sdecoret - stock.adobe.com
How to shore up your third-party risk management program
A third-party risk management program has to go beyond questionnaires and poorly designed policies. Learn what you should do to protect yourself against vendor security flaws and core risks.
Few aspects of information security are getting as much attention as vendor management these days. At the heart of third-party risk management oversight is anxiety on the part of business executives and security professionals, and it's hard to blame them. One little security flaw in a vendor's infrastructure could create a massive security incident or breach that could have otherwise been prevented. And when there's a lot riding on something largely out of the organization's control, it gets attention.
Now as more board members, executives and lawyers get involved in the security function, vendor risk and management is front and center. Many of the recent big breaches came at the hands of vendors that didn't adequately protect their own systems. The result created exposure on what might have otherwise been resilient network systems. Still, with all the movement around third-party risk management programs, certain oversights still need to be addressed, and soon.
When organizations assess the risks associated with third-party vendors, many necessary, yet insufficient, aspects of the process are always part of the conversation.
Top third-party risk challenges and solutions
Moving on from security questionnaires. The use of increasingly complicated security questionnaires filled out by the security team or nontechnical sales and marketing staff isn't enough to get at what enterprises really need to know as part of a third-party risk management program. Yet questionnaires are often all that's used to "verify" a vendor's security. More a tool for going through the motions and even protecting the self-interests of those asking the questions, security questionnaires get that box checked. Unfortunately, they often paint a false picture of security in the organization.
A better alternative is to conduct interviews with key staff. I have found frontline IT and security professionals very forthcoming in their knowledge of known security gaps and weaknesses. Empty promises are often made during the sales cycle or contract negotiations with vendors, but if you speak to the right people, it becomes clear how things really work. Questionnaires are a good start, but depending on them exclusively is the first and perhaps most common step in setting your business up for security failure.
Vendor security documentation needs to reflect reality. In security, talk is cheap. I've reviewed thousands of policies that govern a variety of security subjects, and they are all predictably similar. They say the same things, and they're rarely enforced. Documentation creates the illusion that all is well in third-party risk management security, but that's hardly ever the case. Most policies mean nothing, and it's often because IT and security teams documented the policies without the full buy-in at the highest levels of the business. In many cases, no one else, not even management, knew about them or cared to enforce them. Organizations shouldn't let paperwork representing a vendor's security program translate into emptypromises that if unacknowledged, turn into security trouble.
Weak contract management. Most organizations I have consulted with don't have a formal and cohesive contract review process overseeing security-related contracts. Sometimes these contracts are reviewed by purchasing staff, sometimes by legal counsel. At other times, technical staff and nontechnical management review contracts. The challenge is that business decision-makers and those in charge of security are often not on the same page with security standards and oversight. In many cases, they agree to terms and conditions they know nothing about or can't back up with security controls and oversight. Vendor agreements have a lot of moving parts, and in some cases, purchasing and legal will agree to one thing, while IT and security teams are off doing something else. The result could be a security incident or breach in the making.
Assuming proper security testing has been performed. Vulnerability scans are part of an information third-party risk management program, but they're not enough to evaluate actual risk. Similarly, it's not uncommon for full vulnerability and penetration testing reports to paint the wrong picture of how things are. This is arguably the biggest challenge in terms of vendor management. Vendors will claim they are doing X, Y and Z, or that rudimentary testing will be performed even by the organization. But the devil lies in the details of the flaws that have yet to be uncovered by someone with bad intent.
Information security, as it relates to third-party risk management, is complex. Yet the core risks can be simplified into the following:
- Where policies exist, they're not being precisely followed.
- Where technologies exist, they are underimplemented in many ways.
- Where vulnerability and penetration testing has been performed, the odds are near 100% something has been overlooked either in the scoping process or the testing itself.
Gaps and risks are often a case of setting expectations improperly. This means not clarifying and fully spelling out what's expected of both parties (your business and the vendor) in terms of intellectual property ownership, incident response practices and shared security efforts when needed. These issues often occur because some of the people involved try to rush things along too quickly just to get the deal done and to say that due diligence is complete.
Get a grip on your downstream security liability
Getting a handle on downstream security liability has been a struggle for businesses for decades, and the need for it has finally come of age. Shore up your third-party risk management program. Don't let a vendor's security weakness become one of your own. Look past the promises of ISO, NIST and SOC compliance. You're never going to know 100% about your vendor's security vulnerabilities. The important thing, however, is to go beyond the checkboxes and follow that tried-and-true security principle: trust, but verify. Don't be afraid to push for good information. This isn't about being nice; it's about protecting your business.
Get the right people together and ask the tough questions to hold your vendors accountable -- now and moving forward. They don't have as much interest and buy-in on your security posture as you do. Like anything else in security, when done periodically and consistently, your efforts can and will have a positive impact on your security program over time.