Groundhog Day: Third-party cyber risk edition
Over the past four years, I’ve had countless conversations with hundreds of companies around third-party cyber risk issues. It’s been my personal Groundhog Day, so to speak.
Regardless of sector or size of company, the conversations are almost identical as most everyone faces a similar challenge:
“How can I truly manage risk from third parties where I have little or no control over their information security practices?”
“I know I have massive risk from third parties exposing my data, but how can I cost effectively gain visibility and lower my overall risk?”
“How do I know if a third party experiences a state change? And how can I mitigate risk from a third party that has access to my network or enters my facilities?
I love the movie Groundhog Day. And on this Groundhog Day, I thought the personal trials that Bill Murray’s character Phil Connors went through were something we could all relate to as new documented instances of breaches involving a third-party pop up every week.
I’ve yet to have a discussion with a risk professional who felt comfortable with the growing information security concern caused by their evolving population of cloud providers, subsidiaries, vendors, joint marketing partnerships and service providers. To compound the problem, most of the conversations include risk management executives sharing their own Ned Ryerson moment where they continually struggle to remain compliant and manage risk from this increasing threat vector.
Based on all of those conversations, I thought I’d outline those familiar refrains I’ve heard – and offer some prescriptive advice for risk management pros to help them get out of their own personal Groundhog Day.
Here are the five consistent Groundhog Day things I hear in most every conversation I have around third-party risk management:
1. How do I identify third party security gaps that could impact me?
According to a recent Deloitte survey, over 50 percent of respondents reported “some” or a “significant” increase in their level of dependence on third parties in the previous year. And in a recent Bomgar study, an average of 181 vendors are granted access to a company’s network in a given week. I’m always shocked when I ask a risk professional how many third parties have access to their network, their data or their facilities and am met with the answer, “I’m not completely sure?” – it happens far more often than you’d think.
It’s easy to see how this lack of insight makes it difficult to gain visibility into a growing list of security gaps from third parties. Manual processes at the data gathering stage tax the security team’s bandwidth and bogs them down as they reconcile assessment formats – taking away the best use of their time: managing risk.
My response: “You must first understand the risk you incur based on your relationship with the third party. A repeatable and accurate risk ranking process is the foundation of successful programs. Next, you need a modern and up-to-date assessment 2.0 to inform better decisions. Traditional static third-party assessments will never scale to address your growing third-party population. If your third party is a law firm, you should be more concerned about their DLP program than their website DDoS protection.”
2. How do I prioritize the gaps that, if exploited, would impact me the most?
In another Groundhog Day moment, I frequently hear risk professionals tell me how resource-challenged they are. They simply don’t have the resources to address the growing third-party challenges. This causes quite a dilemma in that the more problems they find with third parties, the more work is generated. Top tier risk professionals have a repeatable method to identify and address only the third-party security gaps that have the potential to impact their firm most.
My response: “You must first know which gaps could have real and meaningful impact to your firm….and then focus on the highest priority items. This requires you to compare gaps across your portfolio of third parties. Security postures are dynamic and it’s important that you have insight into these changes. Without a continuous stream of accurate data, you’re always looking at outdated information.”
3. How do I work with my third parties to ensure they are addressing these gaps?
According to Deloitte’s extended enterprise risk management (EERM) global survey report in 2017, 74 percent of survey respondents have faced at least one third-party related incident in the last three years. I consistently hear risk professionals struggle with developing and implementing a repeatable and closed looped process for ensuring third parties are remediating these gaps.
My response: “This seems daunting, but it’s not. The key is knowing the gaps that could impact you most and communicating that to your third party. The other key is ensuring you have a closed looped process to understand their timeline for remediation and to document when the item has been resolved. You also need visibility into their remediation efforts and the status of their projects.”
4. How do I continuously monitor my third-party ecosystem for changes in their security posture?
While I seldom speak with a risk professional who feels confident in their ability to identify, prioritize and remediate gaps in their third-party ecosystem, it’s rare to have a discussion around properly monitoring changes in business and cyber posture. Only the most sophisticated programs – ADP, Blackstone and Aetna come to mind – have adequate alerting for M&A and cyber threat activity in their partner network. In addition to utilizing outside-in scanning tools like BitSight, these organizations should also ingest other data sources to provide alerts if additional due diligence should be performed given the changes.
My response: “You need visibility into a dynamic stream of data contributed by your assessment partner, your third party, relevant data sources and other technology vendors like who contribute to your understanding of changes in risk that require your attention.”
5. How do I know which third parties pose the most risk to me, so I can focus my efforts?
My #1 Groundhog Day moment revolves around discussions where organizations struggle to truly manage risk from their extended enterprise. The goal is to convert their third-party team from spending too much time collecting data and managing spreadsheets to real risk managers who focus their energy on discovering third party cybersecurity threats that could compromise their data, facilities or employees.
It’s not uncommon for companies to have 4,000+ third parties and most struggle to know which third-party – or group of third parties – poses the most risk to their organization at any moment. This is difficult problem to solve and requires access to structured and up-to-date risk intelligence data, advanced analytics and the ability to scale a program well beyond the top 10% of vendors. Most companies don’t have the resources necessary to properly manage risk from their third-party ecosystem. And for the ones they are assessing, they don’t have the bandwidth or tools to take action on the assessment responses. While many organizations are assessing some of their vendors, most struggle to gain comprehensive visibility into their entire portfolio to the level that they can quantitatively demonstrate risk reduction.
While we may have a little fun relating the issues of third-party risk management to a cult-classic movie like Groundhog Day, for those dealing with these issues on a daily basis it simply isn’t funny. However, in 2018, it’s time to wake up to a new day, and together, we can leave our third-party risk Punxsutawney once and for all.