With supply-chain cyber threats on the rise as a result of the pandemic, our expert panel discusses the best third-party risk management processes and how businesses should best address a partner breach
- Mitch Parker, CISO, Indiana University Health
- Rick Doten, VP, Information Security, Centene, and CISO, Carolina Complete Health
- Marian Reed, Former Head of IT Security, Serta Simmons Bedding
- David Levine, VP of Information Security, Ricoh USA, Inc
The Importance of Risk Management
Working with third parties helps businesses increase their productivity and efficiency, produce better products and services, and reduce overheads. However, all of these benefits come at the price of increased cybersecurity risks, as some third parties may not take their network security as seriously as you want them to.
A compromised subcontractor can easily be turned into an entry point for cybercriminals, as we saw in the recent cyberattack on Texas-based software company SolarWinds. In early 2020, hackers breached the company’s Orion platform, which enabled them to successfully spread malware to more than 18,000 companies and government agencies in the US.
Although the risks of working with subcontractors have never been more apparent, the number of third parties organizations work with, as well as the amount of sensitive data disclosed to them, is increasing every year. The same goes for data breaches caused by third parties: a recent survey conducted by the Ponemon Institute reveals that 51% of organizations have experienced one or more data breaches caused by a third party, costing an average of $7.5 million to remediate.
With that in mind, third-party risk management (TPRM) – the process of determining, analyzing, and managing third-party risks – has never been more important. During our recent CISO US Live session, our panelists shared some of their best advice on how this process should work.
The Questionnaire Trap
While risk management is of growing importance for organizations, many continue to rely on legacy processes, including the use of questionnaires, which could give companies a false sense of security. David Levine, VP of Information Security at Ricoh UK, says this decades-old ‘checkbox’ exercise no longer makes sense in the fast-paced cybersecurity world.
“Applicability in risk is sorely missing. I get questionnaires all the time that make no sense given what we’re doing for the potential partner,” Levine says. “I think the process is bad – some of the questionnaires are terrible; they’re too long, or go in the wrong direction, and don’t let you answer the question in a meaningful way.
“What’s more, the people we’re dealing with all too often aren’t security, government, or risk people. 99% of the time it’s Procurement, and they have no idea what they’re looking at,” he added.
This is a viewpoint shared by Marian Reed, Former Head of IT Security at Serta Simmons Bedding, who believes questionnaires no longer help organizations to identify ongoing risks.
“We also need to think about the fact that a lot of vendor questionnaires get sent out annually,” Reed says. “Think about the environment that you are surveying – that environment is constantly changing, so doing an annual survey isn’t appropriate.”
Mitch Parker, CISO at Indiana University Health, agrees and believes risk management processes should focus much more heavily on international standards that give companies a much more reasonable degree of assurance their vendor is providing a secure service.
“One of the biggest pitfalls is the questionnaire trap. If you’re sending a questionnaire, you’re taking an engineer off of actually doing security, which makes no sense,” Parker says. “You only have a questionnaire if you can’t provide the documentation that shows you’re mitigating risk.”
He continues: “You have to take a look at what the actual risk is of what the actual vendor is doing. Look at whether they have a risk management program and processes that adhere to good international base standards.”
Scaling Continuous Monitoring
As well as a shift towards universal standards, the panel believes that the future of risk management will be a continuous approach – one that is performed on an ongoing basis and forms an integral part of day-to-day management.
“You need to build a partnership with your key vendors,” says Reed. “Make it a continual relationship. When you go through and do a security assessment with them, and you identify the methodologies they are using, there should be some way that you can implement that ongoing reporting. Maybe it’s even getting on a call with them for an hour every quarter.”
He continues: “I think you’ve got to build out that continuous monitoring. It’s going to look different for every vendor, so you can’t take a cookie-cutter approach. You have to individualize the management of the supplier.”
This approach, which some believe will ultimately be led by technologies such as artificial intelligence (AI), isn’t without its challenges, however, particularly for those with a large number of third-party partners.
“The challenge that we have is about scale,” adds Doten. “We have a hundred thousand providers, not to mention all of the 50 state health plans that have all of their vendors, so how do we scale them?”
Doten believes investing in cybersecurity, particularly in the form of cyber insurance, could be one of the ways that organizations can begin to scale.
“Insurance is one way. Cyber insurance companies are now being much harder on providers because it’s been a tough year for them,” Doten says. “They’re stepping up what their requirements are, and a lot of the time, having that insurance is one of those requirements. We need to come up with some standards that are universal, scalable, and cater to different businesses, otherwise, cybersecurity insurance will start dictating these standards.”
Ricoh’s Levine, too, believes cyber insurance is a tool that organizations should embed into their risk management processes, though he warns that there is still a long way to go.
“The whole insurance space continues to evolve,” Levine says. “When we went to do our renewal this year, they were diving into very specific technologies and processes. I think it’s a good thing, but we’re not where we need to be in that realm and things get complicated once you get past the third party.”