An organization's security posture is only as strong as that of its third parties. A single unknown flaw in a vendor's infrastructure can expose an organization to serious security incidents. Gartner researchers found that 83% of organizations that employ third parties for business services identified third-party risks only after conducting due diligence. It's easy to understand why infosec teams and executives alike feel anxious at the thought of third-party risk management.
To validate a third party's cybersecurity technologies and policies, organizations have a list of tired options at their disposal. By relying on outdated or insufficient measures to conduct risk management up and down the supply chain, organizations are left vulnerable. Learn how to improve the accuracy of security questionnaires, interview third-party employees about risk and rethink third-party risk management best practices in this changing threat landscape.
Compiled here are three insightful articles that arm organizations with expert recommendations and updates to their risk management toolkit.
Implement supplier evaluations to assess risk
There are many methods of evaluating risk when entering a business relationship with a third party. One way to conduct vendor risk management is to have suppliers complete a form with questions about their security practices and policies. This gives organizations more context and a metric with which to compare different suppliers before choosing one and awarding it a contract.
SearchSecurity sat down with Enterprise Strategy Group analyst Jon Oltsik, who prescribes this method. He recommended that this evaluation be done at least annually. He also explained how a surprise audit of the third party, conducted at the organization's discretion, can identify potential risks.
Learn more about Oltsik's recommended third-party risk management best practices and how to more accurately assess supply chain risk.
Risk assessment beyond security questionnaires
As breaches land companies far and wide in headlines and hot water, an increasing number of board members and administrators have begun participating in security functions. The boardroom's focus on third-party risk is clear, but the best methods of evaluating that risk may not be as obvious.
Standard risk assessment tools involve third parties filling out security questionnaires. But these can provide false or incomplete pictures of the security landscape. Rather than using security checklists just to go through the motions of auditing, expert Kevin Beaver advocated conducting interviews with relevant third-party staff. This is a better way to gain insight into potential security weak spots in the supply chain.
Learn how organizations must reform security audit processes and how they should evaluate their own downstream security liability.
Modernizing third-party supply chain policies
The technology landscape is advancing quickly. Nemertes Research reported that 2019 is the year in which the majority of workloads are run in the cloud rather than in on-premises data centers. The seismic shift to cloud and mobile necessitates three major changes to infosec professionals' third-party risk assessment best practices.
First, do not take a supplier's responses during audits at face value. Second, use automation to conduct detailed audits at least annually -- simple checklists will not do. Additional audits should be performed any time the supplier makes significant changes to its technology. Third, the risk management process should be recognized as a unique and vital discipline.
Learn more to create a well-funded and focused team of specialists that can implement these important updates to third-party risk management best practices.