It’s our risk, not third party risk.

When it comes to third parties, business resiliency is found in the shared responsibility model.

Recently I talked with a third party risk leader at a company that manages an environment with 10,000 third parties. Yes, that’s an astronomically large number, but having hundreds to thousands of third parties is not unusual; in fact, the number of third parties used by the average company is nearing 600.

In an ideal world, we could verify that each of our third parties is entirely trustworthy, but our third parties are just as susceptible to breaches as we are. Consider the names we’ve seen in the news recently: JP Morgan, Dropbox, Dell, Microsoft. These aren’t low-resource companies. These are companies that will pass your due diligence questionnaires. They have the compliance and security certifications and attestations. They have dedicated security teams.

What this tells us is that we have to take ownership of the risk of using third parties, regardless of the specific third party’s posture. To be clear, I am in no way suggesting throwing caution to the wind, because anyone can get breached. Rather, I’m suggesting that yes, you need to do due diligence on your third parties, but you also have to accept that asking a million questions isn’t going to protect you from breaches. Instead, you should aim for reasonable assurance of the third party’s posture and focus your energy on the largest risks to the business. Third party risk assessment shouldn’t actually start with the third party’s posture; rather, we need to understand and manage the inherent risk of using a third party to achieve our business goal(s).

Focus on what matters

Understand the goals.

What value is this third party providing our business? What problem are they solving, or what opportunity are they opening up?

Identify the impact to the business.

What data will this third party access? What access will they have to our systems? Do we depend on them to provide our own services or products?

Inherent risk reduction.

I like to think about risk reduction before I get to assessing the third party’s posture itself. Why? Well, most third parties are somewhat interchangeable. This is not to dismiss the greatness of many companies’ services and products. The buying party has selected the third party for a reason, but no matter which provider they have selected, with steps 1 and 2 we have identified our goals in using the third party and the inherent risks of using a third party to these ends. We can assess this situation and make some choices to reduce risk before we dive into the third party’s posture. Let’s start with some questions we ask ourselves and the business stakeholder that wants to engage a third party for the purpose at hand.

  • Will we be sharing data?

    • Data minimization: what data does this third party need to achieve the goals?

    • Retention: as applicable, how long do we need the data to be available in the third party’s systems?

    • Redundancy and recovery: do we have backups of the data ourselves?

  • Will we be granting access to our systems?

    • Least privilege: how can we successfully achieve the goal while providing the least privilege possible?

    • Monitoring: if access will be granted to company data or systems, how can we monitor this access?

    • Access control: how can we maintain control over who has access to our data or systems and revoke such access if/when necessary?

  • Will we depend on the third party to provide our critical services and/or products?

    • If the third party becomes unavailable, how do we maintain business continuity?

It is only after we’ve taken these steps to understand the inherent risk of using a third party that we should assess the third party’s security posture or negotiate legal contracts. If we do not have this understanding, then we find ourselves in a situation of misalignment. We ask questions that are not pertinent to the relationship or the services. We worry about legal terms that are not applicable. We may even be able to reduce risk to a level at which we don’t require vendor due diligence at all.

Some examples.

One company I am aware of scheduled a call with a total of 6 high-level staff members that included 20 minutes discussing uptime SLAs. The company was demanding 99.99% uptime, while the vendor’s offer was 99.5%. The vendor’s services in no way impacted the company’s availability: 5 hours of downtime would be at most an annoyance for a handful of staff members. 99.5% uptime meant the vendor was providing an SLA under which that 5 hours, if it occurred, would result in credits to the company. 99.99% uptime is not provided by Amazon for most services, and allows for a mere 4 minutes of downtime in a month. The call cost the company more than the 5 hours of downtime would have. If the company had asked the stakeholders up front whether this vendor was critical to business continuity and availability, this conversation likely wouldn’t have arisen.

In another case, a sales-ops team had a legitimate need to back up CRM data, and they wanted to use a third party to avoid engaging the internal engineering team. Initially, the intention was to back up all the CRM data, which was sensitive. After discussing the need, it was determined that, in point of fact, no PII needed to be backed up: in the event that the CRM did have to be recovered, PII could be backfilled from existing trusted internal systems. This reduced the risk level.

Align risk management with business context

Recognizing that no third party is immune to cybersecurity threats, organizations should prioritize assessing the potential impact on business operations and data security before delving into evaluating a vendor’s security posture. By focusing on risk reduction strategies tailored to specific business goals, such as data minimization, access control, and business continuity planning, organizations can mitigate potential risks effectively. Ultimately, by customizing due diligence efforts and aligning them with the broader business context, companies can enhance their resilience against cyber threats and ensure the security and continuity of their operations. The call to action here: focus on understanding inherent risks, implement tailored risk reduction measures, and foster alignment between security and risk efforts and overarching business objectives.

Next time: As noted, this addresses the first steps in third party risk management. Next time, we’ll talk about assessing the third parties.

https://locktivity.com
