In the movie ‘After Earth’, Will Smith asks his son Kitai to “take a knee” whenever he is out of ideas during a crisis. This ‘forced break’ amidst commotion provided the mental clarity and logical rebooting that Kitai needed, so that he could overcome challenges and obstacles and push his abilities. The current COVID-19 pandemic has forced the entire planet to “take a knee’. Organizations have been compelled to pause, take a mental break, and utilize this opportunity to ideate and formulate the right strategy to propel them ahead when the horizon becomes clear. Managing cybersecurity risks in the vendor ecosystem is one such strategy that can be employed to increase productivity, optimize contracts and assets, and enhance customer trust, to gain a competitive advantage.
Businesses have realized the importance of suppliers, and the impact that non-availability of critical and urgent products and services can have on their top-line, brand image and employee satisfaction. Considering the rise of cybersecurity threats and attacks banking on the Coronavirus, the security and availability of the third-party ecosystem cannot be taken lightly. Enterprises need to consider third-party risk management as one of the top priorities of their cybersecurity program, because customers do not regard the enterprise as a separate entity from its third parties. The investments in vendor security risk management should be a business enabler.
Key considerations to revamp third-party risk management capabilities and gain the most out of the program are listed below:
Conducting Diagnosis and Capability Assessment
An in-depth diagnosis of ‘As-is’ third-party risk management capability of the organization will identify the scope of improvements in people, process, and technology to augment the maturity of the third-party risk management program. Such an assessment can provide insights into queries like:
Closure of the gaps identified from such a maturity assessment will lead to optimization of cost, standardization of efforts, flexibility, and improvement of performance.
Establishing a vendor data map
There are no regulations that mandate creating a vendor data map, unlike what GDPR prescribes for personally identified/identifiable information. To evaluate the security posture or risk of vendor relationships, organizations need to know how many third parties they have, who the third parties are and the relationship of the vendors to organizational functions, assets, and processes. It presents a challenging situation for CISO to receive notifications from an unknown third party that they experienced a breach affecting the enterprise! A dynamic supplier information database can act as a single source of all suppliers within the organization. It can have linkage with procurement, business continuity, risk and compliance, and privacy office and business lines.
Creating a better experience for vendors participating in the assessment process
Vendors are inundated with security questions from multiple organizations consuming or going to consume their products and services. In responding to the assessment questions, probability for human error increases and the response review cycle takes more time and effort.
Adopting Zero trust model for third-party security
In 2013, why did the HVAC vendor of the breached retail organization have access to the retailer’s billing and project management systems? Provisioning access of third-party personnel to organizational applications and data on a need-to-know and least privilege principle lays the foundation of zero-trust strategy. These privileges should be granted post approval from both business and the CISO office. Access granted should be monitored and immediately decommissioned on change of vendor personnel role or end of contract.
Real-time monitoring of vendor risk
Point-in-time risk assessments no longer provide the right information for an effective TPRM. A vendor triage process determines the frequency and rigour of the vendor security assessment questionnaire. Instead of determining a snapshot of the vendor security posture annually, organizations are shifting to technology enabling real-time monitoring and treatment of risks such as unsafe authentication mechanisms, vulnerable applications, exposed sensitive data and potential phishing and Denial-of-Service threats across their high-, medium- and low-risk vendor ecosystems. Near real-time identification of a geo-political risk or data leakage alert impacting vendors can shorten the path to mitigate risk and assist in effective decision-making.
Automating the third-party risk management process
A solution that provisions the vendor database and automates end-to-end workﬂow for assessing and managing third-party risk over the lifecycle of their relationship can be a good investment choice. Such third-party risk assessment solutions have the capability to incorporate supplier security insights from external security score providers and ingest feeds from independent external sources to analyze disparate sources of threat and risk scores using AI and ML. Dashboards and reports can provide visibility into vendor performance trends, open issues and risk across the vendor ecosystem, thereby enabling faster risk-informed decision-making.
This pandemic will create opportunities for organizations “taking a knee” to ideate and formulate the right third-party risk management strategy. Organizations will take progressive steps for a consolidated, leaner, efficient and effective third-party risk management system, considering these changes brought on by the current COVID-19 scenario:
Bhaskar Maheshwari is an industry-recognized cybersecurity consulting professional. For the last 13 years, he has been delivering business value to multiple clients across the globe in the fields of cybersecurity, risk & compliance, data privacy, and business resiliency. Bhaskar is part of Wipro’s Cybersecurity Consulting & Advisory Practice.
Bhaskar has an MBA and a Bachelor of Engineering degree in addition to being a TOGAF 9, CISA, CISM, MBCI, ITIL Expert, BS25999LA, CPISI, COBIT F, CBCI, PMP and CPEGP professional.