Best practices for a world class third party cyber risk program
Vanessa Jankowski, Senior Vice President & General Manager, TPRM & CNI, Bitsight was a speaker at our recent Vendor & Third Party Risk USA Congress.
The views and opinions expressed in this article are those of the thought leader as an individual, and are not attributed to CeFPro or any particular organization.
What security issues are most correlated with breaches?
A recent study by Marsh McLennan found fourteen Bitsight cyber analytics had significant correlation with the occurrence of cyber security incidents. The strongest correlation was in the area of Patching Cadence, which tells us how effective an organization is at keeping their systems and software up to date. No surprise here – the better you are at keeping up with the fundamentals, the better protected you are against a breach. We see a similar trend when it comes to the occurrence of ransomware attacks.
Poor Patching Cadence, along with failure to adopt best practices for network encryption and the presence of specific vulnerabilities, shows a strong correlation with this type of security incident. When brought into a third party risk management context along with a clear picture of inherent vendor risk, these analytics can provide a roadmap for where and how to focus your third party risk mitigation efforts in a way that is data driven, objective, and scalable.
The ability to achieve scalable risk reduction has never been more important given the state of digital transformation, an evolving cyber risk landscape, and an economic environment that is asking all of us to do more with less.
How can continuous monitoring be used to alert for risks?
With a strong roadmap in place for where to focus limited resources in a way that’s aligned to real world outcomes, organizations can put in place a continuous monitoring program to deliver effective third party cyber risk management. Continuously monitoring your third parties’ cyber security performance is a great way not only to maintain awareness of risks across a dynamic, complicated ecosystem, but also to establish agency as you try to mitigate risk over time.
Many organizations evaluate a vendor’s security posture and policies when they begin their commercial relationship, but setting and continuously tracking adherence to cyber security performance expectations allows you to act and collaborate with your third parties to mitigate risk when they move out of sync with your risk appetite. In the spirit of doing more with less, it’s important to approach continuous monitoring as you would other business initiatives.
The effort you put in should be aligned to the value you get back. Put another way, you want to make sure your risk management efforts are aligned to the risk presented by the vendors themselves. How can we make that happen? By starting with a strong understanding of vendor risk that informs your risk appetite which in turn informs everything from how you configure your third party cyber risk tech stack to how you resource and execute on risk management practices over time.
This foundation can set you up for success not only in the business as usual context, but also when something goes wrong that affects the cyber landscape at large (remember SolarWinds?).
How can we identify vulnerabilities across third party vendors?
It’s not easy! Third party risk management is inherently complicated – when you combine that complexity with the dynamic nature of cyber risk, it becomes even more challenging. The total number of vulnerabilities increased by 25% in the last year, while the number of “Known Exploited Vulnerabilities” nearly doubled.
To keep up, organizations need to have a continuous monitoring program in place that includes both insights and a playbook for dealing with vulnerabilities in the third-party landscape. Consider whether your existing tech stack allows you to quickly determine which third parties have confirmed or suspected exposure to vulnerabilities that can impact their ability to keep your data safe and your business processes running. Having the right data at the right time gives organizations a running start when a new vulnerability hits.
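The two ideas above, a risk appetite that is set per inherent-risk tier and then tracked continuously, and a fast answer to "which of my third parties have confirmed or suspected exposure to this new vulnerability", can be expressed as a small piece of logic. The following is an added example written for this article, not Bitsight code or a Bitsight API; the vendor records, the 0-100 patching-cadence scale, the tier thresholds, the product names and the advisory identifier are all constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed risk appetite: minimum acceptable patching-cadence score per
# inherent-risk tier. The more business-critical the vendor, the higher the bar.
RISK_APPETITE = {"critical": 80, "high": 70, "standard": 60}
TIER_ORDER = {"critical": 0, "high": 1, "standard": 2}


@dataclass
class Vendor:
    name: str
    tier: str                  # inherent risk tier assigned by the business
    patching_cadence: int      # 0-100, higher is better (constructed scale)
    tech_footprint: set[str]   # products observed in the vendor's environment
    exposed_cves: set[str] = field(default_factory=set)  # confirmed exposures


# Constructed sample inventory; names, scores and products are fictional.
VENDORS = [
    Vendor("Payroll Provider", "critical", 85, {"acme-vpn", "webmail"}),
    Vendor("Logistics Partner", "high", 55, {"acme-gateway"}, {"CVE-EXAMPLE-0001"}),
    Vendor("Office Catering", "standard", 50, {"webmail"}),
    Vendor("Cloud Backup", "critical", 72, {"storage-api"}),
]

# Constructed advisory; the identifier is a placeholder, not a real CVE.
ADVISORY = {"id": "CVE-EXAMPLE-0001", "affected_products": {"acme-vpn", "acme-gateway"}}


def out_of_appetite(vendors):
    """Return (name, tier, score, threshold) for vendors below their tier's bar.

    This is the continuous-monitoring check: run it each time fresh
    performance data arrives and act on any vendor that has drifted out of sync.
    """
    findings = []
    for v in vendors:
        threshold = RISK_APPETITE[v.tier]
        if v.patching_cadence < threshold:
            findings.append((v.name, v.tier, v.patching_cadence, threshold))
    return findings


def exposure_report(vendors, advisory):
    """Split vendors into confirmed and suspected exposure to one advisory.

    Confirmed: the advisory's identifier is already recorded against the vendor.
    Suspected: the vendor runs an affected product but exposure is not yet verified.
    """
    confirmed, suspected = [], []
    for v in vendors:
        if advisory["id"] in v.exposed_cves:
            confirmed.append(v.name)
        elif v.tech_footprint & advisory["affected_products"]:
            suspected.append(v.name)
    return {"confirmed": confirmed, "suspected": suspected}


def outreach_order(vendors, advisory):
    """Order outreach: confirmed before suspected, higher tier first, weakest patching first."""
    report = exposure_report(vendors, advisory)
    by_name = {v.name: v for v in vendors}

    def key(name):
        v = by_name[name]
        confirmed_first = 0 if name in report["confirmed"] else 1
        return (confirmed_first, TIER_ORDER[v.tier], v.patching_cadence)

    return sorted(report["confirmed"] + report["suspected"], key=key)


if __name__ == "__main__":
    for name, tier, score, bar in out_of_appetite(VENDORS):
        print(f"{name} ({tier}): patching cadence {score} below appetite {bar}")
    print("Exposure:", exposure_report(VENDORS, ADVISORY))
    print("Outreach order:", outreach_order(VENDORS, ADVISORY))
```

The point of the tiering is the "effort aligned to value" principle from the previous section: a standard-tier vendor with a score of 50 is flagged, but a critical-tier vendor with a score of 72 is flagged too, because the bar is set by the risk that vendor presents rather than by a single global number. The exposure split keeps "confirmed" and "suspected" separate so that outreach can be prioritised and the suspected list can be worked down as vendors share data back.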
What strategies can be used to engage with third party vendors to reduce risks?
Knowing where to look is only half the battle. With dozens, hundreds, or even thousands of vendors supporting your business every day, it takes work to apply that knowledge when trying to proactively keep third party risk in check or, worse, when responding to a major security event that’s affecting the cyber landscape overall. A few best practices to start with:
- Setting expectations up front can ensure your third parties know what you expect when it comes to security performance. By letting them know what your bar is and how you’ll measure it, you are setting everyone up for success.
- Sharing data whenever possible provides your vendors with insight that can help them be more responsive to your concerns or requests. This is especially true when responding to a zero-day or critical vulnerability and time is of the essence. The more evidence you can bring to the table to help them, the more efficient the mitigation will be.
- Aim for efficiency on both sides by leveraging tools that make life easier for both you and your vendors. Is there an opportunity to drive outreach at scale across several vendors at a time? Use it. Is there a way for your third parties to share back efficiently across several of their customers at a time? Encourage it.
- As you drive remediation with third parties, use technology to streamline assurance. As you track remediation progress, leverage purpose-built tooling to report on mitigation efforts and outcomes in a way that can be quickly and easily digested by stakeholders across the business.