Contextualizing supply chain risks in a SaaS environment
In the wake of the SolarWinds and Kaseya attacks, third-party cybersecurity risks remain top of mind for security leaders. Nonetheless, CISOs continue to experience significant friction with third-party risk management (TPRM). According to the latest CISO Circuit by YL Ventures, 70% of the surveyed leaders do not believe that TPRM solutions have meaningfully helped them avoid risk. Much of their doubt is rooted in their concerns over lacking context in current TPRM processes. This is significant for a solution utilized by 83% of respondents.
In the meantime, supply chains have only grown in popularity as attack vectors for bad actors. Compliance and board-level pressures around third parties are rapidly mounting, further stoking the flame under CISOs already struggling with the process. In the race to address growing supply-chain risk concerns, it is worth investigating how we can optimize existing practices to better manage the potential risk to enterprise networks. The CISO Circuit reveals two critical blind spots that keep us from actualizing the true potential of TPRM: how we interact with third parties and how they interact with each other in our own environments.
Third-party SaaS vendors have permeated every facet of our workflows and enmeshed itself across enterprise environments. Already increasing at astonishing speed before the pandemic, this takeover dramatically accelerated as digital transformation became a top priority. The adoption of SaaS applications and the race to optimize their utilization has led organizations to create more integrations between these applications to enable data flow and automated workflows.
Visually, we can imagine information passing through an interconnected web of SaaS solutions continuously pinging one another for access and data. These communications lie at the heart of our newly uber-streamlined workflows and accelerated productivity. They are also inherently risky gateways into our environments since they increase dependency on and interconnectivity with third-party vendors.
Accounting for dynamism
Lacking meaningful context, TPRM solutions are limited by critical blind spots that mute CISOs’ confidence in their actual risk-mitigation. Where today’s third-party integrations are continuous, widespread and ever-evolving, current TPRM solutions tend to offer point-in-time assessments of the security posture of vendors, rather than assessing actual integrations with third parties and vendor-customer relationships.
The increased independence of individual users and citizen developers often results in changes in SaaS usage and business processes. In turn, these developments have changed enterprise relationships with third-party vendors in manners that are not sufficiently addressed by current TPRM practice.
Other best-practices, such as zero trust and proper data access protection, face limitations because of these blind spots as well. They are impossible to implement without accounting for larger contexts and the often dynamic nature of third-party relationships and information. Even one misattribution can undermine zero trust, leading to over privileged third-party access or to dormant vendors with unnecessary access.
Finally, many enterprises suffer from “set-and-forget” third-party integrations that can either evade or bloat the supply-chain risk management process. The aforementioned approaches do not help security leaders detect them. This could mean that an entire network of third parties is working with and exchanging enterprise data without adequate supervision and governance.
Unlocking TPRM potential
According to the YL Ventures report, CISOs are often more motivated by compliance than real security strategy when employing TPRM solutions.
It is possible to improve supply chain security and generate better third-party security best practices. However, solutions must demonstrate a better appreciation for actual implementation of third-party vendors and how that impacts the communication of our digital assets. Correspondingly, we must have a better understanding of integrations across every—or at least multiple—points of their lifetimes, to implement proper zero trust.
As we grow more dependent on third-party SaaS applications, it is time to extend third-party vendor risk assessments from their security controls to how we use and interact with the third-party itself. This does not negate the current utility of TPRM solutions; they are still among the most comprehensive approaches available to managing supply chain security. Nonetheless, without change, the persistence of these limitations all but guarantee that our supply chain protection remains incomplete. To this end, acknowledging that it is ongoing and in need of more continuous attention is an important start. Extending the scope of third-party security risk factoring can, in turn, feedback into a more effective TPRM process.
The more engaged we become in seeing, tracking and governing third-party integrations into enterprise networks, the more data we can offer to the risk scoring process. Though it may verge on the idealistic, this would likely improve the accuracy of TPRM results and consequential CISO confidence in TPRM reliability.