Recent events such as the JP Morgan fake-customers scandal and the Nissan North America data breach were both caused by a third party. Such events re-emphasize the importance of managing third-party risk efficiently and effectively. In an increasingly interconnected world, companies rely more and more on third parties for services and products, and this creates a range of risks that must be managed. In this blog post, we propose a new approach to make the third-party risk management function better.
A common method is to use a standard questionnaire available in the market, such as the SIG Questionnaire, or to develop a customized questionnaire based on security frameworks such as ISO/IEC 27001, NIST CSF or PCI DSS. All of this requires a lot of effort. For third parties that are already established, a security assessment may incur additional expenses, as they need to allocate time and resources to respond to questionnaires and provide supporting evidence. On the other hand, conducting due diligence on the risk posture of a new or potential third party before establishing a business relationship is necessary.
Even with all this effort, there may be gaps in the third party’s business operations that cannot be remedied because of the inherent nature of those operations or the high cost involved. It is crucial that the client organization takes inventory of these gaps, monitors them continuously, and then decides either to accept the associated risk or to implement measures to mitigate it.
For example, the SIG questionnaire has approximately 850 questions, which can amount to significant manpower and time to answer, especially if the organization has hundreds of vendors. Then there are OSINT-based scorecard services that use proprietary scoring methodologies. Lastly, compliance reports such as SOC 2, PCI DSS and others require dedicated teams, are produced in a siloed manner, and are point-in-time snapshots.
Third Party Risk Management Best Practices
The top three best practices are – prioritize your vendor inventory, leverage automation where possible, and think beyond cybersecurity risks.
Prioritize Your Vendor Inventory
When it comes to Third Party Risk Management, it is important to prioritize your vendor inventory. You should know which vendors are the most essential to your operation and which pose the greatest risk. By understanding the risk associated with each vendor, you can make informed decisions about which ones to monitor more closely and which ones need their contractual agreements reviewed more regularly.
Establishing risk thresholds is vital, as it ensures that all vendors meet a minimum level of security and that any new vendors coming into the fold meet the same standards. This reduces the risk that a malicious or negligent third party causes damage to your operations.
Once you have identified and tiered your vendors, monitor them consistently. This includes conducting regular risk assessments and due diligence reviews, as well as tracking any changes they make to their contract terms or services. Keeping an eye on your vendors helps ensure that they continue to meet your security requirements and are not introducing new risks.
Leverage Automation Wherever Possible
To ensure robust risk management, organizations should leverage automation wherever possible to streamline the process. Automating data collection, tracking and monitoring reduces manual effort, speeds up the process, and lowers the chance of errors or delays. It also reduces the cost of manual processes and gives a better overall view of the organization’s risk profile. With the right automation, organizations can manage their third-party risks efficiently and cost-effectively.
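As an added illustration (not code from the original post or from Cyrvana), the following Python script shows one way to automate the inventory, threshold and monitoring steps described in the previous sections: each vendor is tiered by what it touches, a minimum external score and a re-assessment cadence are attached to each tier, and the script flags vendors that fall below threshold or are overdue for review, ordered by tier so the highest-risk vendors are at the top of the queue. The tier rules, score thresholds, review periods, the 0-100 score scale and the sample inventory are all assumed values for illustration, not figures from the page or from any framework.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed values for illustration only: how often each tier must be
# re-assessed and the minimum acceptable external (OSINT) score per tier.
TIER_REVIEW_DAYS = {"critical": 90, "high": 180, "medium": 365, "low": 730}
MIN_SCORE = {"critical": 85, "high": 75, "medium": 65, "low": 50}
TIER_ORDER = ["critical", "high", "medium", "low"]


@dataclass
class Vendor:
    name: str
    business_critical: bool   # an outage would stop a core business process
    data_classification: str  # "public", "internal", "confidential" or "regulated"
    network_access: bool      # has VPN, API or other access into your environment
    external_score: int       # 0-100 rating from an external scan (assumed scale)
    last_assessed: date       # date of the last completed assessment


def tier(v: Vendor) -> str:
    """Assign an inherent-risk tier from what the vendor touches.

    The tier drives assessment depth and cadence; it deliberately ignores
    questionnaire answers so that a vendor cannot talk itself into a lower tier.
    """
    if v.data_classification == "regulated" or (v.business_critical and v.network_access):
        return "critical"
    if v.business_critical or v.network_access or v.data_classification == "confidential":
        return "high"
    if v.data_classification == "internal":
        return "medium"
    return "low"


def review(vendors, today):
    """Return (name, tier, findings) for every vendor that needs attention.

    A vendor is flagged when its external score is below the tier threshold
    or when its last assessment is older than the tier's review period.
    """
    flagged = []
    for v in vendors:
        t = tier(v)
        findings = []
        if v.external_score < MIN_SCORE[t]:
            findings.append(f"score {v.external_score} below threshold {MIN_SCORE[t]}")
        due = v.last_assessed + timedelta(days=TIER_REVIEW_DAYS[t])
        if today > due:
            findings.append(f"assessment overdue since {due.isoformat()}")
        if findings:
            flagged.append((v.name, t, findings))
    # Highest-risk tiers first; sort is stable so inventory order is kept within a tier
    flagged.sort(key=lambda item: TIER_ORDER.index(item[1]))
    return flagged


# Constructed sample inventory and review date (not real vendors or data)
SAMPLE = [
    Vendor("PayrollCo", True, "regulated", True, 78, date(2023, 10, 1)),
    Vendor("SwagPrinter", False, "public", False, 40, date(2021, 1, 15)),
    Vendor("AnalyticsSaaS", False, "confidential", False, 80, date(2023, 12, 1)),
    Vendor("HVACRemote", False, "internal", True, 70, date(2023, 11, 20)),
]
TODAY = date(2024, 2, 1)


def sample_review():
    """Run the review over the constructed inventory."""
    return review(SAMPLE, TODAY)


if __name__ == "__main__":
    for name, t, findings in sample_review():
        print(f"{name} [{t}]: " + "; ".join(findings))
```

In practice the inventory would be pulled from the procurement or contract system and the external score from the scanning service, and the script would run on a schedule so that a score drop or a missed review surfaces without anyone re-reading a questionnaire.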
Think Beyond Cybersecurity Risks
It is important to think beyond cybersecurity risks and consider other potential risks, such as financial, reputational, and legal risks. For example, organizations should consider the potential impact of a vendor’s activities on their brand, as well as any legal implications that could arise from the relationship. Third-party risk management also requires organizations to monitor their vendors on an ongoing basis and generate reports to ensure that any changes in the external environment or vendor operations are addressed in a timely manner.
How Can This Be Altered?
It is time to evolve our mindset from a compliance-driven to a threat-driven approach to tackle this problem. Here are three ways to potentially solve this –
- Rapid, actionable and reliable assessment of a vendor’s risk for customers looking for a new business partner or evaluating existing partners
- Focus on a small set of questions that actually contribute to quickly evaluating the vendor’s risk posture
- Collaborate and partner with your vendors and suppliers to help them level up their cybersecurity program
Putting it all together, the graphic below depicts five steps that are essential to modernizing your third-party risk management.
Call To Action
Now let’s revisit the solutions recommended above.
To achieve #1, an OSINT scan can be leveraged to evaluate a security rating. As noted above, an OSINT scan that ties its findings to MITRE’s frameworks rather than to a proprietary rating is more reliable. To address this, Cyrvana has partnered with BlackKite. BlackKite uses standard scoring models: MITRE’s Cyber Threat Susceptibility Assessment (CTSA), Common Weakness Risk Analysis Framework (CWRAF) and Common Weakness Scoring System (CWSS), and the Common Vulnerability Scoring System (CVSS) maintained by FIRST. If vendors have a variety of questionnaires and internal policies, these can be uploaded and parsed automatically to provide an updated score. These tools will not solve all your problems, but they can validate organizations quickly and provide a comprehensive list of actionable recommendations with guidance on how to fix them.
For potential vendors, Cyrvana tackles the problem by helping customers focus on a short list of relevant questions to evaluate the vendor’s risk posture. These questions are a subset derived from common frameworks, limited to those that actually help assess a third party’s posture quickly. There can always be a follow-up if necessary.
Once the evaluation is completed, a comprehensive report is generated. Our team provides the insight and guidance you need to help your third parties address their major gaps. The goal is to bring the third party’s score to an acceptable level, with the mutual benefit of improving its posture and enabling the customer to embark on the business relationship. This exercise does not stop here; it is a continuous process.
Take the first step to build or mature your vendor assessment program by submitting a free vendor assessment and get full visibility into the current cyber posture of up to five of your vendors. Or take our FREE eight-question survey to quickly evaluate the maturity of your third-party risk management program.