Securing the Digital World

Perspectives: The Third-Party Risk Consequences of Outsourcing

Jun 05, 2019 | by Patrick Potter

The Gartner Top Security and Risk Management Trends¹ research note states that “Some organizations may choose to completely outsource their security operations,” which got me thinking about the third-party risk those organizations will need to manage if they make that choice.

Evolving Third Parties

Innovative technologies and new security threats are creating new types of third parties – from security operations outsourcing partners, to next-generation security startups, to providers of managed detection and response (MDR) services. Organizations must determine how to work with these third parties to augment their IT and security operations to combat risk, and must do so while retaining control of their own business-centric security activities. You can outsource the activity but not the risk.

New Digital Risks are Resulting in Skills Gaps

Managing digital risk today, including third-party risk, is stretching the abilities of internal security and risk management teams because they may not be skilled or experienced with new technologies (e.g., cloud, IoT, OT), evolving security tools and approaches, and risks introduced by new, complex third parties. To augment their internal team’s abilities, organizations must invest in centers of excellence that may include internal and external resources; outsource to technology/services partners; tap into the gig economy to find “just in time” resources with specific skills or experience; or hire resources that understand these new third-party risk challenges. These untapped resources might be outside the typical avenues organizations are accustomed to hiring from.

Third-Party Risk Crosses Risk Domains

Third-party risk can be an individual risk, or it can include multiple risks that third parties may introduce to your organization. For example, let’s assume a very critical third party your organization uses experiences a system outage due to a breach. Because their systems are inaccessible, they cannot provide services or products to your organization. As a result, you miss important customer deadlines, and that results in legal action or financial losses. Maybe the breach also infects your systems and disrupts some critical internal online tools, or you lose critical customer data, which results in regulatory non-compliance. This example shows that resiliency, data privacy, legal, financial and regulatory risks can all stem from your use of third parties. The ripple effect is far-reaching, making it critical that you integrate your risk management efforts across your domains of risk (e.g., business resiliency, risk management, compliance, third-party governance, etc.).

Frameworks and Approaches Tied to Business Outcomes

Frameworks and approaches to manage risk, including third-party risk, are critical because they provide the guardrails needed to manage risks consistently and within the bounds of the organization’s risk appetite. Having said that, managing any kind of risk, including third-party risk, is not a perfect science, and approaches need to balance “friction” from the process with the level of risk being managed. Above all, risk appetite needs to be tied to business objectives and outcomes, and it needs to unite the practical and tactical actions of managing risk with the strategic objectives of the organization.

Also, because of the increasingly related nature of business and security risk, a data security governance framework is recommended. The framework should include developing new and updating existing policies regularly to keep up with rapidly changing third-party risk. Periodic gap analyses against compliance with the frameworks are critical to let you know of areas that need to be improved; this is an important part of managing the third parties, but it often falls by the wayside. Finally, any approach to managing third-party risk must also consider regulatory and privacy challenges and changes that come with new partners.


What digital organizations are experiencing today in their use of third parties is not “yesterday’s risks”. Take a look at the Gartner study¹, which highlights not only top security and risk management trends but also those that may indicate longer-term trends to come. Today’s risks are new and diverse, and they are becoming more dynamic and complex with the addition of innovative technologies and partners. As a result, they require a dynamic mindset and approach, not only to get in front of and manage them properly, but also to turn them into a competitive advantage for your organization.

1 Gartner Top Security and Risk Management Trends, Peter Firstbrook, Brian Reed, Sam Olyaei, Gorka Sadowski, David Mahdi, Prateek Bhajanka, Earl Perkins, Published 21 January 2019
