In Chapter 4 we turn our focus to third-party risk. You could say that the first half of this decade was the dawn of a new era of third-party risk in cybersecurity. Edward Snowden was an independent contractor when he expropriated and disseminated a trove of sensitive information belonging to the National Security Administration in the spring of 2013. In 2014, breaches of third-party Point of Sale (POS) systems victimized both Dairy Queen and Taco Bell. And both Target and Home Depot were breached through inadequately secured vendor logins in 2013 and 2014, respectively. Granted not a breach, but the case of Cambridge Analytica and Facebook (which began circa 2015 and came to light in March of 2018) highlights how third-party access to data can have consequences beyond the initial business proposition.
It has never been more evident that how you engage with third parties that have access to your network or your data is a critical component of your risk management program. What you will see from all three authors in this chapter are practical recommendations that will help you understand, explain, and better control the third-party risks you encounter as the CISO for your organization.
Bill starts the discussion by pointing out some red flags that managed to go undetected and the resulting regulatory scrutiny that third-party risk management now enjoys. Bill touches once again on the importance of knowing how and under whose control data flows into and out of your organization. He provides some practical advice for the new CISO for uncovering and quantifying third-party exposure and discusses essential legal protections that you need to have in place, including a “right to audit” clause for critical third parties. Engagement is the key to Bill’s approach, at the individual level for contingent workers and at the center of the relationship for organizations upon which you depend.
Matt focuses on the vendor management aspect of third parties from a service delivery perspective. He emphasizes how important it is to know the capabilities of the third parties we rely on and helps us use several tools, including the RACI (responsible, accountable, consulted, informed) matrix, third-party inventories and assessments, vendor management lifecycle, and independent attestations and audits, to validate the assertions made by prospective vendors. Matt makes it clear that vendor management is an ongoing activity best approached as a team sport.
Gary looks at the five categories of risk, including Financial Risk, Strategic Risk, Operational Risk, Regulatory/Compliance Risk, and Geographic Risk (Ambrose 2014). He reminds us that we can’t contract away our responsibility to manage our own risk. We can outsource activity, but we can’t outsource responsibility. Gary provides an in-depth discussion of how to set up and run a vendor management program (VMP) and helps us understand how each third-party vendor aligns with the organization’s strategic goals. Another key takeaway is to be transparent with your vendors about how you measure them. That helps them stay focused on performance as well.
Some of the questions the authors used to frame their thoughts for this chapter include:
♦ How do vendors and other third parties impact our cybersecurity program?
♦ How do I know if my vendors are secure?
♦ What should I do to protect my organization when using third parties? What controls or processes should I have in place?
Vendor Management Program – Hayslip
In your role as CISO, you will deal with many third-party vendors who provide services for your security program and your business. However, be advised that each one of these vendors can bring unique issues and open doors to unknown risks. As CISO, some questions you should ask yourself are: “What do I know about my new vendor? They provide a service or an application I require, but are they a good partner for my company? In the long run, do I see them as being financially viable and able to deliver services as promised?” These are just a few of the questions that you will have to vet as a CISO. Luckily, there are risk-management frameworks and vendor management programs that can be implemented to assist companies in understanding the risks of their third-party vendors.
How Much Risk Do My Third Parties Have?
Today we are witnessing an increasing number of data breaches in both government and private industry. The immense volume of data stolen and the risks these security threats impose on organizations is impacting their ability to operate as effective business entities. This combination of threats and risks is also increasing the pressure on corporate information technology departments, cybersecurity programs, executive committees, and boards of directors to devise and implement a plan to manage these issues and protect corporate “data.” It’s this visibility into the executive board’s interest in risk that I want you to think about as we proceed to discuss our first question, “As the CISO, what are the risks to my organization from our third-party vendors and why is it important that I understand their impact?”
Organizations will typically put controls in place to secure their business assets. The level of these controls will be based on several factors such as:
♦ The likelihood of an attack on those assets
♦ The impact to the business if the assets were lost or damaged
♦ The sensitivity of the data these assets use, process, or store
One tool to help measure the maturity of these controls will usually be some compliance regime. However, employing these controls still leaves the organization open to an enormous amount of risk involving third-party vendors, contractors, and partners. This risk is due in part to the fact that we lack visibility into the third party’s enterprise networks, business operations, workflows, and financial processes. Remember, your board of directors and senior management are ultimately responsible for managing activities conducted through third parties. Part of management’s due diligence is to identify and control risk. It’s imperative that all parties remember that no matter what services are contracted out, “all responsibility and accountability still rest with the organization.” We can’t contract away our responsibility to manage our own risk.
As a CISO, you may wonder “why do I want to use third-party vendors, who needs that headache?” Well, that is a good question, and it deserves the context of your company’s strategic business plan. I’ll bet that if you review this plan and its goals, you will find that your organization is using third-party contractors to attain one or more some strategic objectives. They may have a wish to use third-party contractors to quickly increase resources to resolve an issue and ultimately increase revenue. Perhaps they aim to use third-party contractors to reduce costs or to gain access to specific expertise, such as software development, that the company currently lacks. As a CISO, I have employed contractors over the years as staff augmentation for my teams or because we lacked critical skillsets for upcoming organizational projects. What’s important to remember here is that there are business reasons why your organization requires the services of third-party vendors. However, as security professionals, we must thoroughly understand the risks associated with using third-party organizations.
To start this process of understanding third-party risk, you will need to know what types of risk categories apply to your company. To assist you in understanding these risks, I would first suggest that your organization conduct a risk assessment. This risk assessment will enable you to better understand the different types of third-party vendor risk exposures, whether or not these risks apply to your organization, and their impact on your company’s strategic operations. The first phase of conducting this risk assessment is about establishing a risk framework, a lens through which the organization can proceed to identify risk, understand risk, and mitigate risk. To focus your lens, you need to ask the following questions:
♦ Are activities within the organization regulated?
♦ Do you know how much data is used by these activities?
♦ Do you know the data types and data classifications used by these activities?
♦ Do you know what vendors have access to these data types and data classifications?
♦ Do you understand each vendor’s responsibility concerning the organization’s sensitive data?
♦ How does each vendor fit into the organization’s overall strategic plan?
♦ If this data is breached, manipulated, or lost, what is the potential impact to the organization?
These questions begin to create a picture of how third-party vendors become intertwined in business operations. Once you embark on this assessment, what I expect you will discover is that there are many vendor relationships deemed not only critical to the organization but vital to its strategic plan. Therefore, the organization views these vendors as strategic partners and their operations and strategic viewpoints are considered to be consistent with its own. However, keep in mind that this doesn’t make them less risky. In fact, in my mind, they often bring greater risk exposure to the business because they are deemed critical to the organization’s strategic plans and would have a significant impact on those plans if not available.
Management analyzes the benefits, costs, legal aspects, and potential risks of these strategic partnerships. They also conduct risk and reward analyses on relationships deemed to be operationally vital. However, they can make mistakes if they base their analysis on data that is false, manipulated, incomplete, or out of date. So now you understand some of the concerns and questions that you will need to investigate in conducting a proper risk assessment. Next, we will cover the categories of third-party vendor risk and how they impact the organization.