Vendor Risk Management

The Importance of Vendor Risk Management

How important vendor risk management is depends on how important it is to you that your information stays protected, whether from an attacker gaining access to it or from a vendor losing it. With breaches on the rise, a high-quality third-party information security risk management program is crucial.

A common theme for many organizations is that they don’t have time to do third-party information security risk management, or they don’t have the time to do it right. There are so many competing initiatives in an information security professional’s life; I get it. Do you have a case for not prioritizing third-party information security risk management, or for not prioritizing it higher?

Let’s use logic to figure this out together.

NOTE: Notice I use the words “third-party information security risk management” in place of “vendor risk management”. This is because I think one is a little more accurate than the other. Third-party information security risk management usually fits within the scope of a larger vendor risk management program. For this article we’re going to focus on third-party information security risk management.

Three primary questions come to mind when thinking about the importance of third-party information security risk management:

  1. Is there a problem with NOT doing third-party information security risk management?
  2. If so, how big is the problem?
  3. What should you do about it?

Is there a problem?

So, you’ve got other priorities that prevent you from assessing and managing information security risks related to your vendor/third-party relationships. The fact that you have other priorities isn’t a problem, it’s reality. The fact that you may not be prioritizing third-party information security risk management, or that you may not be prioritizing it high enough, could be a big problem.

Inherently, I know two things when it comes to third-party information security risk management:

  1. Nobody cares about the security of my information more than I do.
  2. Third-parties are the cause (directly or indirectly) of most known data breaches.

Nobody cares about the security of my information more than I do.

You know this is true, right? You spend thousands of hours, and many dollars, trying to implement and manage good security controls within your organization. You’ve developed sound policies, worked tirelessly to make sure people are trained and aware of good security practices, and you’ve spent thousands (maybe millions) on expensive technological controls like firewalls, intrusion prevention, data loss prevention, endpoint protection, and on and on.

You use third-parties to provide certain services to your organization. Maybe printing, maybe hosting, maybe IT support, who knows? Do you think the third-parties you use have spent the same amount of effort in protecting your information? Is thinking they’re protecting your information the same way you are good enough? Play it out. Stay with me on the logic here.

We know that no matter what we do, we cannot possibly prevent all bad things from happening. We cannot eliminate risk, but risk elimination isn’t the goal anyway. Risk management is the goal, and it’s the only thing that’s even remotely attainable.

Let’s say a vendor loses your information (this is more likely than you know; read the next section). Or, let’s say that an attacker gains access to your information through some sort of access that we’ve granted them. What happens next?

You conduct an investigation. Maybe there are lawyers involved. Maybe there’s customer data involved. Maybe you’re not sure. One thing is for certain: somebody isn’t going to be happy. When the right (or wrong) somebody isn’t happy, somebody else needs to pay. The unhappy “somebody” might be a customer or group of customers, a government regulator, or the board of directors. The unhappy “somebody” might be all of the above.

The unhappy somebody is going to want answers. What answers do you think they’re going to want? They’ll want answers to questions like:

  • Did you know that your vendor was doing x, y, and z?
  • Did you ask how the vendor was protecting our information?
  • What sorts of questions did you ask the vendor about protection?

The quality of your answers will often dictate what and how much you’ll have to pay. No answers or bad answers will cost you more. Somebody almost always pays when something bad happens; the degree to which they pay will largely depend on what answers they have to defend themselves. This, in a nutshell, is defensibility.

Can ignorance be defensible, claiming you didn’t know any better? The short answer is “no”. The reason is outlined in the next section.

Third-parties are the cause (directly or indirectly) of most known data breaches.

Soha Third-Party Advisory Group conducted a study (Source: http://www.marketwired.com/press-release/soha-systems-survey-reveals-only-two-percent-it-experts-consider-third-party-secure-2125559.htm) last year that concluded the following: “third parties cause or are implicated in 63 percent of all data breaches.” You might be skeptical of this number, but the Soha Third-Party Advisory Group consists of some heavy-hitters in our industry: security and IT experts from Aberdeen Group; Akamai; Assurant, Inc.; BrightPoint Security; CKure Consulting; Hunt Business Intelligence; PwC; and Symantec. I didn’t write the study, but I believe that much of the findings represent the truth.
[Image: Soha Third-Party Advisory Group]

Can you claim you didn’t know better? When you’re tasked with answering the inevitable questions that are coming your way after a breach, do you really think you can claim you didn’t know?

Compounding the problem of using ignorance as a defense are the following facts:

Third-party data breaches are on the rise, at least in the United States. A study by Opus concluded the “percentage of companies that faced a data breach because of a vendor or third party was higher at 61 percent, which is up 5 percent from last year and 12 percent from 2016”. (Source: https://www.pymnts.com/news/security-and-risk/2018/third-party-data-breaches-cybersecurity-risk/)

A study conducted by Kaspersky Lab concluded that the costliest data breaches are those that involved a third-party, especially for small to medium-sized businesses (SMBs). (Source: https://mobile.itbusinessedge.com/blogs/data-security/breaches-from-third-parties-are-the-costliest.html)

[Image: Opus & Kaspersky Lab]

Do you need more justification for re-prioritizing third-party information security risk management? Maybe you run a security program based on compliance, only doing what you’ve been told to do. This isn’t a good idea because information security is about risk management, not compliance, but let’s say it’s the way you do things anyway. Compliance is king. What if I told you that regulators and examiners are aware of the risks, and they read the same news we do? They are increasing the pressure around third-party information security risk management, and they’re losing patience with organizations that haven’t taken the risk seriously. It’s better to get ahead of this curve now.

Back to our original question: is there a problem with NOT doing third-party information security risk management? My opinion, using the logic we’ve outlined together, is “yes”. There is definitely a problem with you NOT doing third-party information security risk management.

Are you convinced that you need a third-party information security risk management solution? If so, let’s figure out the right solution. If not, we’ll still be here to help when you become convinced. I promise.

How big of a problem is it?

Our next question was how big of a problem is it, meaning how pervasive is the third-party information security risk management problem in our industry? I promise to provide a short answer.

At a macro-level, relying on my unscientific observations from working with (up to 1,000) clients and discussions with other information security professionals, I would estimate that as many as 90% of the companies ranging in size from 20 – 30,000 employees do not have a third-party information security risk management program of any substance (or formality).

The problem is big in our industry. I would caution against using this as justification for not having your own program, however. The herd mentality seems to be less and less defensible too.

Our last question: what should you do about it (meaning third-party information security risk management)?

What should you do about it?

For your own good, hopefully I’ve convinced you that not doing anything, or deferring this issue until it becomes a higher priority, is not a good option. If not, as I stated previously, we will be here for you when you change your mind.

A well-designed third-party information security risk management program fits the following characteristics:

  1. It’s not disruptive to the business. After all, your business is in business to make money (and/or serve a mission). If information security gets in the way, you’ve got problems.
  2. It’s measurable in a way that you can show progress. Going from nothing, or next to nothing, to a fully implemented third-party information security risk management program is not feasible or encouraged. A solution that allows for gradual adoption over time is the right way to go.
  3. It doesn’t take shortcuts. The definition of information security accounts for administrative, physical, and technical controls. Only accounting for technical controls isn’t going to cut it, especially when we consider the fact that your most significant risk is people.
  4. It’s organized, standardized, and repeatable. These things make your program scalable and usable. The way to accomplish this is to automate all parts of the program that can be automated, without taking shortcuts.
  5. It’s intuitive, easy to use, and easy to understand. Third-party information security risk management shouldn’t be rocket science. A well-designed third-party information security risk management solution should be logical, so much so that you don’t need vast amounts of experience and expertise to run it.

We specifically designed SecurityStudio to fit all the criteria necessary in a best-in-class third-party information security risk management platform. We did so by using more than a combined 100 years of information security experience, and at a reasonable price that doesn’t unnecessarily take away from your other competing information security priorities.

I invite you to speak to a SecurityStudio representative about how SecurityStudio will work for you. Schedule a demo too while you’re at it!
