Un-easy Riding with 3rd Party Risk

April 14th, 2017
Ed Snodgrass, CISO, Secure Digital Solutions

I enjoy riding motorcycles and have been riding for several years. One concept that I’ve repeatedly heard (and experienced personally) regarding safety is that if you’re a responsible, rider the main concern isn’t you, it’s the drivers around you who don’t exhibit the same level of diligence. Sure, you can take precautions to limit your risk of an accident – hand signals, proper separation, anticipation – but ultimately you can’t control or predict what the vehicles around you are going to do. You can only influence them.

From a security standpoint, we can look at 3^rd-party vendors and suppliers in much the same way. We can build a rock-solid security program and provide requirements to our vendors that they must comply with, but ultimately, we can’t control what they do. All we can do is influence them. A Soha Systems Survey on Third Party Risk Management notes that 63% of all data breaches can be attributed to a third party vendor. Does that mean that 63% of the affected security programs are insufficient? Probably not. Why then, is that statistic so high?

Because vendor management is a complex task, and an effective program requires answers to many questions, like:

• Do we know how many 3^rd parties there are across the enterprise?
• Do we know who our highest risk vendors are today and why?
• Is our screening process effective?
• How much of our process is automated versus subjective?
• Do we treat 3^rd parties that are a ‘sister’ or ‘parent’ company differently?
• Do we know how our 3^rd parties have performed against our standards over time? What are the metrics?
• If a 3^rd party outsources to other vendors, are they included in our security qualification/certification?
• Do we have visibility into our 3^rd parties’ security strategy?
• Does our cyber insurance cover 3^rd party exposure?
• Do our contracts give us rights to audit?
• Do we use NDAs?

If this list seems overwhelming, it can be.  Recognizing the questions that need to be answered is just the first step.  Being able to answer them is the second.   Assessing, evaluating and monitoring your 3^rd party vendors is the last step and gives you the visibility and influence needed to ride safely.  Many companies address this challenge by applying human capital.  This creates inefficiencies and generates inconsistent results.  We work with our customers to apply a standard methodology that generates repeatable scoring trends, allowing vendor risk to be measured beyond compliance. In our conversations with vendor management experts, they repeatedly highlight the importance of gauging the capability and expertise of the organization’s vendor security team. To achieve this level of insight based on a standard scoring methodology, customers are using the value obtained through a maturity approach to measure 3^rd party security.

After all, like riding a motorcycle, we can’t control what 3^rd parties do.  But we, as security leaders, can gather relevant and actionable information using standard scoring to minimize risk and reduce the likelihood of an accident.

See how by taking TrustMAPP for a test drive.