
Third-party security management and monitoring have been a focus of many organizations’ information risk and security and vendor compliance programs for several years, but they have yet to yield expected results. The recent increase in material security incidents experienced by organizations, including attacks against third-party service providers and capabilities versus direct attacks against the organization itself, demonstrates a shift in attack strategy. Adversaries consistently adapt and adjust their methods, tactics, approaches, and capabilities to match and defeat the defensive capabilities of their targets. Adversaries have realized that while their target organization may be strong in internal risk and security activities, their weakness lies in the extensive use of third parties who are not as strong in their capabilities and controls but have direct or indirect access to the target organization’s data and information infrastructure. As a result, these third parties can be used as a gateway to successfully attack primary targets.
The focus of third-party security programs at many organizations has shifted from effectiveness to efficiency because of the sheer volume of third parties with which organizations share sensitive information or which they use as service providers to support business operations. An unfortunate outcome of this shift is that some organizations have become complacent in their approach to third-party security risk management and monitoring. Instead of consistently improving and maturing their third-party security risk management programs, an increasing number of organizations have adopted industry certifications, software platforms, and/or engaged third-party service providers to supply the core functions of their own programs and activities. As a result, many organizations have placed inherent trust in the methods and practices of these capabilities to effectively identify, manage, and monitor third-party security risk. Unfortunately, these platforms and providers are only effective if the organizations using them are intimately involved in governing and maturing them and in collaborating with vendors regularly to ensure the organization’s information risk and security expectations and requirements are being appropriately identified and met.
There are five key considerations for organizations when trying to avoid complacency in third-party security management and monitoring:
- Avoid using third-party certifications as a replacement for comprehensive reviews—In recent years, many organizations have attempted to reduce the effort of reviewing third parties by accepting certifications such as System and Organization Controls (SOC) reports and International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) 27001 as proof of adequate and appropriate security controls and capabilities rather than conducting their own risk and security reviews. These industry certifications, among other comparable certifications, indicate an organization’s intention to follow good security practices. However, certifications alone do not provide adequate evidence that the organization can identify and manage current and emerging information security risk. The weakness of using these certifications as a barometer of effective and capable security measures is shown by the sheer volume of security incidents and data breaches that have recently impacted organizations that hold these certifications. This is not to suggest that certifications are not a useful starting point. Rather, they should not be considered an authoritative demonstration of effective information risk and security programs and capabilities, nor a replacement for a thorough risk assessment, especially for high-risk vendors. Instead, they should be viewed as a demonstration of the intention and efforts of an organization to implement security processes, capabilities, and controls.
- Go beyond the questionnaire; require and review evidence—The most commonly adopted third-party security risk assessment method is to use either self-generated or system-based questionnaires that rely on subjective responses from the participant. These questionnaires are often supported by automated scoring algorithms based on static answers (i.e., yes/no, a 1-5 range of capabilities, multiple choice), which limit the ability of the assessing organization to probe into the answers provided beyond a set of expanded structured questions triggered when an initial answer raises concerns. Even when the system allows supporting commentary, there is no easy way for automated scoring to interpret the value or accuracy of those responses. While this method can be somewhat effective for baseline areas of interest, it is often limiting for detailed areas of review. One way to improve this capability is to require the organization being assessed to provide supporting evidence where possible and appropriate (based on the assessing organization’s perceived inherent risk level or expectation of effective controls and capabilities). This helps to prove not only the existence of controls but also the supporting methods, processes, and capabilities that ensure they are effectively implemented. If an organization provides evidence, it is important that the evidence be adequately assessed and reviewed to ensure it meets the expectations of the assessing organization.
- Assess the culture as well as the controls—It is important to assess the culture of the third-party organization as well as the administrative and technical controls in place. One key cultural indicator of the health and capability of the information risk and security programs and their associated capabilities is whether these programs are considered a strategic advantage to the third-party organization or more of a utility. Examples of key questions include but are not limited to:
  - Does the information risk and security program and its staff report to a technical organization, where the program’s scope may be limited to technology areas and conflicts of interest may arise, or does it report into a risk management function within the organization where its leadership has authority equal to that of technical leaders (i.e., chief information officers [CIOs] and chief technology officers [CTOs])?
  - What are the current and historical budget characteristics for information risk and security in the organization? Have budget and staff increased, stayed stable, or decreased over the previous three years?
  - How strong is information security leadership in the organization? Does the information risk and security leadership raise security concerns to the appropriate parties and compel the organization to take action to effectively mitigate the raised issues, or is it limited to communicating issues with no real authority to address them?
- Assess the organization’s assurance methods and practices for security governance and oversight—When assessing a third-party organization’s risk and security capabilities, ensure you assess its methods and practices for security assurance. Does the organization follow a trust-but-verify approach to security, or does it assume the effectiveness of capabilities and controls based on assertions from their respective owners? One way to review this is to request the testing and monitoring plans for key security capabilities and controls, and to request to review the outcomes of these activities. Mature and effective information risk and security programs develop and maintain an information security risk register that identifies and assesses the materiality of deficiencies and supports risk treatment plans for them. Ask to review the organization’s security risk register and associated risk treatment plans, and monitor progress to ensure they are in line with the assessing organization’s risk tolerances and expected timelines.
- Develop and maintain ongoing relationships and communication channels with key third-party service providers and vendors—The first time a security representative or leader of an organization speaks with the security contact or leader of a key third-party vendor should not be during an incident response or as a reaction to an incident notification. It is easy for third-party vendors that have no relationship with the risk and security professionals at the assessing organization to fill out electronic questionnaires with information that may or may not be completely accurate in order to pass a risk and security review. The motivation for some providers is to pass the assessment rather than to ensure they are effectively protecting the interests of the assessing organization. By developing trustworthy relationships, organizations and vendors work together to achieve information risk and security objectives, fostering productive interactions and robust security controls.
If the current approach to third-party security management and monitoring were effective, the frequency and material impact of security attacks and breaches would not be increasing; such events would instead be anomalies. Unfortunately, many third-party providers have become complacent in their approach, focusing more on passing reviews than on providing adequate and appropriate information security capabilities and controls. By following a risk-based philosophy in which certifications and responses to security questionnaires are viewed as indicators of capability—rather than authoritative representations of an organization’s capabilities—assessing organizations can improve and mature their approach to third-party security management and monitoring.