Information Security

Defending the digital infrastructure

nobeastsofierce - Fotolia

CISOs face third-party risk management challenges

Security professionals understand all too well what's at stake, and that's why more companies look to tighten up security with third parties.

The Options Clearing Corp. in Chicago runs one of the largest equity and derivatives clearinghouses in the world.

Major trades don't get finalized until they have been cleared by the OCC. So the company's fundamental purpose depends on creating secure relationships between all the parties in a trade.

With so much riding on the security of the OCC's IT systems, maintaining third-party risk management and strong relationships to prevent bad actors from sneaking in and stealing important financial data has become more important than ever. 

Mark Morrison, senior vice president and CSO at OCC, said the equity derivatives exchange has tightened up its access management policies with third parties in the past several months. "Moving forward, companies can't just come into our system remotely," Morrison said. "We set up a system so the third party has to authenticate itself every time it comes onto our network."

Mark Morrison, chief security officer, Options Clearing Corp.Mark Morrison

Morrison added that CISOs should request their critical third-party partners conduct an independent assessment of their security controls similar to what's contained in a Service Organization Control 2 report. The SOC 2 report meets the security requirements outlined by the American Institute of Certified Public Accountants.

"What I'm finding is that the financial industry and many other sectors are at a point where the defense industry was eight or 10 years ago," Morrison said. "The financial sector has put a lot of emphasis on third-party risk the past few years, as [have] both the healthcare and retail sectors. In a lot of cases, what we're looking for is to find our weakest link."

Too many third-party incidents

After the Target breach in 2013 and the third-party security incidents at Home Depot and J.P. Morgan not long after, security professionals began taking a closer look at third-party risk management. They had no choice. The events at Target lead to the firing of senior managers at the company. J.P. Morgan spent millions on remediation.

But Target was just the beginning. In the last year, Experian partner Alteryx exposed the sensitive personal data of 123 million U.S. households that were stored in misconfigured Amazon Simple Storage Service buckets. And the Republican National Committee's partner Deep Root Analytics exposed the sensitive data of 198 million American voters along with an inside view of the RNC.

These incidents demonstrated that third-party risk management was not just something the large banks, defense contractors and automobile companies had to worry about. Sure, these large organizations manage hundreds, if not thousands, of third-party relationships, but it's now become clear that all businesses must pay closer attention to the security of their business partners and third parties.

A recent survey by Forrester Research found that third-party incidents were the cause of 17% of confirmed breaches in 2017, a number that underscores the cybersecurity of business partners and third parties as a significant vulnerability. The Forrester survey also found that 65% of security professionals rated ensuring that their business partners and third parties comply with their internal security requirements as a high or critical priority.

Source of breaches according to a Forrester survey

"During the past two years, third-party risk has become a top priority for many CISOs," said Nick Hayes, a senior analyst of security and risk at Forrester, and one of the authors of the survey. "And it's a much broader issue than most people think. Hospitals have had issues with all the IoT devices they are deploying, all those sensors open up third-party risk. And the entertainment industry has had issues with third-party risk."

Moving off paper questionnaires

Nick Hayes, senior analyst, Forrester ResearchNick Hayes

Forrester's Hayes adds that large organizations especially have a tremendous challenge in managing third-party relationships. Some large organizations may have 300 to 400 suppliers, and the large defense contractors could be doing business with well in excess of 1,000 suppliers, sometimes 5,000 to 10,000.

Today, companies send out spreadsheet-based questionnaires that the compliance professionals in the procurement department must manage and manually review. It's very cumbersome and a real burden to the third parties, all of which are bombarded daily with audit requests.

"Compliance professionals spend too much of their time on data collection around third parties," said Fred Kneip, CEO of CyberGRX. The third-party risk management provider, along with CORL Technologies, Panorays and Whistic, has pioneered the "exchange" concept in which an independent company conducts internal audits of vendors and issues a risk score. The goal: relieve the paperwork and management burden on the compliance professionals in large enterprise procurement departments.

CyberGRX collects and analyzes data based on the following foundational security questions: Does the company have a patching program? How often do they patch? Do they run penetration tests? Does the company have a phishing training program? How does the third-party vendor deal with employees who leave? Does the law firm the company works with run background checks on the cleaning staff?

We set up a system so the third party has to authenticate itself every time it comes on to our network.
Mark MorrisonCSO, Options Clearing Corp.

Khushbu Pratap, a research analyst at Gartner, predicts that by 2021, random questionnaires, certifications and attestations will be replaced by industry-specific consortiums that organize third-party security assurance practices. These organizations will serve companies that are stretched thin, meeting the increased volume of due diligence activities.

"These consortiums will act as mediators for customer and vendor organizations' needs and limitations," Pratap wrote in a research note last year. "Vendor organizations can undertake independent assessments, based on agreed-upon industrywide requirements. They can then share the report with authorized members of the consortium. The consortiums may also supplement such reports by leveraging scoring services providers for ongoing, high-level diligence based on publicly available information."

Pratap added that there's a real need to ease the burden on compliance professionals: She estimated that more than 50% of IT compliance professionals spend 25% of their time evaluating third-party security controls.

So while new tools can help organizations with third-party risk management, in the end, most third-party security incidents are caused by a vendor's failure to follow fundamental security practices. Earlier this year, the Online Trust Alliance found that 93% of breaches are preventable. The vast majority are caused by the following issues: lack of a complete risk assessment, including of third parties; lack of a proper patching program; misconfigured devices and servers; poor encryption programs; failure to block malicious email; and the absence of security awareness training. Insist that your third parties have programs in place that do that, and you'll be well on your way to sleeping better at night.

Article 4 of 6

Dig Deeper on Risk management

Get More Information Security

Access to all of our back issues View All
Enterprise Desktop
Cloud Computing