Where are the opportunities for cyber security vendor management processes to improve? Does the improvement stem from traditional risk assessment and risk management GRC tools? Or does it stem from third party vendor management traditions?
In this article we will explore:
Third party risk management program
Traditional risk management
Cyber security risks
Supply chain challenges
TPRM opportunities to improve
Third party risk is exactly that: an event, sourced from a third party, that has some impact on the objectives of your organisation. The organisational objectives are many and varied depending on the direction of the board and are somewhat linked to the industry the business operates within. For the purposes of this discussion, the organisational objectives are:
Build and maintain a strong brand and reputation
Deliver products and services with reliability and integrity
Maintain business successful operations over time
With the traditional risk assessment and risk management GRC tools, these risks are registered. According to ISO 31001 this is the first step. The purpose of the identification step is to find, recognise and describe risks that might prevent an organisation from achieving its objectives. These activities are typically conducted by a risk team or subject matter expert with a conscious approach to managing risk.
In terms of vendor risk and third party risk this might be the procurement department; in terms of cyber risk this might be the team responsible for defending against cyber threats. Either way this key activity is required to be done regularly with access to information that is timely.
The following steps in the traditional process, analysis and evaluation, are also key and are looked at together: the analysis is performed and its outcomes are delivered in the evaluation.
The analysis of risk is largely an art. Its objective is to comprehend the nature of risk, and it involves a complex interaction of risk sources, consequences, likelihood, events and scenarios. Risk analysis is often influenced by opinions, biases and perceptions of risk, which can lead to inconsistent evaluation and tainted results. These outcomes feed into the evaluation of risk, which considers established risk criteria and takes into account the context and the actual and perceived consequences.
With variations in the analysis, this evaluation process can quickly become flawed. Also, the nature of managing third party risk, with its uncertain events, can be difficult to quantify. This is an issue when analysing events with severe consequences. In such cases, using a combination of techniques generally provides greater insight.
Risk analysis provides an input to risk evaluation, to decisions on whether risk needs to be treated and how, and on the most appropriate risk treatment strategy and methods. The results provide insight for decisions, where choices are being made, and the options involve different types and levels of risk.
So cyber security risks can be analysed in much the same way, using traditional risk management techniques. However, with the dynamic nature of the cyber security threat landscape, the traditional techniques do not adapt well. The resulting outcome of such an approach is the aggregation and dilution of the risk register. When this happens, blind spots begin to appear. So even when a well-managed traditional risk approach is operated, there are areas of cyber security that are not adequately addressed: these are the blind spots.
Many high profile data breaches have occurred which highlight this. Large organisations have fallen victim, and this says something about the traditional risk management approach. So, organisations in financial services, critical infrastructure, health, logistics or manufacturing should look out, because a recent Ponemon report found some startling statistics. The report found:
54% of organisations do not have a comprehensive inventory of all third parties
65% did not know which had access to their most sensitive data
63% admitted their organisation did not have visibility of the level of access and permissions of external users
54% responded they were not monitoring the security and privacy practices of their service providers
59% did not have centralised control over third parties
And all because of the complexity and number of third party relationships. Yes, managing third parties is complex and difficult; add the complexity of cyber security and most would prefer to bury their head in the sand. Managing third party risk in cyber security requires an evolution of the TPRM (third-party risk management) approach. And not just from a process perspective. And not just from a technology perspective. Rather, from a philosophical perspective.
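The visibility gaps in the Ponemon figures above (no complete inventory, unknown access to sensitive data, unknown permission levels, no monitoring) and the register dilution described earlier can both be checked mechanically once the inventory exists in structured form. The script below is an added example, not code from the article or from Ponemon: the vendor records and field names are constructed sample data and are this example's own assumptions about what a TPRM inventory would hold. It lists each gap per vendor, then contrasts the single averaged register score a diluted register reports with the critical vendors that average hides, and finally orders vendors for follow-up.

```python
"""Third-party visibility gap check and risk-register dilution demo.

Added example, not from the article. The vendor records below are constructed
sample data; the field names are this example's own assumptions about what a
TPRM inventory would hold.
"""
from dataclasses import dataclass
from statistics import mean
from typing import Optional


@dataclass(frozen=True)
class Vendor:
    name: str
    inventoried: bool            # present in the central third-party inventory
    sensitive_data_access: bool  # can reach the organisation's most sensitive data
    access_level: Optional[str]  # e.g. "read", "admin"; None means never recorded
    monitored: bool              # security/privacy practices reviewed this cycle
    risk_owner: Optional[str]    # named accountable owner inside the organisation
    cyber_risk: int              # 1 (low) .. 5 (critical), from the last assessment


# Constructed sample inventory (hypothetical vendors, not real suppliers).
VENDORS = [
    Vendor("payroll-saas", True, True, "admin", True, "HR", 4),
    Vendor("cdn-provider", True, False, "read", True, "IT", 2),
    Vendor("analytics-contractor", False, True, None, False, None, 5),
    Vendor("office-cleaning", True, False, None, False, "Facilities", 1),
    Vendor("managed-soc", True, True, "admin", False, "Security", 3),
    Vendor("print-shop", False, False, "read", False, None, 1),
]


def visibility_gaps(vendors):
    """Return the four Ponemon-style gaps as lists of vendor names."""
    gaps = {
        "not_inventoried": [],       # no comprehensive inventory
        "sensitive_no_owner": [],    # sensitive access but nobody accountable
        "unknown_access_level": [],  # no visibility of permissions
        "unmonitored": [],           # practices not being monitored
    }
    for v in vendors:
        if not v.inventoried:
            gaps["not_inventoried"].append(v.name)
        if v.sensitive_data_access and v.risk_owner is None:
            gaps["sensitive_no_owner"].append(v.name)
        if v.access_level is None:
            gaps["unknown_access_level"].append(v.name)
        if not v.monitored:
            gaps["unmonitored"].append(v.name)
    return gaps


def register_view(vendors, critical_threshold=4):
    """Contrast the aggregated register score with the per-vendor view.

    The averaged figure is what a diluted register reports upward; the
    critical list is what that average hides (the blind spot).
    """
    scores = [v.cyber_risk for v in vendors]
    critical = sorted(v.name for v in vendors if v.cyber_risk >= critical_threshold)
    return {
        "aggregated_mean": round(mean(scores), 2),
        "worst_case": max(scores),
        "critical_vendors": critical,
    }


def prioritised_actions(vendors):
    """Order vendors for follow-up: highest cyber risk first, then most gaps."""
    def gap_count(v):
        return sum([
            not v.inventoried,
            v.sensitive_data_access and v.risk_owner is None,
            v.access_level is None,
            not v.monitored,
        ])
    ordered = sorted(vendors, key=lambda v: (-v.cyber_risk, -gap_count(v), v.name))
    return [v.name for v in ordered]


if __name__ == "__main__":
    for gap, names in visibility_gaps(VENDORS).items():
        print(f"{gap}: {names}")
    print(register_view(VENDORS))
    print(prioritised_actions(VENDORS))
```

On the sample data the averaged register score is 2.67, a figure that reads as "moderate", while the per-vendor view shows an uninventoried, unowned, unmonitored contractor with sensitive data access rated critical. That contrast is the dilution the article describes, and the prioritised list is the input a monthly management report would need.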
TPRM programs can improve when an enterprise-wide approach is considered and a strategic risk focus is taken. Step out of the weeds of scanning for misconfigurations that have little impact on the risk posture. Instead, focus on managing the supply chain at a high level across all suppliers. Here are 6 opportunities that can be taken to improve your organisation's TPRM:
Include all key risk owners in your TPRM program
Report monthly to management and regularly to the governance boards
Alter contracts to include specific goals for improvements
Assess with a pragmatic forward looking perspective
Obtain real-time updates for changes across the supply chain
Integrate the results of assessments and action planning into the milestones of the third party vendor relationship