How One CISO Tackles Third-Party Risk Management

We recently sat down for an interview with a third-party risk management thought leader with the goal of understanding how they see third-party risk in the context of other security and risk considerations. In this blog, this CISO offers their perspective on what it takes to build a sustainable third-party risk management program. Because of the opinions offered here and because risk and security is a sensitive topic, this CISO asked that their name and company name not be used.

How has third-party risk management evolved? How has that impacted your overall risk surface?

What we’ve seen over the last 10-15 years is that – through digitization – ecosystems have rapidly expanded to include more third parties. In the past they provided goods and services onsite. But now, the model has shifted to be more “as a service” in the cloud and that expands your risk exposure. You end up giving up a little control in the name of expertise and cost reduction. But you have to be careful and not fall into a trap – outsourcing the risk is not necessarily outsourcing the accountability.

What is the biggest challenge you face in assessing your vendors and other third parties?

What I look for is whether my third parties adhere to the same principles that I adhere to, which is rarely to never the case. The problem is with scope. They answer a question in their risk assessment questionnaire, but don’t answer the question within the scope. For example, when I ask a third party if they encrypt data “in motion and at rest” and they answer “yes,” then that’s it. It requires much greater effort and context beyond that simple question to get to the bottom of the issue, and it’s hard to validate. That doesn’t scale.

Speaking of validation, what about external measures for validating whether controls are in place?

That depends. If you’re talking about scanning and scoring tools, I find they’re typically wrong. All of them produce different data with no context or transparency. It’s all “secret sauce.”

What kind of reporting do you have to provide to the board? What do they care about?

This will vary by organization, but it’s all about balancing between what you want them to care about and what they actually care about. Approach every board-level conversation from a business angle, identifying where the risks to the business are – not the security risk or incident itself, but what the actual downstream implications are of that risk or incident.

The problem is that there persists a chasm to cross between what risk really looks like and how to communicate it in a meaningful way. That problem is rooted in accountability; conceptually this isn’t any different than with financial reporting. You have to apply the same rigor and approach to security risk reporting as what’s done for financial risk. I think most boards aren’t getting that today and, until they do, those organizations will suffer from a gap in understanding. Remember what Enron did for financial reporting? I sincerely hope it doesn’t take a “cyber-Enron” type of incident to wake boards up. However, if you can’t define the harm, then you won’t get the buy-in.

What about privacy? Aside from “business resilience” or “continuity” as a result of the COVID-19 crisis, “privacy” has dominated third-party conversations of late.

Between CCPA and other related bills, privacy will drive discussions on accountability. That is the most hopeful outcome from any legislation: accountability. That level of enforcement must increase scrutiny and force companies to look at it more seriously instead of just “checking the box.”

The problem is that laws are drawn inside borders, but the internet has broken borders. What law governs the internet globally? It doesn’t apply to physical boundaries. Conceptually, it’s different than how this country was built.

What does the ideal third-party risk management program look like to you? What are the right components or elements?

First off, go to the business and document what is important to them. Determine if their needs are aligned with your company’s mission and goals. Most importantly, take the business’ advice holistically. Then, list out the X number of most important things, prioritize them, and go back to the business with a range of risks they are willing to tolerate. This is the beginning of governance.

Once that governance framework is defined, look at third parties and how they measure up against the risk the business said it is willing to tolerate. Then – and here’s the typically labor-intensive part – find a way to do that on an ongoing basis. Determine what information is needed to do that, if it applies to all third parties, and how it will be managed over time.

Having the right governance structure in place – with ongoing education transparency – is critical for long-term success.

When you talk to other organizations, what guidance do you give them? Where to start, how to prioritize, etc.

You must start by understanding what’s important to the business, like I talked about in the previous question. Once you know what’s important – and have the communications flowing both ways between you and the business – you have a firmer foundation to build off of and can conduct due diligence and make risk-based decisions based on that.

Also, remember that it’s not just about assessing financial risk to your business – you must also consider data privacy. You have to have those conversations at the very top. Decision and accountability lie with the business; not with security. Security’s job is not to accept risk – my job is to do the assessment. You have to educate the business on what risk means, look at data, ask questions, and inform them so that they can accept a risk appetite appropriate to the business.

What keeps you up at night?

I’m a CISO. I haven’t slept in years 😊. Seriously, though, I regularly consider whether I have done everything I can reasonably do to deliver on the mission. For example, if something happens, can I go to the business and confidently report on what happened, how, and what we’re doing about it? I long ago accepted that there is no job security as a CISO, but I have to be OK with myself that I gave it all I could and am controlling what I can control. Now, those wild vendors of mine are a completely different story…

For more on how Prevalent can help address your third-party right management challenges, contact us today, download our best practices guide, or take a quick online assessment to help you determine your level of TPRM program maturity.