car seat.”
David: Right. So you’re not thinking about just the product, but the surround of risk, everything that’s involved in a simple transaction.
Pam: Absolutely. This is the “Security Intelligence” Podcast, where we discuss cybersecurity, industry analysis, tips, and success stories. I’m Pam Cobb.
David: And I’m David Moulton. I spoke with Shamla Naidoo, a managing partner at IBM Security, who was most recently the global CISO for IBM.
So Shamla and I talked about third party risks, some of the risks that are inherent in looking at a single report as the single source of truth, and how businesses can reduce their risk by having good security fundamentals.
Pam: I’m gonna guess that you didn’t use an ice cream analogy, though.
David: No. Unfortunately, Shamla and I didn’t spend a whole lot of time talking about ice cream.
Pam: There’s still time to remedy that.
David: Indeed.
Pam: But why don’t we listen to the conversation?
Shamla: I am Shamla Naidoo. I’m a Managing Partner at IBM Security. In my current role, I’m advising board directors, CEOs, and C-suite executives, and our customers, in terms of how to approach this topic of cybersecurity in a strategic way. I most recently was the global CISO for IBM. And in that role, I was responsible for protecting and securing the IBM digital footprint, protecting our brand and our reputation.
David: In what ways are organizations relying on third parties to manage parts of their business?
Shamla: Well, you know, third parties have become a really important part of the security ecosystem. And frankly, for business ecosystems, because third parties bring a lot of capability to customers that we otherwise don’t have, or that they can do better than we can more efficiently, more effectively, and bringing to us innovation and other capability that we may not be able to implement quickly. So third parties are an important part of our business ecosystems in every area.
David: So, for all their benefits, how do vendor relationships introduce risks and concerns to any business?
Shamla: So remember that vendors are an important part of our ecosystem to make our businesses better, make us more productive, and in many cases make us more efficient. So business partners and vendors bring an important aspect to our business growth and our business progress. Now, remember that every vendor will bring its own brand of risk to our business, but that’s not that different to the risks that our employees introduce, the risks that our executives introduce, the risks that our partners and providers introduce. So I think it’s just another aspect of risk management for every business.
David: Right. So any business could bring supply chain risks, security risks, strategic risks, any of those type of things, and you’re looking to manage that. Speaking on the security topic, though, what are some of the limitations of seeking support from a cyber security risk-rating company?
Shamla: So cyber security risk-rating companies are going to look at our risk posture and the risk posture of our third parties, and really alert us to what the public profile might look like for a third party organization. Now, that’s an important aspect in terms of us determining our strategic risk posture, our security risk posture, and any other impact to our business that those providers or third parties might introduce. So these risk rating vendors have a very important role to play in the ecosystem of risk management.
However, that’s not the end all for managing the risks that third parties introduce into our businesses. That, I would say, is probably the beginning of the risk management, not the end.
So, remember that the genesis of these third party risk rating providers came from the fact that most organizations struggled with managing their vendors, managing the scale, and it really was a volume and a cost issue. So these third party risk rating vendors got introduced into the ecosystem to help people like myself in a CISO role, to help us to assess the risk posture of our providers and to make decisions about our providers in more responsible, data-driven ways. So these third party risk vendors bring a very important aspect to the role of the CISO, or to the role of a risk manager. They give us a data point that tells us what the external public-facing security profile might be of an organization.
So they bring a very important aspect to the table. What’s challenging, though, is that they only bring one dimension of the risk management function to that discussion. So we, as CISOs, and as risk management practitioners, and as risk executives, have to be aware that a risk rating vendor isn’t the entire answer to our risk posture. It is a part of the answer, not the entire answer. So we do need to look for other aspects that help to fill that picture, in terms of helping us make better decisions, more strategic decisions, and more complete decisions.
David: So it sounds to me, Shamla, like the third party risk score that you get can provide some insight, but it needs to be combined with the information that you have on your controls, and some of those things that are out of sight. So that’s a bit of a limitation there. But you’ve had a couple of different roles. What has your experience as a CISO been when using these tools?
Shamla: So I think the tools bring a very valuable piece of information. We have to combine that with other pieces of information that we might gather ourselves, that we might gather from our third parties directly, and then we need some validation. So the information in these score cards shouldn’t be used in isolation to make a decision or make a judgment on the security posture of a third party. I think there has to be some other pieces of information we should collect. For example, is the organization having other security incidents? Do they have a lack of controls generally across the environment? Do the audit reports tell you some important information?
Do you have third party penetration tests that might actually tell you, not just what you think the security posture might be, but what does it actually mean, and is there a business outcome here that we may want to pay attention to or put our focus on? So there’s a number of things that we have to do in order to validate that risk rating. The risk rating on its own does not give you a full view of your risk posture.
David: How does risk rating and posture work when you handle SaaS and hardware companies that sell the hardware or source code, but not always the implementation of management?
Shamla: So an important challenge for us is there are many organizations with different business models. And the risk rating vendors do have a kind of one-size-fits-all model. And what I mean by that is a risk report may actually give you a rating, assuming you’re a one-dimensional, one-service type of business.
So think about this. If you’re a pizza shop around the corner, they will give you a risk report for that pizza shop’s known digital presence. Now, in one single business, you can assume that the pizza shop owns all activity related to that digital presence. When you come to a company like an IBM, or an Amazon, or a Google, for example, where we have multiple lines of business that we deliver, each of them are delivered in different ways, using different roles and responsibilities, using different decision makers.
And so, there are a lot of different types of business models. These risk rating vendors don’t make that distinction. So while they have an important role to play, I think it creates a little bit of confusion where you have a multi-dimensional business model and the information is assuming you have a single business model, that the decision maker rolls up to the same set of people or organization. And that any decision that’s not made, or made poorly, is the responsibility of that organization.
So think about this, right, so if you’ve got IBM here, we’ve got multiple lines of business. Here, the tenant might make a decision. Here, IBM might make a decision. So people might rent or lease parts of the IBM cloud infrastructure, and they have entire decision-making over how they might use or consume that tenancy.
David:Right. So it’s kind of like an apartment building, right? IBM can decide how we’re going to light the parking lot and set up the buildings with locks, and make sure that those are there. But if the tenant doesn’t lock their door, close their windows, turn on their security system, those are some of their choices. Their risk appetite might be a bit higher. But then it reflects on the entirety of the apartment if you’ve only got one lens into all these different tenants in the system.
Shamla: That’s right. And so, each tenant has decision-making authority over their apartment. They may not have decision making authority over the entire building, but in that apartment, they do have decision-making. Now, what we can not do is hold the apartment owner or the building manager responsible for what that tenant may do or not do inside their apartment.
But if you look at a one-size-fits-all model, that’s exactly what happens today, is that those who offer software as a service, platform as a service, infrastructure as a service, those who lease parts of our domain to others for their use, those who provide services on top of the domain for the consumption of a customer, through a contract that might actually have different terms, those are the distinctions, I think, that these types of services don’t make.
David: So it seems like the opportunity for the services is to mature the way that they look at things or make some distinctions. But in the meantime, as somebody’s going to consume one of those risk scores, you’ve got to understand maybe the limits of what that score can really tell you, and/or dig in and understand, “Where does this meet my understanding of risk with my own audits or my own data?” And it helps you navigate risk rather than perfectly define it.
Shamla: And I think that’s a really good point. Because the goal of these risk reports should be to point you to where you should pay more attention and where you need more validation. So, for example, you could take this risk report and then start to do an internal assessment to validate that the external score is accurate, and there isn’t something here that we may have implemented that would reduce that score significantly, but may not be visible to the public. Because, remember, most of these services are using external public-facing pieces of information.
David: Yeah, it’s like the apartment. You might leave the door unlocked, but then you’ve got a safe inside with your valuables that actually protect it. But you couldn’t assess that when you walked by.
Shamla: Exactly. Exactly. And so, we do need to have that 360 degree review.
David: So let’s go back and talk about the historical piece for assessing risk with a company. Can you talk to me about that for just a moment? Because I’m curious where it was, and how it’s evolved, and where it’s gonna go.
Shamla: You know, historically, we had a list of third parties that we did business with. And we would either do an audit, or send like a real auditor out there to look at their practices, and then provide an audit report. Not that different to what we do for ourselves internally. The second method we used was a checklist method. So we’d send a list of questions and have the third party answer the questions, and someone would look at it, and we’d ensue in a Q&A, and a back and forth on answering the questions with more detail, etc.
But this was self-reporting, and often self reporting can actually miss the real issues and, you know, we could end up having a miscommunication about the intent of the questions or the substance of the response. So, you know…and that method of auditing doesn’t scale.
David: Right. So you can have errors in the data, self-reported data. And particularly, I’ve seen it in the medical field as notoriously errored. And then it’s slow. So how do you get to a point where you have an objective look at a company’s risk or a third party risk?
Shamla: So the idea of objective testing is where you’re testing for outcomes. And I think when you test for outcomes, you’re likely to actually get to where the issues are that you may not welcome or want. So having objective testing actually gets you to the business outcome, and you can determine whether you want that business outcome or you can withstand that business outcome, or do you need to take proactive or aggressive steps to stop that business outcome from occurring?
So I think it’s really important that we understand that just a list of questions back and forth will be notoriously flawed, either because there’s miscommunication, misunderstanding, both in the question or in the answer, and we might miss important business outcomes.
Whereas you send an objective tester, like a penetration tester, to test for outcomes, we’re likely to stumble upon the things that we didn’t even think about in the Q&A.
David: Can you talk about a real example where a penetration test revealed something that the Q&A missed, that maybe a public risk report missed, that was really significant?
Shamla: So let’s just think about this, right? Yesterday, there was a very large report of a data breach at a healthcare organization, where over 11 million patients’ medical information, including Social Security numbers and other important sensitive information, was exposed. Now, you know, I can almost put money on the fact that that organization probably had a number of third party risk assessments.
But if you’re looking for questions and answers, you’re gonna get responses that may not lead you to the fact that these records were available. But if you send a penetration tester to test for outcomes, they may have stumbled upon those records purely by their testing to see what they could access. Because, usually, when you’re answering a question, you don’t know that the data is exposed, you have to test for that in order to validate it.
David: So you started off by saying that you advise a lot of customers, and I’m wondering, what are some of the things that they’re asking for advice on, and some of the processes that they’re implementing after they’ve spoken to you, so that they can get the right mix of data from a risk report, ask the right questions, but know to go further and test? What does that look like?
Shamla: So what’s interesting is, you know, most organizations and most executives know that there are larger, more common data breaches that are occurring within their own companies. And by extension, there are more data breaches occurring in the third party space with their providers, and partners, and vendors. So everyone wants to know, “How do I manage this?” simply because it’s difficult to manage and scale the risk of all of those providers, especially if you treat them all the same way.
Most organizations, you know, need to have a program where they can prioritize the risk and categorize the vendors in terms of what actions to be taken, both from a testing perspective, from an assessment perspective, and from a remediation and action perspective. So all vendors, all third parties, are not created equal. We have to be very clear on which of those connect to our networks, for example, which of those may take data in a portable form and use it to make other kinds of processes work for us.
And then, which providers may represent us, and provide services on our behalf? So each of those models will have a different risk posture. They’ll also require a different set of actions to protect the primary party. So, for example, if we hire a third party to manage our payroll, for example, on behalf of IBM, we want to make sure that that payroll vendor has all the right data to make those transactions for us. But if they’re not connecting to our network, then it really doesn’t matter. What I need to be inspecting is their practices at their company. If they’re connecting to our network, I need to make sure that they’re not bringing a hitchhiker into the network, bringing in other kinds of malware and other uninvited processes into our network.
So there’s a different place where we might prevent those bad outcomes. And, you know, when a third party is representing IBM, we want to make sure that they’re representing IBM in the same way that we would represent ourselves, performing the same steps and best practices that we would if we were out there providing those services.
David: So when you talk about this, I can imagine in that payroll example that they’re using a third party. So how does a company look to the third party risk of their vendor, or maybe it’s the fourth party risk, and assess that?
Shamla: You know, third parties are nowadays just par for the course. And I think that third parties are no longer the single place where risk is introduced into an organization, because we now have these fourth party, fifth party, you know. And the additional parties create more attenuation in terms of how we might touch, and control, and manage those risks.
So what’s really important is for us to have, you know, a known ecosystem of all the parties that go into a workflow to deliver an outcome. So whether it’s we delivering that outcome for ourselves, we hiring a third party to deliver it, or we hiring a third party who might hire fourth and fifth parties, we do have to act with more trust and transparency in the relationships. This is not all about technology. The relationship has to be one that’s trusted, where everyone is known, everyone is accounted for, so that no party is blindsided by the fact that someone had access to both their data or their systems in unknown ways.
So I think it’s the relationship that has to be both strong, and all parties have to be known. And there has to be, you know, some measure of business and professional engagement that tells us how we would treat each other, and how we would treat each other’s data and systems when it’s in our care.
David: So, say, a company is setting out to vet one of their vendors, what are the basics for third party risk management and/or fifth party, sixth party, that type of thing? What are some of the basics there that they need to consider?
Shamla: You know, importantly for us is third parties are so easy to engage these days. So we have to know, who have we engaged with and take an inventory of all of the parties we do business with, understanding the nature of those relationships. What kinds of services are provided? What kinds of access are being granted to the network? What kind of data are being changed hands?
And, really, what is the nature of the service? What does the third party or fourth party commit to doing with the data? How do we know that that’s all they’re gonna do, nothing more, nothing less? So, you know, I think understanding all of that is the foundation for how to make these programs and practices actually work.
Then, the next step is to prioritize the vendors. Because for those of us who have tens of thousands of third parties or providers providing us services every day, we need to make sure that we can actually make this scale. So we want to make sure that we can get to all the vendors in the right way, that’s appropriate for the services that they’re delivering. So categorizing them, prioritizing the risk that they introduce, how that risk may be introduced, and how we might take steps to avoid those risks are really important parts of the program.
David: And so I can imagine, when you have these inter-relationships between companies, data flowing around, responsibilities, workloads spread across multiple companies, different environments, that managing compliance in this environment can be a bit of a challenge. How do you approach compliance, Shamla?
Shamla: I think compliance is an important part of just being clear on what we expect. So if I’m hiring a third party, I have to be really clear on, what are the expectations for that relationship? I have to also reduce those expectations to a list of terms in the contract, so that we’re both agreeing on what’s expected, and there’s transparency in what we’re paying for and what we expect to receive. So we do need to do that. And then the second thing, I think, is validating that those terms are actually being delivered in a consistent way. And having a proactive way to assess whether those terms are being delivered.
Those all have to be built into the program as opposed to… Sometimes what happens, when there’s a failure and it hits the press, is when we start to figure out what steps we want to take to validate the health and safety or the security posture of a third party vendor. We have to do that upfront. We have to be more invested in the planning, and in executing the terms that we will actually implement.
David: Okay. So, in a weird way, an event acts as a catalyst to start what should have been our strategic planning and our process. Not surprising, but we know better, so we can do better. One thing that I wanted to ask you about here is, contrast a small business and a large business, and you think about third party risk, what are the different things that you think about when you’re looking at a business of different scale?
Shamla: So, to me, I think small businesses and large businesses have the same exposure with respect to third parties, and I don’t think the mechanics are any different. The single difference is the scale and the size. Can we get to all of our third parties? Can we implement some third party oversight program? Can we actually get best practices implemented consistently across all those third parties?
That’s the challenge, is the scale and the size. And sometimes, you know, if you haven’t done good risk assessments and you don’t understand the nature of those relationships, it’s easy to plan to go after all third parties. If you’re a large organization and you have many, you run out of steam, and you get tired, and you don’t necessarily have a way to deliver that kind of scale and coverage without a huge investment.
David: So at the small size, you may not have the full team to get after it. At the large size, the relationships disappear before you can even get around to looking into that risk. But having a plan to go forward, no matter your scale, and putting forward a strategy for approaching it before something happens seems like really good basics
One other question. If you look at how credit scoring is set up for consumers, it provides a bit of a parallel for how risk assessments are done from third party risk assessment companies. It’s not perfect. But I would wonder if there is a risk to accepting the score, if somebody can easily manipulate a competitor’s score. Does that make sense?
Shamla: Yes. Yes. I think that’s the risk of these business models that are insulated, where there’s no transparency. We have no idea where these third parties might have acquired their information. We don’t know whether it’s credible. We don’t know whether it’s accurate. And so, I think those who actually use those risk scores need to understand that, that the data may have been sourced from places that either are not accurate or that may actually be questionable. I’ll give you an example. If I’m using decoys to manage my threats in unique ways, that information might become public. It may be there deliberately, but it may not be accurate or correct, and it might be by design. And so, we have to be really careful when we use information that lacks transparency, that is sourced from questionable sources and places. We have to be really, really careful with how we use it, because we may end up making decisions that are more harmful than they are helpful.
David: And in an odd way, we’re looking for objective outcomes, and we think we have a score, it looks like data. But in the end, whether or not the data was accurate, verifiable, and useful, that’s not very transparent. And so, I think as you’ve talked about some of these things, it’s one of the cautions that you may want to put in there of, how much weight do you put on a public score, for this very reason and maybe a few others.
Shamla: And then, you know, the other thing that I would just add to that, in our consideration, is the transparency is important in how the information was sourced, but the flip side is, I’m also not gonna go out there and provide the entire roadmap for IBM’s network, for example, as most companies shouldn’t.
Because, really, we build our networks to have various places that we want to keep secret. And so, creating an open, transparent network map is not one that we’re going to share publicly. So that’s one aspect. And the second is, you know, we, as a company, will not disclose that information, because our customers expect us to keep that information private.
David:Absolutely. Well, Shamla, this has been really a fascinating conversation. And I hope that our listeners have learned a little bit, got a good insight into third party risk and into how IBM operates a little bit, with a very special guest like yourself. Thank you.
Pam: All right. So, David, you were right. I did miss an ice cream analogy in that conversation. But I really loved the use of the apartment analogy. Because when you think about all of the working parts, as it were, that go into an apartment, I mean, that was a really interesting way to think about that holistic approach.
David: Yeah, the apartment analogy, or the multi-tenant idea of SaaS was something that I came across years ago, and I think it’s really helpful when I apply that same sort of thinking, at least in thinking about how security works when you’re working with vendors and different people that are bringing things in and out. And, you know, just to add a little bit of a personification to a topic that can be esoteric, or buried inside of the bits and bytes.
So when you think about all the different things that can pose risk to a business, and you start to look at the apartment and all the people in and out, as Shamla and I discussed, you can quickly see how security, as it might be assessed in one little snapshot or in one view of things, can’t truly be understood until you get that full view, to really understand what’s going on and who controls what in that situation.
Pam: And I think even if you expand that in the context of, oh, gosh, every unit in that building is the same floor plan and template, but I guarantee that no two apartments look the same. And that can be said of IT infrastructure. So you’ve got a retailer and another retailer with the same number of stores, IT infrastructures can be completely different. And then you’re looking at additional risk brought in by that personalization that’s being done even inside the apartment building.
David: Yeah, it’s a perfect way to extend the analogy. And it’s certainly one of the things that, when you start to go one step further of, who might want to cause you harm, you could have a similar floor plan and even some of the similar layout, but then your attack comes from somewhere else.
So somebody’s coming in through the front door, or somebody’s coming in, you know, with a key, because they’re the person that’s gonna come in and change your filters in the apartment. You know, one of them you wouldn’t have thought was the problem. So security’s complex, and it requires smart people, and experts, and a thoughtfulness on how you’re going to lower your overall risk profile, and make sure that you’ve got the right controls and the right thinking in place.
Pam: Perfect. So, David, do you have any good news for us this week?
David: A little bit. I saw something out of Michigan, which is becoming one of those places where I love to look for for good news. You know, I spent a number of years up in Michigan, beautiful place, if you ever get a chance. Particularly appealing as we come into summer here in Texas to head north.
But there’s a cyber security consortium there, and nearly $2.5 million was awarded to the Upper Peninsula Cybersecurity Consortium. And so, it was really inspiring to see that a couple of groups came together to make sure that there’s education and training initiatives going on. It’s part of the State of Michigan’s Marshall Plan for Talent. And I think it’s the type of thing that we’re seeing a lot of leadership out of the state level around cyber security, and training that next generation of talent to become a part of our industry, and solve some of the problems that we face.
Pam: All right. David, that is great news. And that’s it for this episode. Thanks to Shamla Naidoo for joining us as a guest.
David: Listen to this podcast on Apple Podcast, SoundCloud, or wherever you get your podcasts. And for more information on risk management, head over to securityintelligence.com, and check out our recent article, “Third Party Risk Needs New Approaches.” Thanks for listening.