How To Build A Third-Party Risk Management Program

As businesses have grown from self-contained entities to broader digital ecosystems, they have started outsourcing more and more processes to increase their effectiveness and efficiencies. But they haven’t always paid attention to where their data is going and who has access to it, which is why third-party risk management is becoming increasingly important.

Third-party cyber risk management was the topic of Monday night’s episode 66 of Task Force Radio, and it is “a massive point of exposure that has not been paid attention to [and] has been more of a compliance afterthought, at best,” said Fred Kneip, the CEO of CyberGRX, a third-party risk management firm. Kneip and Scott Schneider, the company’s chief revenue officer, were the guests of host George Rettas, president and CEO of Task Force 7 Radio and Task Force 7 Technologies.

Yet, 60% to 70% of breaches today involve a third party, according to Kneip, so now people are now paying closer attention to the data they outsource.

“We've had conversations with many companies [that] don't even know who [their] third parties are,’’ Kneip said.

Why third-party risk management is important now

Most organizations are starting to realize that third parties “represent the area between potentially the easiest attack vector and the most prehistoric defense mechanism of spreadsheets and share points and other manual processes,’’ said Schneider. This has created a “resource challenge” for almost every company using a growing system of third parties, he said.

Rettas homed in on that, asking what is driving the need for enhanced third-party compliance risk management (TPCRM) programs now? Kneip said he has seen informal surveys from resellers that cite third-party risk is typically among the top three things customers are talking about.

“They're still trying to get their head around exactly what that means, what they're going to do, but they know it is an exposure, an area that they need to pay attention to," he explained.

There are cyber security professionals who see their job as acting as a “blocker” to stop bad things from happening, Kneip said. Then there are others who view their job as facilitating good decision making by the business and elucidating the risks that should be addressed. Programs with that mindset are more effective, he said.

Risk managers should be considering the level of scrutiny they are giving to third parties, such as, are they allowed network access and are they allowed on site?

“These are triggers that can help prioritize who you should pay attention to and then justify a greater level of scrutiny and digging in, he said. “Sadly, what we've seen is a lot of times people will basically say, ‘Who do I spend the most money with? Those are going to be my highest risk.’ And that's not true.”

The more “sophisticated programs understand where that risk lies.” Those risk managers also have a good relationship with their business counterparts, which drives better decision making, Kneip said.

Why third parties are so vulnerable

Kneip and Schneider believe threat actors focus on third parties because they are “a path of least resistance” and that people have spent the majority of their time protecting their environment, but they haven't paid as much attention to where data might be going or what vectors are coming into their environment, which creates greater exposure.

“The simple answer is hackers are smart,’’ Kneip added. “They're going to find that weakest link in your chain and use that as a means to get in.” Couple that with the fact that “a typical security practitioner is stretched. They can't, or historically have not focused all the way down that [third-party] chain.”

Threat actors will keep targeting third parties until these vendors start “to really build up third-party defenses,’’ he said.

Rettas asked what the top assets are that these actors are looking for when they attack a third party? Kneip replied that it is mostly confidential data such as credit card numbers and health care information, which is valuable on the dark web.

In response to a question from Rettas about how CISOs and risk officers can better determine what the appropriate level of due diligence is that they should be performing on third parties, Kneip said it starts with the inherent risk they are facing from that company.

They need to be able to figure out what the impact is of sharing that information and how much should be shared, and whether they have “the basic hygiene in place,” he said.

Then it’s time to “step it up” and understand what level of segmentation exists at a third party to secure your data, he said. “And you need to be thinking from the attacker mindset. If someone's going after them, what do they do?

In response to a question from Rettas about the kind of mistakes they see companies making as they try to enhance their TPM programs, Kneip cited a quote from the CSO of a large health care company that "Compliance does not equal security and stop thinking that way."

Stretching security budgets

How can organizations stretch budgets to accommodate for the growth of third-party ecosystems?

“The key piece here is recognizing that what may have worked in the past is not the right approach going forward, and that if you have 30 key third parties, you can do a manual process and look at each one of them and compare them,” said Kneip.

Once that number increases, that same approach doesn't work, he said, “and you need to start thinking about more scalability or more capability to use data sets versus trying to run that process over and over again.”

If you assess a company once, that data can then be shared when assessing others, at a much lower cost, he said.

“So instead of spending all your time … trying to collect information, you actually have that data available and standardized, and you can actually start using it to manage risk effectively.”

Rettas pointed out that “The information security piece of a review of a third-party risk is just a piece of that risk review” and there are other efforts that go into a relationship with third parties. He asked how information security assessments are being used in larger TPM programs?

Kneip said Schneider spearheaded a survey that shows a lot of people are doing assessments “and then taking the data and not doing much with it.”

If a CyberGRX customer can tell their third party that they need them to fix three things and remediate those control gaps in the next 90 days, both sides appreciate that, Schneider said. “Ultimately, I think most all companies just want to drive frictionless commerce and be able to do business together in a manner that makes both their businesses thrive,’’ he added.

The future of third-party risk assessments

Looking ahead, Kneip said he sees companies moving from a do-nothing to compliance mindset to true risk management. People will start to appreciate the need to manage risk from third parties, as well as understanding it, how to report on it, and how to drill down further.

“We're still seeing that [there is] a minority of people who truly have the full view of the risk that exists, and then what should you be doing about that,’’ he said.

Risk management tools can help organizations understand the breadth of that risk and how they can manage it, he said.

“Unfortunately, you're going to see [in] 2019 and 2020, a multitude of third-party breaches that will continue in the same way that we saw through 2018, and that will continue hopefully, to drive some attention to this space,” he said.

Even with AI being incorporated into tools to measure risk, “you need to really change the mindset of the practitioner to truly a risk manager,’’ Kneip stressed. It’s not enough to just do risk assessments of all your third-party vendors. “That’s risk identification, not risk management,’’ he said.

Once the mindset changes there will be a real reduction in exposure, he said. “And that's when you'll see hopefully … [that] people will say, ‘Yeah, third-party risks are no longer that path of least resistance.’”

In the next five years, there will be continued automation, and some level of dynamic visibility, added Schneider, which will “springboard the industry.”

Also in the next couple of years, Schneider said he foresees “everyone coming together as a community … This is a force multiplier issue, this is a resource issue, and the only way to really address that is leveraging some level of community, of crowd sourcing, of an exchange.”

The ‘Task Force 7 Radio’ recap is a weekly feature on the Cyber Security Hub.

To listen to this and past episodes, click here.