Moving from the unknown to the known – an imperative for effective third-party cyber risk management

In today’s highly connected business ecosystem, just about every business outsources some aspect of its operations. But it is becoming increasingly difficult for organizations to ensure that third-party providers remain a source of strength for their business rather than a weak link for cybercriminals to exploit. As a result, managing third-party vendor cyber risk is fast becoming the defining cybersecurity challenge of our time. As organizations increase the number and variety of suppliers they work with in pursuit of competitive advantage, they simultaneously expose their enterprise network to the vulnerabilities of those partners.

To this point, according to Deloitte’s latest 2020 Third Party Risk Management Global Survey, around half (50 percent) of respondents said that the financial impact of a failure at a third party or subcontractor has at least doubled in the past five years. In fact, one in five respondents believe the financial impact has multiplied tenfold. That’s because working with third-party vendors is inherently risky — you are trusting a business whose practices and processes you can’t control. And as businesses use third-party vendors more often and at a larger scale, the data security and privacy risks they face will grow exponentially.

Consequently, there has been a rise in regulatory activity related to third-party cyber risk management which has put more pressure on organizations across all industries and countries. This, in turn, has rapidly raised benchmarks and expectations around third-party cyber risk management.

But while organizations are more aware of the need to be a responsible business, they are increasingly concerned about the rising cost of getting third-party cyber risk management wrong, and about making sure they are spending money where it matters. So how do you move the cyber risks in your supplier ecosystem from the unknown to the known?

Are questionnaires alone sufficient anymore?

Many organizations still rely heavily on supplier questionnaires and other point-in-time or manual processes, such as onsite audits and vendor self-assessments, to calculate cyber risk, as well as on processes that are not verifiable or evidence-based. This is often compounded by the relative infrequency of such auditing and reporting compared with the fast-changing cyber threat landscape. In my experience, real-time, daily or continuous cyber risk auditing is rare; however, this kind of visibility is key to understanding what is happening in your ecosystem. Otherwise, months can go by without oversight of threats and cyber risk.

Scale is also a major problem for most organizations. The sheer volume of data, the accuracy of that data, and knowing what to prioritize and which suppliers to monitor are why so many organizations only track their critical or tier-one vendors, and only do so periodically, which ultimately leaves a long tail of suppliers to which the organization is relatively blind. It only takes one of these to have a weakness that a threat actor can exploit, and a breach becomes highly likely. This scenario presents substantial unknown risk, and if the business doesn’t know about it, it can do nothing to prevent, mitigate or transfer it.

There is evidence to suggest that more budget and resources are being allocated to the problem to shift the dial on third-party cyber risk management, but much depends on the business case for increasing budgets and on how organizations plan to allocate resources to materially improve cyber risk management. Many firms have so many different concerns about their third-party cyber risk programs that they struggle to work out where to start. However, the frequency of third-party cyber breaches, and tactics like island hopping (compromising a smaller partner as a route into a larger target), are a testament to the fact that current approaches are not sufficient, so simply doing more of the same is not going to deliver a different outcome.

You can only scale if you automate

Most organizations have hundreds, if not thousands, of vendors in their supplier ecosystem, which makes it near impossible to monitor all of them without automation and a data-driven approach. To effectively monitor the long tail of vendors, you need a consistent approach, automated business rules and processes, and the ability to prioritize and triage issues for swift remediation. Therefore, you need a way to identify the clear signals and reduce the noise and the false positives. Any risk management program also needs to map to standard controls and security frameworks such as ISO and NIST, but it must also accommodate your own risk appetite, risk thresholds and tolerances. Having better cyber risk monitoring in place will certainly help to minimize the likelihood and/or the impact of a cybersecurity breach.

Likewise, if you completely devolve responsibility for fixing cyber risk issues to suppliers, you are in effect relinquishing control, as you cannot confirm that the supplier has acted to rectify the problem. However, in my experience, a big part of the problem is that when firms highlight a problem to suppliers, the information they share often lacks specifics and doesn’t tell the vendor what steps they need to take to resolve the issue.

Who owns cyber risk?

This is all compounded by a much deeper problem around ownership of third-party cyber risk, one that is evident at many of the firms we work with: cyber risk is caught in a silo, with organizations attempting to partition it from other areas of business risk. In fact, the business owns the risk. CISOs or CIOs may be its custodians, but when a cyber risk event happens it is the business that feels the impact, in terms of its ability to function or the effect on its reputation or finances.

There are two potential solutions. In the first, a single executive is designated owner of all supplier risk, which we sometimes see happening where heads of compliance or legal divisions have responsibility. This has limitations, as these departments invariably bring their own lens to risk management. The alternative, which we advocate at BlueVoyant, is that cyber risk is integrated fully into business risk and owned at board and business-unit level, and that the risk tolerance of all stakeholders is incorporated into cyber risk management so there is a working balance between productivity, protection, continuity and compliance.

The threat landscape is more connected, sophisticated and democratized than it has ever been. The regulatory environment is increasingly complex and punitive, and the financial, operational and reputational impacts of breaches are severe, so managing third-party cyber risk is a business imperative. Getting to grips with this now, moving your knowledge of cyber risk across suppliers from the unknown to the known, planning the appropriate action and managing through to resolution across the entire vendor ecosystem must be a priority.

Ewen O’Brien, Head of Third-Party Cyber Risk Management, BlueVoyant