In your role as CISO, you will deal with many third-party vendors who provide services for your security program and your business. However, be advised that each one of these vendors can bring unique issues and open doors to unknown risks. As CISO, some questions you should ask yourself are: What do I know about my new vendor? They provide a service or an application I require, but are they a good partner for my company? In the long run, do I see them as being financially viable and able to deliver services as promised? These are just a few of the questions that you will have to vet as a CISO. Luckily, there are risk-management frameworks and vendor-management programs that can be implemented to assist companies in understanding the risks of their third-party vendors. This leads us to the two questions we will discuss in this chapter, the answers to which explain why the CISO must understand third-party risk and assist in reducing his/her organization’s exposure to it.
How Much Risk Do My Third Parties Have?
Today we are witnessing an increasing number of data breaches in both government and private industry.
The immense volume of data being stolen and the risks these security threats impose on organizations is impacting their ability to operate as effective business entities. This combination of threats and risks is also increasing the pressure on corporate information technology departments, cyber-security programs, executive committees, and boards of directors to devise and implement a plan to manage these issues and protect corporate “data.” It’s this visibility into the executive board’s interest in risk that I want you to think about as we proceed to discuss our first question, “As the CISO, what are the risks to my organization from our third-party vendors and why is it important that I understand their impact?”
Organizations will typically put controls in place to secure their business assets. The level of these controls will be based on several factors such as:
- The likelihood of an attack on that asset
- The impact to the business if the assets were lost or damaged
- The sensitivity of the data these assets use, process or store
One tool to help measure the maturity of these controls will usually be some type of compliance regime. However, employing these controls still leaves the organization open to an enormous amount of risk–risk that involves third-party vendors, contractors, and partners. This risk is due in part to the fact that we lack visibility into the third party’s enterprise networks, business operations, workflows, and financial processes. Remember, your directors and senior management are ultimately responsible for managing activities conducted through third parties. Part of management’s due diligence is to identify and control risk. It’s imperative that all parties remember that no matter what services have been contracted, “all responsibility and accountability still rests with the organization.” We can’t contract away our responsibility to manage our own risk.
So as a CISO, you may wonder “why do I want to use third-party vendors, who needs that headache?” Well, that is a good question and it is best viewed in the context of your company’s strategic business plan. I’ll bet that if you review this plan and its goals, you will find your organization is using third-party contractors to attain some type of strategic objective. They may have an objective to use third-party contractors to quickly increase resources to resolve an issue and ultimately increase revenue. Perhaps they have an objective to use third-party contractors to reduce costs or to gain access to a specific expertise, such as software development, that the company currently lacks. As a CISO, I have employed contractors over the years as staff augmentation for my teams or because we lacked critical skillsets for upcoming organizational projects. What’s important to remember here is that there are business reasons why your organization requires the services of third party vendors. However, as security professionals we must thoroughly understand the risks associated with using third-party organizations.
To start this process of understanding third party risk, you will need to know what types of risk “categories” apply to your company. To assist you in understanding these risks, I would first suggest that your organization conduct a risk assessment. This risk assessment will enable you as CISO to better understand the different types of third-party vendor risk exposures, whether or not these risks apply to your organization, and their impact on your company’s strategic operations. The first phase of conducting this risk assessment is about establishing a risk framework, a lens through which the organization can proceed to identify risk, understand risk, and mitigate risk. To focus your lens, you need to ask the following questions:
These questions begin to create a picture of how third-party vendors become intertwined in business operations. Once you embark on this assessment, what I expect you will discover is that there are many vendor relationships deemed not only critical to the organization, but vital to its strategic plan. This means that these vendors are viewed as strategic partners and their operations and strategic viewpoints are considered to be consistent with the company’s. However, please keep in mind that this doesn’t make them less risky. In fact, in my mind, they often bring greater risk exposure to the business because they are deemed critical to the organization’s strategic plans and would have a significant impact on those plans if not available.
Management analyzes the benefits, costs, legal aspects, and potential risks of these strategic partnerships. They also conduct risk and reward analyses on relationships deemed to be operationally strategic. However, they can make mistakes as their analysis may be based on data that can be false, manipulated, or out of date. So now you understand some of the concerns and questions that you will need to investigate in conducting a proper risk assessment. Next we will cover the categories of third-party vendor risk and how they impact the organization.
As I previously stated, many of the risks involved with employing third-party vendors center around the “unknown:” – the lack of visibility into their operations, network environments, corporate culture, etc. These risks fall into categories. There are five categories that I would recommend we use as our grading criteria to view the level of risk that is present with all third-party vendors. These five categories are…
Copyright © 2016 CISO DRG JV – All Rights Reserved.