Published on 26/03/2024 | Written by Heather Wright
Don’t be a superhero…
When it comes to successfully driving third-party cyber-risk management outcomes, don’t waste your time with bespoke or customised questionnaires, or even assessing third party cybersecurity postures.
According to Luke Ellery, Gartner VP analyst, they don’t result in positive outcomes.
“Get the business to do the work. Let them make those determinations.”
So what does?
Speaking at the Gartner Security and Risk Management Summit, Ellery outlined a three-step plan for security and risk management leaders to address emerging third-party risks and establish effective controls, so as to build a resilient third-party ecosystem and avoid business disruption in a seemingly ever more uncertain world.
And it starts with passing some of the risk work off to stakeholders.
“You have to identify which risks matter to your business. An independent assessment of your third-party risks is useful, but the risks that matter to you depend on your industry, your organisation and your risk appetite,” Ellery says.
“That means we need to engage with the business.
“Get the business to do the work. Let them make those determinations.”
Gartner research has identified 16 risk domains, of which 10 are most important for IT purchases – data privacy, operational/continuity, security/cyber, ESG/sustainability, financial, geographic, corruption, performance, regulatory compliance and vendor strategy.
Of those, cyber security and operational risks – around ensuring an organisation is able to continue operating if there’s a failure or outage related to a third party – come up the most.
“We are seeing cybersecurity and risk changing from focusing a lot on technology to really focusing on the business. This is a good opportunity for you to engage the business to determine which of these risk domains matter to our organisation.
“What laws or regulations, risks or threats are they worried about? Which of these domains are they worried about?”
But Ellery urged cyber security teams not to try to be heroes. Instead, he called on them to allocate risk to the teams responsible for it, rather than cyber security teams taking everything on.
Gartner’s 2023 Reimagining Third Party Cybersecurity Risk Management Survey, which involved interviews with 60 CISOs and a survey of 376 senior executives involved in third party cybersecurity risk management, found that this approach of working closely with other third party risk functions to redirect responsibility for non-cybersecurity third party considerations proved a winner, resulting in an 18 percent improvement in effectiveness.
“We need to ask the questions, but we can’t be taking ownership of all these things,” he says.
Ellery says typically, in identifying risk parameters, an organisation will look at how critical data is, whether there is access to sensitive data, and whether there is a critical business process being supported there.
“We need help from the business to be able to build out these parameters.
“But then we also need to determine what the tolerance levels are – what are acceptable recovery time objectives? What are acceptable data loss positions?”
Defining those is, however, not enough. They need to be documented and then ratified by the organisation’s board or risk committee.
Ellery admits that’s partly to provide political cover for the cyber team, but says it’s also to empower the teams doing risk management day to day, such as legal and procurement.
“Procurement teams will often be challenging vendors on behalf of other risk and security teams by saying you can’t deal with us because you don’t meet these thresholds. By having the board ratify that, you are giving them leverage so they can say unless you sign up to these things you are not going to get through.”
Work out with your business owners which vendors are mission critical, which are business critical, which are important and which are deferrable. Then work with the risk owners to identify risk controls such as security/risk-control programs, encryption or MFA, business continuity plans/backup, or contract clauses.
“It’s a nice framework that sets you up for success,” he says.
Different types of third parties will come with different risks and require different risk controls, he notes. Because no control is foolproof, multiple controls may be needed: technical controls such as encryption, backup, firewalls and MFT; process controls, contracts and compliance (SOC, ISO, regulatory and legal); and controls provided by parties independent of the vendor, such as remote backup, insurance and escrow.
Ellery says process controls, such as procurement, due diligence and risk acceptance are ‘extremely effective’.
“Procurement is a fantastic process that can stop things from happening at the start of the process. Often business falls in love with shiny new tools. You can set up procurement to have pre-qualification criteria so you don’t even get to see those vendors that don’t meet your requirements – say they don’t have encryption, backup, SOC 2.”
Having continuity plans for third parties has been shown to realise a 43 percent improvement in third party cyber risk effectiveness, according to Gartner. But Ellery says planning involves more than just having a plan in a contract.
He urged attendees to know who key contacts are and what communications channels to use, along with roles and responsibilities and having a definition of success – and to test and test again on a regular cadence.
“Conducting third party incident response planning – for example a playbook or tabletop exercise – results in a 42 percent improvement in effectiveness.”
There will also be situations where the vendor is no longer available, he notes. “We need to plan for this and the first part is identifying who are mission critical vendors.”
Identify contingency plans for those vendors, again working with your business. That could include identifying alternate vendors and having a contract already negotiated with them, or having internal capabilities or short term workarounds in place.
Ellery noted that even if a new vendor is lined up for an emergency, you will still need contractual clauses with the prime vendor, such as disaster recovery, transition assistance, unwind provisions and step-in rights, to enable your team or a consultant to take over whatever the failing third party was doing.
The Gartner survey found having a clear third-party off-boarding strategy resulted in a 42 percent improvement, Ellery says.
Rounding out his advice was a call for companies to build maturity in monitoring internal information, and to build stronger relationships with vendors.
He cited the example of a company that, through monitoring internal information, saw that offshore developers were downloading inappropriate tools and accessing websites that were a risk from a security perspective. Vendor management action failed to resolve the situation, so the company implemented a new control in the form of VDI, hardening the environment to prevent the inappropriate actions.
“Without monitoring, they would never have discovered that.”