Is Third-Party Risk becoming a priority?
Not one day passes by without a new cyber-attack making the news and triggering questioning from executive leaders and members of the board. Small and large organizations from all industries are impacted, giving life to interesting case studies to be discussed during cyber risk and privacy classes.
There are many reasons why third-party risk management (TPRM) has become an essential component of the cyber risk management domain. A few of them are summarized below.
1 - Companies pay more attention to what they can directly control
With the threat environment becoming more complex every day, CISOs have to pick their battles and choose the focus of their investments wisely. This usually translates into securing what can be directly controlled from the inside, often relying on legal obligations and liabilities to protect themselves from third-party related risks. All of this only to realize that contractual provisions are usually just a deterrent, and very few circumstances are serious enough to justify initiating a legal battle with a third-party service provider.
Much of the focus is therefore placed on defining and monitoring what employees can or cannot do, while too little attention is paid to non-employees who often have equal if not greater access to the systems. This creates very fertile ground for attackers who intend to use third parties as their main attack vector.
2 - Very few companies have an accurate inventory of their vendors
You cannot control what you don’t know. With the growing supply of subscription-based packages, many companies find themselves losing track of the many service providers they engage with on a daily basis. It’s usually much easier and cheaper to choose the one-click acceptance of Terms and Conditions over the long and often excruciating contract negotiation process. This is why even large corporations often struggle to dissuade business stakeholders from individual subscriptions. It’s no secret that many companies don’t have an accurate vendor inventory and often rely on employees to let them know which vendors they choose to deal with.
In this scenario, having an effective third-party risk management program is critical to enable internal communication and catch providers hidden in the depths of the corporate organization.
3 - The matryoshka effect
Traditional third-party risk management programs focus on evaluating the security posture of the external organizations that directly provide services. But what about those who provide services to the service provider?
Often called fourth parties, these organizations can be as critical a risk vector as third parties are. But then, where do we draw the line?
As looking into each service provider “doll” would be impractical and pretty much impossible, an effective third-party risk management program will allow monitoring how risks generated by fourth parties are evaluated and addressed, reducing the chance of being attacked through this alternative attack vector.
Conclusion
These are only a few of the reasons why TPRM is becoming a critical bullet point on the cyber risk management agenda, making it one of the most discussed topics during board meetings and driving a significant part of overall cyber spending. CISOs have the hard task of choosing where to draw the line when it comes to third-party risks, and eventually bearing the consequences of that choice.