
A common theme for many organizations is that they don’t have time to do third-party information security risk management, or they don’t have the time to do it right. There are so many competing initiatives in an information security professional’s life, I get it. Do you have a case for not prioritizing third-party information security risk management, or not prioritizing it higher?

Let’s use logic to figure this out together.

NOTE: Notice that I use the words “third-party information security risk management” in place of “vendor risk management”; this is because I think one is a little more accurate than the other. Third-party information security risk management usually fits within the scope of a larger vendor risk management program. For this article we’re going to focus on third-party information security risk management.

Three primary questions come to mind when thinking about the importance of third-party information security risk management:

  1. Is there a problem with NOT doing third-party information security risk management?
  2. If so, how big is the problem?
  3. What should you do about it?

Is there a problem?

So, you’ve got other priorities that prevent you from assessing and managing information security risks related to your vendor/third-party relationships. The fact that you have other priorities isn’t a problem, it’s reality. The fact that you may not be prioritizing third-party information security risk management, or that you may not be prioritizing it highly enough, could be a big problem.

Inherently, I know two things when it comes to third-party information security risk management:

  1. Nobody cares about the security of my information more than I do.
  2. Third parties are the cause (directly or indirectly) of most known data breaches.

Nobody cares about the security of my information more than I do.

You know this is true, right? You spend thousands of hours and many dollars trying to implement and manage good security controls within your organization. You’ve developed sound policies, worked tirelessly to make sure people are trained and aware of good security practices, and you’ve spent thousands (maybe millions) on expensive technological controls like firewalls, intrusion prevention, data loss prevention, endpoint protection, and on and on.

You use third parties to provide certain services to your organization. Maybe printing, maybe hosting, maybe IT support, who knows? Do you think the third parties you use have spent the same amount of effort in protecting your information? Is assuming they’re protecting your information the same way you are good enough? Play it out. Stay with me on the logic here.

We know that no matter what we do, we cannot possibly prevent all bad things from happening. We cannot eliminate risk, but risk elimination isn’t the goal anyway. Risk management is the goal and it’s the only thing that’s even remotely attainable.

Let’s say a vendor loses your information (this is more likely than you know; read the next section). Or, let’s say that an attacker gains access to your information through some sort of access that you’ve granted the vendor. What happens next?

You conduct an investigation. Maybe there are lawyers involved. Maybe there’s customer data involved. Maybe you’re not sure. One thing is for certain: somebody isn’t going to be happy. When the right (or wrong) somebody isn’t happy, somebody else needs to pay. The unhappy “somebody” might be a customer or group of customers, a government regulator, or the board of directors. The unhappy “somebody” might be all of the above.

The unhappy somebody is going to want answers. What answers do you think they’re going to want? They’ll want answers to questions like:

  • Did you know that your vendor was doing x, y, and z?
  • Did you ask how the vendor was protecting our information?
  • What sorts of questions did you ask the vendor about protection?

The quality of your answers will often dictate what and how much you’ll have to pay. No answers or bad answers will cost you more. Somebody almost always pays when something bad happens; the degree to which they pay will largely depend on what answers they have to defend themselves with. This, in a nutshell, is defensibility.

Can ignorance be defensible, claiming you didn’t know any better? The short answer is “no”. The reason is outlined in the next section.

Third parties are the cause (directly or indirectly) of most known data breaches.

Soha Third-Party Advisory Group conducted a study (Source: http://www.marketwired.com/press-release/soha-systems-survey-reveals-only-two-percent-it-experts-consider-third-party-secure-2125559.htm) last year that concluded the following: “third parties cause or are implicated in 63 percent of all data breaches.” You might be skeptical of this number, but the Soha Third-Party Advisory Group consists of some heavy-hitters in our industry, security and IT experts from Aberdeen Group; Akamai; Assurant, Inc.; BrightPoint Security; CKure Consulting; Hunt Business Intelligence; PwC; and Symantec. I didn’t write the study, but I believe that the findings largely represent the truth.


Soha Third-Party Advisory Group

Can you claim you didn’t know better? When you’re tasked with answering the inevitable questions that are coming your way after a breach, do you really think you can claim you didn’t know?

Compounding the problem of using ignorance as a defense are the following facts:

Third-party data breaches are on the rise, at least in the United States. A study by Opus concluded the “percentage of companies that faced a data breach because of a vendor or third party was higher at 61 percent, which is up 5 percent from last year and 12 percent from 2016”. (Source: https://www.pymnts.com/news/security-and-risk/2018/third-party-data-breaches-cybersecurity-risk/)

A study conducted by Kaspersky Lab concluded that the costliest data breaches are those that involved a third party, especially for small to medium-sized businesses (SMBs). (Source: https://mobile.itbusinessedge.com/blogs/data-security/breaches-from-third-parties-are-the-costliest.html)

Opus & Kaspersky Lab

Do you need more justification for re-prioritizing third-party information security risk management? Maybe you run a security program based on compliance, only doing what you’ve been told to do. This isn’t a good idea, because information security is about risk management, not compliance, but let’s say it’s the way you do things anyway. Compliance is king. What if I told you that regulators and examiners are aware of the risks, and that they read the same news we do? They are increasing the pressure around third-party information security risk management, and they’re losing patience with organizations that haven’t taken the risk seriously. It’s better to get ahead of this curve now.

Back to our original question: is there a problem with NOT doing third-party information security risk management? My opinion, using the logic we’ve outlined together, is “yes”. There is definitely a problem with you NOT doing third-party information security risk management.

Are you convinced that you need a third-party information security risk management solution? If so, let’s figure out the right solution. If not, we’ll still be here to help when you become convinced. I promise.

How big of a problem is it?

Our next question was how big a problem this is, meaning how pervasive the third-party information security risk management problem is in our industry. I promise to provide a short answer.

At a macro level, relying on my unscientific observations from working with (up to 1,000) clients and discussions with other information security professionals, I would estimate that as many as 90% of companies ranging in size from 20 to 30,000 employees do not have a third-party information security risk management program of any substance (or formality).

The problem is big in our industry. I would caution against using this as justification for not having your own program, however. The herd mentality seems to be less and less defensible too.

Our last question: what should you do about it (meaning third-party information security risk management)?

What should you do about it?

For your own good, hopefully I’ve convinced you that doing nothing, or deferring this issue until it becomes a higher priority, is not a good option. If not, as I stated previously, we will be here for you when you change your mind.

A well-designed third-party information security risk management program fits the following characteristics:

  1. It’s not disruptive to the business. After all, your business is in business to make money (and/or serve a mission). If information security gets in the way, you’ve got problems.
  2. It’s measurable in a way that you can show progress. Going from nothing, or next to nothing, to a fully implemented third-party information security risk management program is not feasible or encouraged. A solution that allows for gradual adoption over time is the right way to go.
  3. Doesn’t take shortcuts. The definition of information security accounts for administrative, physical, and technical controls. Only accounting for technical controls isn’t going to cut it, especially when we consider the fact that your most significant risk is people.
  4. Organized, standardized, and repeatable. These things make your program scalable and useable. The way to accomplish this is to automate all parts of the program that can be automated, without taking shortcuts.
  5. Intuitive, easy to use, and easy to understand. Third-party information security risk management shouldn’t be rocket science. A well-designed third-party information security risk management solution should be logical, so much so, that you don’t need vast amounts of experience and expertise to run it.

We specifically designed SecurityStudio to fit all the criteria necessary in a best-in-class third-party information security risk management platform. We did so by drawing on more than 100 combined years of information security experience, and at a reasonable price that doesn’t unnecessarily take away from your other competing information security priorities.

I invite you to speak to a SecurityStudio representative about how SecurityStudio will work for you. Schedule a demo too while you’re at it!

Historical Use of Vendors Over Time

Before we address the purpose of vendor risk management we need to spend a few moments to understand how we got here. Looking back 20 years, third-party vendors were used differently, and not used as much. We did not perform any sort of vendor risk management. The decision to use a vendor was based primarily on cost. Today is a much different picture. We can easily create an entirely new business with a laptop, an internet connection and a credit card. Software solutions can be purchased and used within organizations without getting IT involved, skipping the chance to properly evaluate the potential risk. The threat landscape has changed vastly and continues to evolve seemingly faster all the time.

Shift Control from Internal to Third Party

I reminisce about my first job coming out of college. The large company I worked for didn’t have internet access, we didn’t have email, and we didn’t exchange data or allow others to access our data. All the control was in our hands. If we suffered some sort of incident it was up to us to fix it and get back on track. Today we outsource to third-party vendors for strategic reasons (increased efficiencies, new services, focus on core business objectives, etc.). Risky vendors will then increase our risk if not properly evaluated and managed. The control is shifted from us to the vendor. How much data are we giving to the vendor? Does a disruption in the vendor’s ability to provide services create an unacceptable situation? Does the vendor have a formal approach to securing your data? Do they have a risk management program that’s formally mandated and supported by their executive management? Do they treat your data with the same standards as you do?

Purpose of Vendor Risk Management

The lack of a complete and effective vendor risk management program puts organizations at risk. Regulated industries like finance, healthcare and public utilities all require ongoing risk assessments. The use of third-party vendors needs to be incorporated into the risk assessment. A thorough and efficient vendor risk management program can make a difficult process run more smoothly.

Another reason you should consider a formal vendor risk management approach is to address the business impact risk that’s introduced by utilizing third-party vendors. Your reputation could be tarnished by the actions of a vendor you use. Your organization could suffer unacceptable downtime or lack of service due to a vendor’s internal business practices (or lack thereof). You could also be affected by a third-party vendor’s financial situation. If a vendor provides a critical or unique service that is not easily replaced, it’s in your best interest that their finances are in good order. Can they keep their lights on and provide you with the critical services you pay them for?

In its simplest form, the purpose of vendor risk management is to ensure that your use of third-party vendors does not introduce a negative impact, cause business disruption, or damage your reputation. It also puts you in a defensible position by showing you’re practicing proper due care and due diligence regarding information security and vendor risk management.

Vendor Risk Management Process

The vendor risk management process comprises four steps. Once the initial process is started, new-vendor and annual vendor reviews will be much faster and simpler to manage.

  1. Identify your vendors – Any individual or company who provides you paid services. Working with Accounts Payable will cast the biggest net. Don’t forget about services purchased on a credit card, so check those statements!
  2. Classify your vendors – Now that you have the master vendor list, you need to classify each vendor into high-, medium- and low-risk categories. Department managers are typically the best placed to determine this, since they have an idea of the types and amount of data the vendor has access to, as well as how the vendor is used and what impact the vendor has on the business. This can sometimes be difficult at first because some managers might not understand their role in the vendor risk management process.
  3. Assess vendor risk – A risk assessment should be performed on all high- and medium-risk vendors. The risk assessment should use the same criteria for all classes of vendors. Higher-risk vendors will be under the microscope a bit more than the medium-risk vendors. Low-risk vendors simply need to be evaluated for risk and documented. It’s important to show you’ve evaluated and classified ALL vendors, not just the ones you feel are important.
  4. Risk treatment – Once risks are identified you need to determine if the risk is acceptable or if you will ask/require the vendor to mitigate the identified risks. Remediation efforts by the vendor should be monitored, and the vendor should give you assurance that they did indeed address the risks identified. This might come in the form of a policy developed, audit results, or a verified risk assessment performed by a certified information security expert.

The entire process is repeated on a regular basis, preferably annually. The initial startup of a vendor risk management program can be daunting, but with the correct tools it doesn’t have to be.

Who Do We Work For?

We all work for someone. Our industries might be vastly different, but the common item we all have is that we work for people. People entrust us with their finances, healthcare data, personal data, retirement funds, school grades, etc.; the list goes on and on. Behind all that data are mothers, fathers, grandparents, aunts, uncles, nieces, nephews, sons, daughters, friends and neighbors. We owe it to them to do everything we can to protect their data as if it were our own. This is the REAL purpose of vendor risk management.

If you want an easy-to-use automated workflow that evaluates all third-party vendors and brings your weakest links to the surface, schedule a demo with us today!


Information security programs are around to protect the data of the businesses they are a part of. Understanding risk is an important part of that, but ultimately it’s the business’s job to make decisions on what types of risks they are willing to accept. It’s the information security program’s job to make informed recommendations about those risks. Sometimes, though, those recommendations are ignored.

While it’s important to make decisions that are best for the business, deviating from security recommendations can pose challenges. It’s important that you maintain a simple, standardized, and defensible information security program (and vendor risk management specifically). Certain business decisions detract from that.

Simplify

We fully understand that a business’s first goal is to make money. That’s why businesses exist. Security programs are meant to create efficiencies that align with your business objectives to be a driving force for profit— not the other way around. However, if you choose to make decisions independent of your security team’s recommendations, you can actually do the opposite.

Information security programs (and their vendor risk management initiatives in particular) can have a monumental impact on the efficiencies of an organization— especially as it pertains to employee time.

People in information security programs are often required to chase down vendors. You need to have an inventory of all of your vendors so that you know who poses threats to you. In order to do that, your security team will start at accounts payable, get a list of the current vendors your business works with, and then spend ludicrous amounts of time trying to understand the level of risk each vendor poses.

Because your information security professionals have a limited understanding of what each vendor does, they have to get an idea from the person who works with the vendor most closely of how those interactions may pose security threats. You now have two employees taking up their time to get this information figured out.

Once this is finally determined, the information security employee is going to send out a questionnaire or spreadsheet to the vendor in hopes that the person on the other end is the right contact, that they’ll fill it out correctly, and that they won’t have to be chased down every three weeks to see if it’s been completed yet.

Do you see how time-consuming this can be?

A vendor risk management tool automates many of these processes. It eliminates the chasing, the back-and-forth, and the manual entry your information security employees would otherwise go through. Because of this, their time can instead be used on the things that will make the most positive impact on your bottom line. The same is true with the non-security employees that have to assist.

You may decide that you don’t want to spend the money on an automated solution to help you smooth out these processes. Doing these things without systems, though, creates unnecessary complexities— and complexity is the enemy of security and business.

Standardize

Standards are crucial when it comes to information security. There are rules, guidelines, principles, and best practices that should help feed your information security decision-making.

Information Security Industry Standards

Certain industries have requirements and regulations they are asked to follow with regards to information security. If your organization fits their threshold, you likely have no choice but to comply. While these standards don’t necessarily provide the perfect example of what security is, they do provide good foundational rules to follow. Deviating from the rules of industry standards can have two effects.

The first is actually an example of where deviating from rules and standards can be a good thing. As mentioned before, security standards often provide a good foundational base for your security programs, but they are often just that— a minimum requirement that helps you get started. Businesses can (and should) deviate from industry standards by adding to them. Adding measures on top of what the industry standards suggest you accomplish in your security program is an important step in bolstering your protections.

The opposite side of that coin is choosing to skip or ignore standards that are required by your industry regulations. Doing this can severely damage your business. Payment card industry (PCI) compliance is a good example of this. Many small businesses choose not to go through the steps of becoming PCI compliant because of the time, effort, and money that goes into complying. However, a breach that impacts your customers’ credit card information often creates irreparable financial and reputational losses that could end up forcing you to close your doors permanently.

When it comes to vendor risk management, the same concern applies. You can choose to deviate from acceptable industry norms here too. Some organizations choose to change up the assessment questions that they ask their vendors to complete regarding their risk. Doing so may push you outside the compliance threshold within your industry standards, and it also requires someone to justify the changes. Justification relies on subjectivity rather than objectivity, and makes it significantly more challenging to explain if you need to defend your decision.

Internal Standards

Standards are one way to get everyone within your business on the same page about things like acceptable risk levels, information security spending, incident response measures, and more. Implementing a set of policies and procedures that are standard across your organization, and across organizations similar to yours, ensures that you’re taking the appropriate measures to mitigate risks and protect your business.

Deviating from your internal standards proves that they aren’t the right standards. If you feel that you need to make decisions that go against the standards of your organization, they clearly aren’t working for your business. And you won’t be able to expect others to follow them if you aren’t either.

Your risk increases as you deviate from standards too. Take the S2SCORE for example. You can use risk assessment metrics like S2SCORE to set a risk threshold you want your organization and vendors to uphold. You might make a decision that everyone needs to be above a 650 in order to continue working with them. Sometimes, though, the business might feel the need to make a decision outside the standards set in place. You may work with an organization whose business is critical to the success of yours. Therefore, you may want to accept them as a vendor despite their S2SCORE being 550 instead. While it’s important you make these kinds of decisions if you feel they’re critical to the business, it’s also important to understand that this increases the likelihood your data is compromised.
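The four-step process from the Vendor Risk Management Process section above and the 650 threshold with a documented 550 exception described here, worked through as a small vendor register. This is an added example, not SecurityStudio’s code or the S2SCORE product; the sensitivity/impact scales, status names and sample vendors are assumptions.

```python
"""Vendor risk register: identify, classify, assess and treat, with an
S2SCORE-style threshold of 650 and written exceptions. Added example, not
SecurityStudio's code; scales, status names and sample vendors are assumptions."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

SCORE_THRESHOLD = 650                  # article: "everyone needs to be above a 650"
REVIEW_INTERVAL = timedelta(days=365)  # article: repeat the whole process annually

def identify(accounts_payable: List[str], card_statements: List[str]) -> List[str]:
    """Step 1: master list from Accounts Payable plus credit-card purchases,
    de-duplicated on a normalised name so 'Acme Hosting' and 'ACME HOSTING ' match."""
    seen: Dict[str, str] = {}
    for name in accounts_payable + card_statements:
        clean = " ".join(name.split())
        seen.setdefault(clean.casefold(), clean)
    return sorted(seen.values(), key=str.casefold)

@dataclass
class Vendor:
    name: str
    data_sensitivity: int   # constructed scale: 0 none, 1 internal, 2 confidential/regulated
    business_impact: int    # constructed scale: 0 replaceable, 1 disruptive, 2 critical
    score: Optional[int] = None             # assessment result; None = not yet assessed
    exception_reason: Optional[str] = None  # written business justification, if any
    last_review: Optional[date] = None

def classify(v: Vendor) -> str:
    """Step 2: the department manager's view of data access and business impact;
    the worse of the two drives the high/medium/low category."""
    return ("low", "medium", "high")[max(v.data_sensitivity, v.business_impact)]

def needs_assessment(v: Vendor) -> bool:
    """Step 3: high and medium vendors are assessed; low vendors are documented only."""
    return classify(v) != "low"

def treatment(v: Vendor, today: date) -> str:
    """Step 4: a below-threshold vendor is acceptable only with a written exception;
    that record is what makes the decision defensible after an incident."""
    if v.last_review is None:
        return "pending_assessment" if needs_assessment(v) else "pending_documentation"
    if needs_assessment(v) and v.score is None:
        return "pending_assessment"
    if today - v.last_review > REVIEW_INTERVAL:
        return "review_overdue"      # exceptions are re-justified on the annual cycle too
    if v.score is not None and v.score < SCORE_THRESHOLD:
        return "accepted_with_exception" if v.exception_reason else "remediation_required"
    return "accepted"

def register_report(vendors: List[Vendor], today: date) -> Dict[str, Tuple[str, str]]:
    """Every vendor appears, low-risk ones included: the record shows that ALL
    vendors were classified, not just the ones that felt important."""
    return {v.name: (classify(v), treatment(v, today)) for v in vendors}

def exception_log(vendors: List[Vendor], today: date) -> List[tuple]:
    """The answers you will be asked for later: who is below the threshold,
    by how much, and the recorded reason for keeping them."""
    return [(v.name, v.score, v.exception_reason) for v in vendors
            if treatment(v, today) == "accepted_with_exception"]

# Constructed sample register
TODAY = date(2019, 6, 1)
SAMPLE = [
    Vendor("Acme Hosting", 2, 2, score=720, last_review=date(2019, 2, 1)),
    Vendor("Critical Parts Co", 1, 2, score=550, last_review=date(2019, 3, 1),
           exception_reason="Sole supplier; risk accepted by CEO 2019-03-01, revisit at renewal"),
    Vendor("Print Shop", 0, 1, score=610, last_review=date(2019, 4, 1)),
    Vendor("Office Plants", 0, 0),
    Vendor("Old Payroll Bureau", 2, 1, score=700, last_review=date(2018, 1, 15)),
]
```

Running `register_report(SAMPLE, TODAY)` shows the 550-score vendor as accepted only because a written reason exists, while the 610-score vendor with no reason is flagged for remediation and the vendor last reviewed in 2018 is flagged as overdue.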

Defend

Ultimately, creating standards and sticking to them is all about making your organization more defensible in the event that something does go awry and your data is compromised. Breaches do happen. Often. It’s impossible to prevent all breaches.

Deviating from standards makes your business less defensible when a breach happens.

If your business feels it needs to make exceptions to rules for its benefit, that’s fine. If you make a system standard, you just have to defend the standard. Make sure you’re taking a logical and objective approach to all of your exceptions before implementing them. This will help you stay defensible (and help you ensure that your decisions aren’t going to have a negative impact on your security).

If you make decisions that deviate from standards, customize systems too much, etc., it becomes increasingly more difficult to explain your case to those who are asking. Unfortunately, a breach’s impact stretches beyond your boardroom. Customers, news outlets, lawyers, and more will be asking questions about how and why things happened the way they did— and what you plan to do about it.

Particularly on the legal side and the industry regulator side of this, you’re going to have to explain why this incident happened. If you make exceptions to rules, you have to defend the logic behind the exception. Why didn’t you go with your standard? This is important to think about as we consider making decisions that extend beyond the scope of industry and internal standards that have already been implemented.

Conclusion

While it’s important for businesses to take information security recommendations seriously, it’s also important to remember that information security programs are around to supplement the business’s objectives. For that reason, businesses should be allowed to make decisions outside the scope of industry and internal security regulations. If they do, though, there can and will be consequences. Weighing those consequences can be challenging, and it can be difficult to defend the logic behind any deviations. At the end of the day, if you’re going to make decisions outside the recommendations of information security standards, ensure they still help your business simplify, standardize, and defend.
