Third-party risk management and compliance have traditionally gone hand-in-hand. One is a business requirement, the other a business necessity. So, which comes first? Or rather, which should come first?
Third-party identity risk management
Before diving into this question further, it’s worth noting that 51% of organizations surveyed by SecureLink and the Ponemon Institute have experienced a data breach caused, either directly or indirectly, by a third party.
In the age of digital transformation, organizations are increasingly relying upon the use of third-party workers, including contractors, vendors, affiliate workers, and even “things” such as IoT devices and bots to drive greater innovation and customer value. The evolution of how people work has also changed, accelerated in large part by COVID-19, resulting in expanded cloud infrastructure networks for many organizations.
Additionally, the pandemic has shattered the historical perimeter with both employees and scores of third-party users (non-employees) requiring remote access. Unfortunately, while remote access levels for third-party workers have sky-rocketed, identity and access management systems struggled to keep pace.
As the number of third-party identities within organizations continues to grow, so does the level of risk an organization faces as a result of an expanded attack surface as well as unauthorized and unmanaged access given to these third parties.
The same study by SecureLink and the Ponemon Institute found that more than half of respondents (51%) believe their organizations are granting access to sensitive and confidential information without properly assessing the security and privacy practices of their third-party connections, or “identities”. Despite the 49% of organizations in the report who said they are completing an initial risk assessment before granting access to third parties, these assessments are typically focused on the security controls the organization has in place or the organizational risk score. This, however, does not account for the risk of the individuals themselves who are granted the access.
Given the large and increasing numbers of third-party users, organizations looking for more comprehensive security amidst growing cloud adoption and remote work environments must adopt security measures around third-party identity that are more granular and more actionable.
More than a checklist
Compliance-driven organizations may feel that completing annual or regular audits will provide adequate protection against looming cyber threats related to third parties. But compliance isn’t security. Compliance-related exercises are just one pillar of a comprehensive, well-thought out and executed security program.
Many organizations analyze vendor, partner, and contractor risk at the corporate level through third-party risk evaluations known as Standardized Information Gathering (SIG) assessments. One of the challenges with SIG assessments is that organizations are left to trust that the person (or people) who completed the questionnaire did so accurately regardless of intent.
Another challenge with SIG assessments lies in the rigidity of their risk measurement value. Because these evaluations are often completed on an annual schedule, they don’t represent a current or real time view of a vendor or partner’s risk. A third-party organization may pass a risk assessment and be in compliance one day, but an unexpected threat to business operations may push it out of compliance the next.
As further proof, the SecureLink and Ponemon study found that more than half of organizations are not actively monitoring third parties with access to confidential or sensitive information on an ongoing basis. This is why it’s critical to have an actionable identity risk management program that can evolve with the changing dynamics of an organization’s day-to-day business operations.
Additionally, annual risk assessments of the vendor as a whole fail to provide a granular understanding of the individual identity risks an organization faces due to the characteristics, roles, and access of each individual user.
Create an authoritative source
To address the rapidly changing requirements for individual identities throughout their lifecycle, organizations need to look towards a real-time authoritative source of data. Because third-party users may have multiple relationships with the organization and less linear reporting structures than their employee counterparts, an effective authoritative source of information must allow for collaborative information gathering. Other key capabilities to look for include automation for onboarding, audits, offboarding as well as risk assessments for individual users.
An authoritative source for third-party user identities not only helps improve risk mitigation but also increases overall operational efficiency and accuracy in provisioning and deprovisioning access. Unfortunately, most organizations have not adopted this modern approach and 54% of respondents in the previously mentioned study say their organizations do not have a comprehensive inventory of all third parties with access to their network.
A key tenet of identity risk management is knowing the 6 Ws:
- Who is this third party?
- Who are the external delegates and internal sponsors for the third party?
- What kind of work is he/she/it doing for the company?
- Why does he/she/it need access?
- When does he/she/it need access (and for how long)?
- Where is he or she located?
An authoritative source of identity can help organizations easily answer these questions and manage the associated data and access needs.
A centralized source of information creates greater visibility into the dynamic relationships organizations have with each third-party identity involved in their businesses. This visibility allows organizations to make well-informed, risk-based decisions about provisioning, verifying, and deprovisioning access. By securing third parties at an identity level and limiting the level of access granted, risk of access breaches can be mitigated.
Adopt a security mindset
Organizations who rely on an authoritative source of data for identity lifecycle management and therefore, adopt a holistic security mindset, are in a far better position to manage third-party identity and access risk. This comprehensive approach takes the compliance-first mentality out of the equation, and, in turn, provides better protection from third-party access-related breaches.
As digital transformations advance, third-party identity risk management strategies must evolve. Organizations must take a granular and actionable approach to risk, recognizing the most effective approach is one that focuses on improving operational efficiency through increased visibility into third-party relationships, ongoing risk monitoring and assessments, and proper identity lifecycle management. However, this cannot be achieved without adopting a strong security mindset.
There is no question that compliance is still a key tenet of an effective risk management program — but it’s not the chicken, or the egg, or whichever comes first. Organizations that take a holistic approach to risk management supported by a purpose-built, scalable, and automated solution will find that they are no longer just checking a compliance box, but enabling a more consistent and agile risk management program to protect themselves from cyber risk.