Securing the Digital World

Who to Trust? Effectively Assessing Third-Party and Vendor Risk

Jan 27, 2016 | by RSA |

In many organizations, cybersecurity is maturing from a purely technical discipline into a component of enterprise risk. That means companies should assess infosec risks against the same broad framework used for other enterprise risks.

This is a great development. But there's a catch.

Just because businesses need to assess all risks against a common framework does not mean there is a one-size-fits-all risk-assessment tool. That is particularly true when it comes to effectively assessing third-party and vendor risk.

It's important to assess the risks third parties and vendors pose across the board, and to do so consistently. But the risks posed by, say, outsourcing HR functions (or facilities security) are fundamentally different than those posed by technology vendors such as software and cloud providers.

For example, it is one thing to require that your facilities team be licensed and bonded, and enforce background checks on all staff. It is an entirely different matter to mitigate the risks posed by technology providers. The risk spectrum is broad-and continually changing-as new threats emerge. Further, the risks posed by IT vendors often operate on compressed timeframes that are at odds with slow, methodical corporate risk-management processes. Industry experts estimate that it takes most companies eight to ten weeks to resolve a vulnerability. That is far too long in the cybersecurity universe, where vulnerabilities can be exploited in minutes to hours, not days or weeks.

The upshot? IT and infosec professionals need to pay special attention to the risks posed by technology providers. Since risk is data-driven and changes constantly, IT risk management practices need to be up to par and ready to protect companies against third-parties.

What should infosec professionals be doing to avoid unnecessary third-party technology risk? Some suggestions:

  • Ensure that all providers pass a comprehensive security test, including vulnerability testing, before engaging with them.
  • Encourage providers to work with third parties to acquire security credentials as a condition of engagement. This can help not only certify suppliers, but also assist enterprise organizations in developing compliance and escalation processes.
  • Automate the process of vendor certification and ongoing vulnerability management. If you don't have a tool for this yet, consider getting one. There is a host of players in the IT Vendor Risk Management space. As you are assessing such automation tools, look for integration with your current and planned infrastructure; comprehensiveness of data sources; and ability to respond and recommend remediation in real time.
  • Be sure to include a special focus on cloud providers in your strategy. The Cloud Security Alliance is working on developing standards and best practices for cloud providers and customers alike.

The bottom line? Assessing third-party risk is important. There are particular concerns when it comes to IT vendors, which can inject unique vulnerabilities into an organization. Security professionals should be sure to have a framework for assessing these risks that aligns with overall enterprise risk, but also addresses specific concerns posed by IT vendors.