What is third-party information security risk management?
Third-party information security risk management (“TPISRM” or vendor risk management for short) is a critical component for ALL information security programs. You cannot adequately account for information security risk without also accounting for TPISRM.
TPISRM isn’t new. Some organizations have been doing it for a long time. Mostly larger companies (with adequate resources) driven by compliance requirements. In the early 2000s, I worked on TPISRM for a few Fortune 500 companies and saw first-hand how things were done.
In 2013, TPISRM took center stage when Target Corporation became aware of a significant data breach involving one of their third-party providers (Fazio Mechanical). This was one of the most publicized cybersecurity breaches of all time because of the timing (holiday season), the number of people affected (110 million+), and the fact that Target is one of the largest retailers in the world.
One of the many lawsuits that stemmed from the Target breach was a derivative action where shareholders filed suit against Target’s board of directors, essentially Target suing Target. When this happens, the court appoints a special litigation committee (SLC), and this is where I fit in again. I was retained by the SLC to assist and consult them . What does this have to do with TPISRM? A lot! Vendor risk management program (or lack thereof) played a critical role in the breach.
Unfortunately, not enough has changed since then:
- 66% of security professionals think that it’s possible or definite that they suffered a breach through third-party access
- Roughly 61% (just shy of two-thirds) of U.S. companies have experienced a data breach caused by a third-party.
- Third-party breaches and security incidents are more costly than ever, especially for smaller organizations.
- Only 52% of the companies in the United States have security standards for third-parties.
TPISRM is more important than it’s ever been, and if you’re waiting for someone else to make you do it, it will be too late. Whatever you do, don’t half-ass this.
Three things before we jump into the “must-haves”:
- TPISRM can be done right and inexpensively, even in smaller organizations.
- You must engage in TPISRM, either now or later. “Now” hurts less.
- If you’re going to do TPISRM (which you’d better), make sure you do it right.
Quick SecurityStudio Introduction
SecurityStudio (or S2) is a community and mission-driven information security solutions company dedicated to simplifying information security management and compliance. We help people and organizations in all industries (public and private) master information security fundamentals by providing practical tools on our best-in-class SaaS platform and through our trusted service partners.
The S2 platform is the premier risk and digital safety assessment tool in the world. Driven through our easy-to-use interface, information security risks can be assessed and managed for individuals (consumers and employees/personnel), the organizations they work for (public and private sector), and their vendors. With more than 3,000 assessments completed, our platform has been proven to be successful in simplifying and improving information security for hundreds of thousands of people.
- S2Score – our quantitative scoring metric, plotted on a scale between 300-850.
- S2Org – our organizational information security risk assessment tool.
- S2Vendor – our third-party information security risk assessment tool.
- S2Team – our team/personnel information security risk assessment tool.
- S2Me – our personal information security risk assessment tool.
In this document, we’ll discuss things related to S2Score, S2Org, and S2Vendor, but don’t worry, I won’t get salesy. I want you to get value from reading this more than I want to sell you something.
Alright, the seven “must-haves” for TPRISM.
Must-Have #1 – Adequate Coverage
Your TPISRM MUST account for administrative, physical, and technical risk.
The most tempting place in TPISRM to take shortcuts is to treat it like it’s a technical or IT issue. DON’T! It’s not! It’s a business issue and to treat it as anything else will be done at your own peril.
Effective TPISRM practices MUST account for administrative, physical and technical risks. Isn’t it easier (and more likely) for an attacker to go through a secretary (or another person) than it is to go through a firewall, and who cares about a firewall when an attacker can just steal the server? This is truth. I know it. You know it. Certainly, attackers know it too.
Technical controls are part of TPISRM. Technical controls are not TPISRM in its entirety. Slight, but significant difference. Scans are good, but they won’t tell you squat about a third-party’s employee training program, asset management practices, onboarding/offboarding processes, access control procedures, server room security, etc., etc.
DO NOT TAKE SHORTCUTS
Must-Have #2 – Automated Workflows
Using manual processes with spreadsheets and calendars is error-prone, costly, and ineffective.
The only people who claim spreadsheets are the way to do TPISRM have either never done TPISRM or they’re stuck in the dark ages (“this is the way we’ve always done it”). Not only is using spreadsheets a pain in the butt, it’s expensive and ineffective.
There’s a much better way! Use an automated workflow where TPISRM processes (inventory, classification, assessment, remediation, etc.) are programmatic. If you’ve got money to waste, you could build your own automated workflow tool, but a better choice is probably using a commercial tool. Automated workflows ensure that everything is tidy and easy to manage. If you’re handling any more than one or two third-party relationships, an automated workflow is a must.
Another fact; there is a demonstrable ROI in using an automated workflow versus using manual processes.
USE AN AUTOMATED WORKFLOW-ENABLED TOOL
MUST-HAVE #3 – Distributed Workloads
No single person knows enough about all vendor relationships to be effective.
The wrong way to handle TPISRM is to name a “TPIRSM Manager” or “Vendor Risk Manager” and leave everything to them. It’s unlikely that this person engaged the third-party in the first place, understands how the organization uses the third-party, and/or maintains the relationship with the third-party.
For each third-party relationship, there’s someone who’s responsible for the relationship. We sometimes call this person the “relationship manager”. These people must be involved in the TPISRM process. The best place for this person/group to be inserted into the TPISRM process is usually:
- Third-party inventory management – validating that the third-party is still engaged by the organization.
- Vendor contact maintenance – validating that the third-party’s contact information is valid.
- Inherent risk determination (or classification) – validating how the organization uses the third-party, including the nature of the products or services provided.
If you’ve addressed the first two “must-haves” in our list, ensure that the tool you use will enable or facilitate participation from other people and groups. A shared workload makes everything better.
DO NOT TRY TO TACKLE TPISRM ALONE
MUST-HAVE #4 – Quantification
It’s easier to defend a process or system than it is to defend your judgment.
Regardless of how good you get at TPISRM, a bad thing (breach, disruption, or whatever) will eventually happen. No matter what you do, you cannot prevent all bad things from happening, but that’s not the point anyway. Risk elimination is impossible. Risk management IS possible, and it’s the objective.
The truth is, at some point you’ll need to defend your TPISRM program from someone, and they’ll probably question your judgement. It might be the board of directors, a regulator, a customer, or (God-forbid) opposing legal counsel. Somebody, somewhere, is going to question what you’re doing.
Quantification helps take your judgement out of the equation, and quantification comes through measurement. Quantification allows you to make comparisons between third-parties and set thresholds of acceptable risk. Setting a threshold of acceptable risk is easier to defend because you hold all third-parties to the same standard. One-off and arbitrary decision-making will be much harder to defend.
I have trouble remembering what I did last weekend let alone a decision I made in February of last year.
Adding to defensibility is using a tool, process, and/or risk threshold that’s used by others. There’s (some) safety in the herd.
MUST-HAVE #5 – Objectivity
Binary (1 or 0) decisions are more efficient, easier to defend, and scorable.
Which question is more efficient, easier to defend, and scorable:
- Tell me about your information security program? OR
- Do you have a documented information security program?
How about these:
- How do you train your employees? OR
- Do you train your employees?
Binary (1 or 0, “yes” or “no”, etc.) questions are objective and create a much better measurement/quantification than do subjective, open-ended questions. The downside to objective questions is the to ask more of them. Once someone answers “Do you train your employees?”, we’ll need to ask more binary questions about the training.
Using objective criteria will also reduce the need for interpretation where two people can look at the same subjective/open-ended response and interpret in completely opposite ways. Subjectivity steals the efficiency and defensibility out of our TPISRM program.
USE OBJECTIVE QUESTIONS/CRITERIA
MUST-HAVE #6 – Inventory Management
Garbage in, garbage out.
The entire TPISRM process starts with your inventory of third-party relationships. It’s the first step. There’s the initial inventory and ongoing inventory management.
Build your initial inventory by checking who you’re paying, either through invoices, credit card payments, or employee reimbursements. Chances are good that you’re paying your third-parties in some manner, so Accounts Payable (or similar) is a great place to start.
In order to keep your inventory current, the “ongoing inventory”, you’ll need to determine how important it is for you to maintain a live inventory or if a periodic third-party inventory reconciliation is good enough. The answer should be a function of the churn in your third-party relationships. If third-parties come and go often, then there’s more justification for the live inventory approach. In a live third-party inventory scenario, you’ll need to make sure your third-party engagement/procurement/enrollment process is tightly-integrated with your TPISRM processes. Maybe you don’t pay any third-party until they’ve been assessed for cyber risk.
Periodic reconciliation consists of validating your inventory periodically, maybe on an annual basis.
A good TISRM tool accounts for all the “must-haves” here, including assistance with third-party inventory management. Entering third-party information one-by-one is fine but becomes a real pain when you have many third-parties to enter. A great feature is the ability to upload third-party information in bulk and a potential integration through APIs with other enterprise systems.
YOU CANNOT ACCOUNT FOR THIRD-PARTY RELATIONSHIPS YOU DON’T KNOW YOU HAVE
Must-Have #7 – Simplified Processes
Complexity is the enemy of information security.
Your TPISRM process shouldn’t consist of any more than four primary steps. If it’s more than four steps, you might be making this harder on yourself. The four steps are Inventory, Classification, Assessment, and Decision-Making. That’s it.
In some cases, you may need to repeat steps, but it’s still only four steps. For instance, you may decide (Decision-Making) that the risk posed by a third-party is unacceptable. In this case, you could decide to remediate, which will then lead back into the Assessment step.
DO NOT OVER-COMPLICATE THIS
BONUS: Third-Party Risk Assessment/Questionnaire Re-Use
Everybody hates filling out dumb questionnaires.
I have yet to meet anyone who enjoys filling out TPISRM questionnaires from their customers. If I did, I’d question their sanity. Filling out questionnaires is a waste of time. There are three ways we can make this more enjoyable and usable for everyone.
- What if we made the questionnaire into an organization’s information security risk assessment?
- What if an organization’s own/internal information security risk assessment could be used in lieu of a questionnaire?
- What if we reused a questionnaire that a third-party completed for someone else?
Yes, yes, and yes please!
On the SecurityStudio platform we’ve developed two effective, best practice, and simple tools to enable all the “must-haves” in this document, and significantly reduce wasted time, effort, and money for your third-party friends. By reusing assessments and questionnaires, you’ll get better results in your TPISRM efforts and your third-parties will sincerely appreciate having to do less work!
The tools are S2Vendor and S2Org.
S2Vendor is our best-in-class TPISRM tool for organizations of all shapes and sizes. S2Org is the best organizational information security risk management tool for vendor performance regarding security anywhere. Combined, there are no other solutions that compare!
Let’s demonstrate how these tools work together.
- A third-party who completes an S2Vendor questionnaire can use the same information to manage their information security program with a simple click of a button. The click of the button imports their responses into their own (private) S2Org portal where they can track results, print reports, create a roadmap (risk treatment plan), manage the roadmap, and much more! Not only can the third-party use this information to improve their security program in a measurable way, but they’re also more inclined to provide truthful answers to you as their customer.
- There are more than 3,000 organizations who already use the SecurityStudio platform and S2Org for information security risk assessments and management. Rather than having to complete another tedious questionnaire, an S2Org user can just choose to share their assessment (or resulting S2Score) with the S2Vendor user (you).
- If an S2Vendor third-party risk assessment has already been completed on behalf of a vendor by someone else, rather than completing another assessment, you can allow them to confirm and reuse one that they’ve already completed. This saves you the headache of dealing with pushback and saves your third-party vendors a lot of time.
There you have it. If you want to build a TPISRM practice/program the right way, these are seven things that you must have. Short cuts, manual processes, bottlenecks, subjectivity, gaps, and complexity must all be accounted for and taken out of the equation. If you’re into these things, well, that’s too bad. They’ll eventually come back to haunt you.
All the best.
Evan Francen CEO