One of the greatest risks to information security today is the sprawl of third parties throughout an organization’s supply chain. Target, The Home Depot, Anthem, the United States Office of Personnel Management—in all of these headline-news data breaches, third-party vendors contributed to the breach. And these are just the ones that caught the eye of the media. To strengthen a company’s resilience to these threats, company leadership must advance its supplier management program to include a risk-based information security management program.
On August 10, Stroz Friedberg hosted a webinar seeking to provide organizations with insights and data that would help them build a comprehensive cyber risk management program into their existing vendor risk management programs. Participants in the webinar included William Dixon, Vice President, Stroz Friedberg; Michael Schell, Strategy Vice President of DatumSec, a provider of third-party risk assessment solutions; and Valerie Vizena, Third Party Risk Director for DocuSign, which empowers users to sign, send, and manage documents digitally. This blog post features takeaways from this presentation. For a copy of the full presentation and recording, please contact: William Dixon.
A key step in this evolution of supplier management is education from the top down. Company leadership must deeply support this endeavor. Risk management assessments, by their very nature, slow business down, Vizena said. Management may urgently need a new supplier of widgets, a new payroll management service, or a new point-of-sale system; but when a company has a robust risk management program, the process of evaluating the vendor takes time. For this balance of risk and reward to be approved, leadership must advocate the reduction of risk over immediate short-term results, she said. Central to gaining this kind of support is teaching the powers that be the value of cyber risk management, based first and foremost on an understanding of the risk itself.
A company’s third-party risk primarily comes from two directions: a vendor’s access to sensitive data and its access to the network. Companies often misclassify their vendors’ risk levels, focusing myopically on the size of the business or contract rather than on the type of information being shared and the access being granted. Small- and medium-sized businesses (SMBs) are often overlooked because assessing them is seen as cost-prohibitive, and the benefit of reviewing their security is not seen as justifying the effort. But this assumption could not be more flawed. SMBs present significant risk to the organizations they work for, largely because, unlike a Fortune 500 firm, they do not have the resources (technology, staff, training, etc.) to ensure their own cybersecurity and that of their own suppliers. And yet, just like the bigger businesses, they may be handling their clients’ sensitive data or have access into their clients’ networks, Vizena pointed out.
DatumSec demonstrated SMBs’ weakness in cybersecurity management by revealing the results of an eye-opening study in which they assessed hundreds of small- and medium-sized businesses. DatumSec evaluated the businesses against two major measures: the security of their external posture, which includes, for example, the configuration of their domain and email, and the security of their internal posture, referring to security issues managed internally such as password strength, the installation of software updates, and remote workers. Nearly one quarter of the companies’ external postures were given a failing grade, and, of this group, none passed the internal security test. Meanwhile, of those that exhibited good external posture, more than half still failed the internal security test.
Organizations must begin to assess their supply chain based on the real risk suppliers present, rather than on a more arbitrary risk measure such as contract size. And this enhanced supplier identification process should feed into a more thorough review of the vendor’s cybersecurity operations. Vizena said that, in the past, when cyber was incorporated into a supplier risk management program, the approach was very “check-the-box”. Are they PCI-DSS compliant? Check. Are they HIPAA-compliant? Check. Often this process was completed only once, upon hiring the entity. But compliance does not equal security, and a moment-in-time “evaluation” doesn’t always line up with changes in the business relationship, in access to systems and data, and in the threat landscape.
Stroz Friedberg firmly believes in risk-based, third-party risk management programs that are standardized to enable scale — touching both SMBs and larger businesses — but that are in-depth enough to draw out meaningful findings. The assessments should involve verbal interviews with company leadership and information security executives, quantitative measures such as those that track cyber risk, and thorough due diligence looking into the public record and, when necessary, tapping local sources. In the best-case scenario, the results of this assessment should be rolled up into a risk score, enabling organizations to directly compare the risk level of their various relationships and understand where controls for mitigation should be implemented.
Again, it must be reiterated that all of this depends on the buy-in of leadership. Third-party cyber risk management must be managed across the enterprise, above and beyond silos. It must be evangelized by the individuals assessing performance so that short-term rewards do not compromise the company in the face of long-term, existential risks. And it is essential for building a culture that values security — a perspective that can transcend one’s own company, extending to the others with which it does business.