Building The Business Case For Enterprise Third-Party Risk Management (TPRM)
Third-party Data Breach Incidents Trigger Enterprise Triage For RFPs And Contracts
Businesses have been given a revised charter – call it digital transformation, an innovation culture, or simply enterprise change – to create long-term value, gain competitive advantage, and derive new cost savings for shareholders. To meet these objectives, organizations are increasingly reliant on third-party vendors, suppliers, and service providers to scale efforts beyond their current personnel headcount.
Third-party partnerships have become an accelerating part of how enterprises do business today. This is especially true as enterprises must comply with various federal and state regulations. Data mismanagement is no longer confined to the enterprise security perimeter; it now extends to data shared over new technologies and third-party services. Enterprises must address the growing requirements for data sharing and risk monitoring, and their initial approaches must evolve beyond collecting data to actually changing vendor behavior.
The many organizations that have had to respond to a data breach demonstrate the need for security teams to put a cyber plan in place that reaches beyond the physical perimeter. Security teams must now also provide the leaders of the organization with the information necessary to justify the expense of managing risk from third-party agreements. In addition to strong technical acumen, security leaders must be able to speak to core business values.
An annual survey from North Carolina State University’s Poole College of Management Enterprise Risk Management Initiative in April 2019 found the top four reasons that business executives are pursuing extended enterprise risk management (Third-Party Risk Management or TPRM) are:
- Cost reduction – Partnering with external service providers to manage data storage, analysis and marketing enables the enterprise to focus on core competencies
- Reduction in regulatory exposure – A consistent process that is documented and reported by a third-party service allows the organization to “plug in” activities without adding complexity to the organization
- Addressing internal compliance requirements – The use of third-party services does not remove the organization's responsibility to demonstrate regulatory and data privacy compliance
- Reduction in the number of third-party related incidents – A change in the security perimeter requires organizations to involve the security team in assessing the capabilities of external partners and establishing oversight and testing that ensures a security posture aligned with the organization's own
Concerns about outsourcing critical, organization-wide matters have led decentralized organizations to scale back in favor of centralized ownership and management of third-party risk.
When describing third-party risk management to the board of directors or executive team, the presentation must make clear the risks it presents to the corporate brand, along with the goals the security team has set to mitigate the identified risks. “The goal is to set expectations, such as what are your metrics that will be used and the defined reporting periods,” says Michael Welch, CISO for OSI Group. “The security leader needs to bring in the business stakeholders and discuss the risks that third parties present to the company, especially in a privacy world.”
Under GDPR, your organization has controllers and processors that define each third party and the data it holds, in order to determine whether any privacy concern exists. Even if no privacy concern exists, your organization still must understand what data third parties have, how they use it, and what steps they are taking to protect it. “This is especially true as businesses are moving to a cloud first position,” continues Welch. “As we continue to expand the perimeter, we are increasing our enterprise’s risks.”
Multiple emerging technologies are driving the use of third-party services. In the NC State survey, cloud technologies were the most frequently cited means of enhancing operational flexibility for a business unit or department. This was followed by robotic process automation (RPA) – the use of scripted software bots – to perform mundane administrative tasks such as data capture and database entry.
Growing initial data-sharing experiments without extending the enterprise's security posture (including assessment, testing, and ongoing management) to cover them has resulted in several well-publicized breaches of sensitive company data and personally identifiable information (PII).