This is the eighth in our series sharing thought pieces from the CISO Desk Reference Guide: A Practical Guide for CISOs, volume 1. In the following excerpt from Gary Hayslip’s essay for Chapter 8, Gary explores how to hunt for the risks your third-party relationships harbor. Please enjoy.
How Much Risk Do My Third Parties Have?
Today we are witnessing increasing data breaches in both government and private industry. The immense volume of data stolen and the risks these security threats impose on organizations are impacting their ability to operate as influential business entities. This combination of risks and their threats also pressures corporate information technology departments, cybersecurity programs, executive committees, and boards of directors to devise and implement a plan to manage these issues and protect corporate data. It’s this visibility into the executive board’s interest in risk that I want you to think about as we proceed to discuss our first question, “As the CISO, what are the risks to my organization from our third-party vendors, and why is it important that I understand their impact?”
Organizations will typically put controls in place to secure their business assets. You will base the level of these controls on several factors, such as:
- The likelihood of an attack on those assets.
- The impact on the business if the assets were lost or damaged.
- The sensitivity of the data these assets use, process, or store.
One tool to help measure the maturity of these controls will usually be some compliance regime. However, employing these controls still exposes the organization to risks involving third-party vendors, contractors, and partners. This risk is partly due to the lack of visibility into the third party’s enterprise networks, business operations, workflows, and financial processes. Remember, your board of directors and senior management are ultimately responsible for managing activities conducted through third parties. Part of management’s due diligence is to identify and control risk. All parties must remember that no matter what services are contracted out, all responsibility and accountability still rests with the organization. We can’t contract away our responsibility to manage our own risk.
As a CISO, you may wonder, “Why do I want to use third-party vendors? Who needs that headache?” Well, that is a good question, and it deserves the context of your company’s strategic business plan. I’ll bet that if you review this plan and its goals, you will find that your organization is using third-party contractors to attain one or more strategic objectives. For example, they may wish to use third-party contractors to quickly increase resources to resolve an issue and ultimately increase revenue. Perhaps they aim to use third-party contractors to reduce costs or to gain access to specific expertise, such as software development, that the company currently lacks. As a CISO, I have employed contractors over the years as staff augmentation for my teams or because we lacked critical skill sets for upcoming organizational projects. What’s important to remember here is that there are business reasons why your organization requires the services of third-party vendors. However, as security professionals, we must thoroughly understand the risks of using third-party organizations.
To understand third-party risk, you must know which risk categories apply to your company. To assist you in understanding these risks, I suggest your organization conduct a risk assessment. This risk assessment will enable you to understand the different types of third-party vendor risk exposures, whether these risks apply to your organization, and their potential impact on your company’s strategic operations. The first phase of conducting this risk assessment is establishing a risk framework, a lens through which the organization can identify, understand, and mitigate risk. To focus your lens, you need to ask the following questions:
- Are activities within the organization regulated?
- Do you know how much data is used by these activities?
- Do you know what data types and classifications these activities use?
- Do you know what vendors can access these data types and classifications?
- Do you understand each vendor’s responsibility concerning the organization’s sensitive data?
- How does each vendor fit into the organization’s overall strategic plan?
- If this data is breached, manipulated, or lost, what is the potential impact on the organization?
These questions show how third-party vendors become intertwined with business operations. Once you embark on this assessment, you will discover that many vendor relationships are critical to the organization and its strategic plan. Therefore, the organization views these vendors as strategic partners and assumes their operations and strategic viewpoints are consistent with its own. However, keep in mind that this doesn’t make them less risky. On the contrary, they often bring greater risk exposure to the business precisely because they are deemed critical to the organization’s strategic plans and would significantly impact those plans if unavailable.