Editor’s note: This guest article is from Sam Olyaei, a VP at Gartner, where he advises CISOs, CIOs, chief risk officers and non-IT executives on maturing their security and risk practices.
To address business exposure to third-party cyber risks, cybersecurity and IT leaders must engage stakeholders to define a policy, identify hazards and promote predefined mitigations.
CISOs should not promote the termination of valued third parties, but rather be more assertive around their expectations for third parties, including the minimum standards or controls required to protect the organization from unacceptable risks.
Define a third-party risk policy and scope
Third-party cyber risk management cannot be achieved in isolation. To be effective, it must involve business leadership, procurement, supply chain, legal counsel and other relevant stakeholders to set expectations, make decisions and enforce standards.
Cybersecurity leaders can begin by identifying the scope of the third parties with whom the organization works. This may include vendors and IT suppliers that operate on the network, but also customers, supply chain partners, business partners and even regulators.
The second step is to separate low-risk third-party engagements from high-risk engagements. This should be a collaborative exercise with the risk committee or board of directors to determine which cybersecurity risks the organization is willing to accept.
For example, the organization may accept the risk of third parties storing confidential business information unencrypted, but it may not accept the risk of customer data being stored unencrypted. Target the third parties that are identified as posing the most significant risk within a business context.
Next, develop minimum standards or non-negotiables based upon risk scenarios, such as: “All customer data must be encrypted in transit and at rest,” or “All personnel who access our systems must have a criminal history background check.”
These standards can be shared internally and externally, incorporated into procurement engagement requests, published on external-facing sites and/or incorporated into third-party codes of conduct.
To bring it all together, document a high-level policy for third-party cybersecurity risk. This clarifies for business, procurement, IT and stakeholders which types of third parties warrant investigation, what the expectations are and how their capabilities will be assessed.
Adopt a triage approach to in-scope third parties
Many regulations require the assessment of third-party security capabilities. However, sending vendors questions about their security controls does not guarantee that the controls are consistently applied, that they won’t fail in the future, or that they are fail-proof.
It also forces CISOs to expend considerable effort on analysis rather than on addressing potential risks.
Most regulations require analysis to be commensurate with the level of risk the third party poses. A triage approach can help CISOs conduct the appropriate level of analysis for each third party and determine the associated actions.
For each party, consider:
- Do they access, store or process sensitive or customer data?
- Do they access the enterprise’s technology network – virtually or physically?
If the answer to both questions is no, then security checks may not be needed. If the answer to either or both is yes, then the next step is to determine the necessary mitigations.
For example, a third party that stores both confidential business data and customer data and has access to internal systems would be placed in a “critical” cyber risk category.
The prescribed action for this category may be a standardized information gathering (SIG) questionnaire, an ISO/IEC 27001 certification or SOC 2 Type 2 report, and/or a physical audit.
On the other hand, a third party that is storing confidential business data but not customer data and which does not have access to systems may be in a “medium” category and would require a passive perimeter scan, perhaps using a security ratings service.
Encourage stakeholders to incorporate these checks into engagement with third parties.
For instance, procurement can include assessment requirements in engagement requests to vet higher-risk third parties before their functional capabilities are evaluated. Legal can include contractual clauses for certain scenarios, such as requirements for encryption standards, notification of breaches, certification reports and remediation of identified control gaps.
These actions help institutionalize third-party cybersecurity controls into the organization’s business processes.
Develop predefined actions to address risks
Despite significant investment in measuring third-party cyber risk, most assessments result in no action. There is often a disconnect between the analysis findings and the CISO’s ability to communicate actions the business can take.
A set of predefined actions can help CISOs mitigate the most common third-party risk scenarios by providing real solutions to the business.
For example, if the identified risk is that the third party does not encrypt sensitive data, potentially exposing sensitive customer records, the action could be for the business to encrypt data through bring your own key (BYOK) – or, it could be to terminate proceedings with the third party.
Create your own list of risks and mitigations and build on it over time.
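The triage questions, tier-based assessments and predefined actions described above fit naturally into a small rules model. The following Python is an added illustration, not code from the article or from Gartner: it encodes the two triage questions, the article's "critical" and "medium" tiers with their prescribed checks, the example minimum standards, and the BYOK-or-terminate style of predefined action, and it produces a simple cyber-risk register. The "high" tier for third parties that answer yes to only one of the two questions, the field names, the attestation keys and the sample vendors are all assumptions made for this example.

```python
from dataclasses import dataclass, field


@dataclass
class ThirdParty:
    """One in-scope third party and what it touches. Field names are this example's own."""
    name: str
    stores_customer_data: bool
    stores_confidential_data: bool
    network_access: bool  # virtual or physical access to the enterprise network
    # Vendor attestations against the minimum standards, e.g. {"encrypts_at_rest": True}.
    attestations: dict = field(default_factory=dict)


TIER_ORDER = ["critical", "high", "medium", "low"]

# Prescribed assessment per tier, following the article's examples. "high" is an
# assumption added here for third parties that answer yes to only one of the two
# triage questions; the article leaves that case to the organization's judgement.
ASSESSMENT_BY_TIER = {
    "critical": ["SIG questionnaire", "ISO/IEC 27001 or SOC 2 Type 2 report", "physical audit"],
    "high": ["SIG questionnaire", "ISO/IEC 27001 or SOC 2 Type 2 report"],
    "medium": ["passive perimeter scan via a security ratings service"],
    "low": [],  # no security checks needed
}

# Minimum standards (non-negotiables): the attestation that satisfies each, the vendor
# property that makes it applicable, and the predefined action when it is unmet.
MINIMUM_STANDARDS = [
    ("encrypts_in_transit", "stores_customer_data",
     "All customer data must be encrypted in transit",
     "require transport encryption before go-live, or terminate the engagement"),
    ("encrypts_at_rest", "stores_customer_data",
     "All customer data must be encrypted at rest",
     "encrypt data under a bring-your-own-key (BYOK) scheme, or terminate the engagement"),
    ("background_checks", "network_access",
     "All personnel who access our systems must have a criminal history background check",
     "suspend system access until checks are complete"),
]


def triage(tp: ThirdParty) -> str:
    """Answer the two triage questions and map the result to a tier."""
    if tp.stores_customer_data and tp.network_access:
        return "critical"
    if tp.stores_customer_data or tp.network_access:
        return "high"  # assumption, see ASSESSMENT_BY_TIER
    if tp.stores_confidential_data:
        return "medium"
    return "low"


def control_gaps(tp: ThirdParty) -> list:
    """Return (standard, predefined action) for each applicable standard not attested to."""
    gaps = []
    for attestation, applies_if, standard, action in MINIMUM_STANDARDS:
        if getattr(tp, applies_if) and not tp.attestations.get(attestation, False):
            gaps.append((standard, action))
    return gaps


def build_register(parties) -> list:
    """Build a third-party cyber-risk register, highest tier first."""
    rows = []
    for tp in parties:
        tier = triage(tp)
        rows.append({
            "name": tp.name,
            "tier": tier,
            "assessment": ASSESSMENT_BY_TIER[tier],
            "gaps": control_gaps(tp) if tier != "low" else [],
        })
    rows.sort(key=lambda r: TIER_ORDER.index(r["tier"]))
    return rows


# Constructed sample third parties for this example (not real vendors).
SAMPLE_PARTIES = [
    ThirdParty("Payroll SaaS", True, True, True,
               {"encrypts_in_transit": True, "encrypts_at_rest": False, "background_checks": True}),
    ThirdParty("Marketing agency", False, True, False),
    ThirdParty("Office catering", False, False, False),
]

if __name__ == "__main__":
    for row in build_register(SAMPLE_PARTIES):
        print(f"{row['name']:<18} {row['tier']:<9} {row['assessment']}")
        for standard, action in row["gaps"]:
            print(f"    GAP: {standard} -> {action}")
```

Running the block prints the register with the payroll vendor at the top as "critical", one gap (customer data not encrypted at rest) paired with its predefined action, the agency as "medium" with a perimeter scan, and the caterer as "low" with no checks. The point of keeping the tiers, standards and actions in data rather than in branching code is that the list of risks and mitigations can be extended over time, as the section suggests, without touching the triage logic.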
Implement a plan for monitoring and reporting
Third-party risk monitoring and reporting must be an ongoing process. Many CISOs already monitor some third-party cyber risks, such as those from IT vendors.
However, this shouldn’t be an activity for which CISOs are solely responsible. A best practice is to use a mix of governance, services and third-party self-reporting.
Implement a plan for monitoring and communicating third-party cyber risks by allocating resources to manage the cyber-risk register, respond to changing risk factors or events and report risks to relevant stakeholders.