CISOs: Make 2020 the year you focus on third-party cyber risk
While cybersecurity professionals are certainly aware of the growing threat posed by sharing data with third parties, many seem to lack the urgency required to address this challenge.
If there is one work-related New Year’s resolution I’d like CISOs to make as we enter 2020, it’s to give the challenge of third-party cyber risk the attention it needs. In fact, I no longer see this as optional or as an extension of an enterprise risk and cybersecurity strategy, because third-party data breaches will dominate the threat landscape in 2020.
Data breaches and third-party cyber risk
This is not a new challenge. Headlines over the last few years are filled with major breaches caused by hackers accessing companies’ data through their third-party vendors.
Six years ago, attackers breached Target using network login credentials stolen from the contractor that provided HVAC services to the retailer. That breach should have been a wake-up call for enterprises and cybersecurity vendors to address third-party cyber risk, yet years later these incidents are becoming more frequent, not less.
In the last year, for example, an unauthorized user gained access to data on roughly 11.9 million Quest Diagnostics patients through a breach at the company's billing-collections vendor, the American Medical Collection Agency. Another attacker accessed data on roughly 100 million Capital One credit card applicants by exploiting a misconfigured web application firewall on Capital One's own Amazon Web Services infrastructure, obtaining credentials that gave access to the cloud storage holding the data.
Survey estimates put the share of organizations that have experienced a data breach caused by a third party at roughly 60 percent (Ponemon Institute's 2018 third-party risk study reported 59 percent), and we can expect that figure to rise as more companies embrace digital platforms and operating models that require sharing data with partners and service providers.
Enterprise boundaries will continue to blur in 2020 as more organizations invest in cloud computing, use file-sharing platforms such as Dropbox, Google Drive or OneDrive, and connect more devices at the edge of their networks.
If CISOs continue to focus cybersecurity tools and resources within the company perimeter, they are fighting the wrong battle in an increasingly multi-front cybersecurity war.
Elevating third-party cyber risk to a C-suite and board imperative
One of the most important things CISOs can do to put the appropriate focus on third-party cyber risk is to make it a corporate reputation issue requiring support and oversight from C-suite and board executives.
Along with the opportunities for greater innovation, productivity, operational efficiency and customer engagement, digital transformation has created new vulnerabilities across the enterprise – and beyond its borders – that could impact corporate reputation if exploited.
With the average enterprise engaging with several hundred partners and other third parties, it’s not a question of “if” the data will be exposed, but of “when” and how much corporate reputation will suffer as a result of loss of trust.
CISOs must get better at educating business leaders about these unintended consequences of digital transformation. The reality, however, is that 63 percent of CISOs don’t regularly report to their boards, according to a recent Ponemon Institute study. Worse, a stunning 40 percent of CISOs said they never report to their boards at all. This lack of connection and accountability at the C-suite and board level is a major problem.
What CISOs should do
CISOs in 2020 must become stronger advocates for shifting from reactive to proactive cybersecurity postures. They must advocate for creating more resilient and cyber-aware cultures where cybersecurity is seen as everyone’s responsibility.
CISOs should also start to align their investments in cybersecurity with the new reality that threats are more likely to materialize through third parties.
That means not only assessing third parties for potential vulnerabilities before and during the engagement, but also adopting the new approaches and tools coming to market that can identify actual data a third party has inadvertently exposed, and that enable immediate remediation once it is found.
Are you optimistic?
I am optimistic about the cybersecurity industry’s ability to rise to this challenge, provide those tools and help CISOs shift and elevate their organization’s cyber posture when it comes to third-party and other emerging risks. It’s why I left the FBI to join the industry after 20 years working in the bureau’s cyber, counterintelligence and counterterrorism branches.
I’ve seen firsthand how damaging third-party data leaks can be for businesses and other institutions, and I’ve seen the struggles CISOs undertake to just keep up.
With the right resolve and the right support from the cybersecurity industry, CISOs can take charge of this challenge in 2020, commit to shifting their focus toward third-party cyber risk, and engage C-suite and board executives about the strategic importance of doing so.