@ISACA Volume 21  16 October 2019

Third-Party Risk Management Vs. Provider’s Accountability

By Antonio Ramos Garcia, CISA, CRISC, CISM, Jonah

Lately, I have been reflecting on the need to assess third-party risk and how other business sectors have mitigated this risk in the past. I have concluded the origin for this need is what economists call a “market failure.”

The first issue worth noting is that our need for third parties to guarantee the security of the goods and services they provide us is no different from our need for assurance that products we buy from an assembly line meet quality standards, or our need to trust that the food we buy from the grocery store is safe to eat. We are facing a trust issue.

We need to be able to trust that third parties are providing organizations with goods and services that meet the level of quality that organizations expect. Economists say that trust is easiest to establish when perfect information exists in the market, meaning that the consumer of a product or service can know the characteristics of the product or service before purchasing it and can make a decision that considers all relevant factors.

But what happens when perfect information does not exist? Basically, markets need to develop alternative mechanisms to provide it. And here is where we can find a big difference in how other sectors have solved this market failure compared to the cybersecurity sector.

In other sectors, the answer has been accountability. If a car’s brakes fail under warranty, the vendor may be liable to replace them and could have to bear the costs associated with a car accident. Those who put a product on the market must take accountability for the behavior of their product in the case that it fails.

But what happens in the cybersecurity sector? It seems that, because we have failed to establish a system to measure the level of cybersecurity of a good (product or service), we have also given up on defining a system of responsibility and accountability for third parties. As a result, we must evaluate each product or service individually before using it, channeling “trust, but verify.” But evaluating each good on a product-by-product basis brings us closer to what economists predict for markets with imperfect information: market collapse. Since customers cannot trust that goods have the level of security they expect, they assume the goods have no security and, as a consequence, vendors that do produce secure goods are expelled from the market because of their higher production costs.

Imagine for a minute we are back in the time of the ancient Romans. Leaders may have had to designate a food tester to ensure that their food was not poisoned. That is essentially what we are doing today in cybersecurity. We cannot trust our vendors, so we must assess or audit each provider to check if they are trying to sell us a product with a low level of security.

It is urgent that the cybersecurity market develop objective and transparent assessment mechanisms that allow customers to trust vendors. This would allow deceptive vendors to be expelled from the market instead of trustworthy ones.

Returning to the economic comparison, financial markets have used rating mechanisms for more than a century as a tool to preserve transparency. We should aim to emulate this mechanism in the cybersecurity sector, especially if no one is developing a different solution.

Antonio Ramos Garcia, CISA, CRISC, CISM, Jonah, is founding partner and chief operation officer (COO) at LEET Security Rating Agency, Spain.


What We Can Learn About Cybersecurity From Game of Thrones



Even after cybersecurity professionals have built “walls,” they can become obsessed with adding newer, bigger layers of defense. If you have watched Game of Thrones (GoT), you may notice that this attitude resembles the behavior of those who held power in the show after “the Wall” was built to protect the Seven Kingdoms. The House Stark mantra, “Winter is coming,” was a warning and a call to remain vigilant, and it maps directly onto the vigilance we must maintain in cybersecurity today.

To glean lessons from GoT that can apply to today’s security landscape, attend the “Winter Is HERE! Cybersecurity Lessons From GoT” webinar presented by ISACA. This webinar, which takes place on 29 October at 11AM CDT (UTC -5 hours), will deconstruct the current security landscape, identify tools best suited to protect an organization’s data, review the types of threats your organization may face, and establish the frameworks and resources that define best practice for your organization’s safety. ISACA members can earn 1 continuing professional education (CPE) hour by attending this webinar and completing a related survey.

Pam Nigro, CISA, CRISC, CGEIT, CRMA, will lead the webinar. Nigro is the senior director of information security, focusing on the governance, risk management and compliance (GRC) practice, at Health Care Service Corporation (HCSC); an adjunct professor at Lewis University (Romeoville, Illinois); an ISACA board member; and chair of the ISACA Chicago (Illinois, USA) Women’s Forum (SheLeadsTech). In her current position, she is responsible for information technology/information security risk and compliance testing, and she has established an automated IT and cybersecurity controls testing and analytics program for Agile/DevSecOps. In this webinar, Nigro will draw on her extensive cybersecurity and compliance experience, coupled with her love of GoT, to help you identify best cybersecurity practices for your organization in a fun new way.

To learn more about this webinar or to register for it, visit the Winter Is HERE! Cybersecurity Lessons From GoT page of the ISACA website.


Improving How Information Security and Risk Management Work Together


Technology is essential for organizational success, but as technology and innovation evolve, risk grows. The increase in risk makes transparent risk management vital, and regular communication between the IT and risk management functions is required to protect enterprise assets and maximize the value of technological investments. That said, sometimes these functions do not appear to speak the same language, if they communicate at all.

ISACA and the Risk and Insurance Management Society (RIMS) have set out to bridge this communication barrier by developing a joint report, Bridging the Digital Risk Gap: How Collaboration Between IT and Risk Management Can Enhance Value Creation, which guides the IT and risk management functions on collaborating and communicating more effectively to maintain organizational safety. This report helps risk management and IT professionals speak the same language as they strive to minimize risk associated with data and technology while also creating an overall organizational strategy to maximize technological value. It also stresses transparent, nimble and timely decision-making that is inclusive and representative of enterprise needs, and the importance of clearly defining roles, accountability, and decision-making authority.

To learn more, download this complimentary ISACA white paper from the Bridging the Digital Risk Gap page of the ISACA website.


Participate in Hands-On Experiences and Gain In-Depth Technical Knowledge at Geek Street


At this year’s ISACA and Infosecurity Group collaborative event, Infosecurity ISACA North America Expo and Conference 2019, you may find yourself on Geek Street. Geek Street is a new series targeted at technical professionals and will feature in-depth technical presentations and immersive, hands-on experiences. The Geek Street sessions will explore research into exploits, vulnerabilities, security risk and threats. Geek Street is also unique because it is on the expo floor, and a full conference pass is not required to attend the sessions.

Geek Street sessions will provide attendees with valuable industry insights and practical knowledge that they can apply to their work. Sessions include:

  • “With Friends Like These, Who Needs Enemies?”—John Shier, senior security advisor at Sophos, will explore how individuals and small organizations are unwittingly becoming attack vectors into larger enterprises. Shier will demonstrate how and why supply chain compromise attacks work and how to prevent, detect and mitigate this continually evolving threat. After attending this session, you will also understand why government secrets are no longer the only target of compromise, why small businesses have become targets, how individuals can become vulnerable and how managed service providers (MSPs) can also get caught in the mix because of the privileged access they hold.
  • “Cyber Hunt”—Frank Downs, director and subject matter expert (SME), cybersecurity practice at ISACA, and Dustin Brewer, manager, cybersecurity technical content at ISACA, will introduce participants to the Cybersecurity Nexus™ (CSX) Cyber Hunt, a live competition that tests participants’ skills at responding to a multipronged attack while simultaneously conducting a penetration test against organizational assets. After attending this session, you will better understand how to identify and locate assets with scanning tools, how to identify vulnerabilities on the systems you are responsible for, how to harden those systems, the elements of conducting a penetration test, and the elements of responding to an incident or attack.

For more information on the 16 Geek Street sessions and opportunities to earn up to 37 continuing professional education hours (CPEs) at the Infosecurity ISACA North America Expo and Conference, visit the Infosecurity ISACA North America Expo and Conference 2019 page of the ISACA website.