In Chapter 4 we turn our focus to third party risk. You could say that the first half of this decade was the dawn of a new era of third party risk in cybersecurity. Edward Snowden was an independent contractor when he expropriated and disseminated a trove of sensitive information belonging to the National Security Administration in the spring of 2013. In 2014, Dairy Queen and Taco Bell were breached through third-party Point of Sale (POS) systems. And both Target and Home Depot were breached through inadequately secured vendor logins in 2013 and 2014 respectively. It has never been more evident that how you engage with third parties that have access to your network or your data is a critical component of your risk management program. What you will see from all three authors in this chapter are pragmatic recommendations that will help you understand, explain, and better control the third party risks you encounter as the CISO for your organization.
Bill Bonney starts the discussion by pointing out some red flags that managed to go undetected and the resulting regulatory scrutiny third party risk management now enjoys. Bill touches once again on the importance of knowing how and under whose control data flows into and out of your organization. He provides some practical advice for the new CISO for uncovering and quantifying third party exposure and discusses important legal protections you need to have in place, including a “right to audit” clause for critical third parties. Engagement is the key to Bill’s approach, at the individual level for contingent workers and at the center of the relationship for organizations upon which you depend.
Matt Stamper focuses on the vendor management aspect of third parties from a service delivery perspective. He emphasizes how important it is to know the capabilities of the third parties we rely on and helps us use several tools, including the RACI (responsible, accountable, consulted, informed) matrix, third party inventories and assessments, vendor management lifecycle, and independent attestations and audits, to validate the assertions made by prospective vendors. Matt makes it clear that managing vendors is an ongoing activity best approached as a team sport.
Gary Hayslip looks at the five categories of risk, including Financial Risk, Strategic Risk, Operational Risk, Regulatory/Compliance Risk, and Geographic Risk (Ambrose 2014). He reminds us that we can’t contract away our responsibility to manage our own risk. We can outsource activity, but we can’t outsource responsibility. Gary provides an in-depth discussion of how to set up and run a vendor management program (VMP) and helps us understand how each third-party vendor aligns with the organization’s strategic goals. Another key take-away is to be transparent with your vendors about how they are being measured. That helps them stay focused on performance as well.
Some of the questions the authors used to frame their thoughts for this chapter include:
Copyright © 2016 CISO DRG JV – All Rights Reserved.