Imagine this scenario: A CISO leading a cyber security department receives an urgent request from a senior executive. The senior executive is getting ready to close a big deal with a third party and wanted security to sign off on the project.
The cyber security team had very recently evaluated the third party and raised several security ‘red flags’. They then reported it back to the business owner (the senior executive). This same senior executive was the one asking the CISO to do the security sign-off for the vendor without addressing any of the security risks discovered by the team. One of the key risks included poor security for handling PII data by the vendor.
This leads to the source of the problem. The senior executive has a fundamental misunderstanding of the role security should play in assessing third party risks. If we could sum up the role of a security department in one sentence it would be this: The security department is there to help reduce information risks to the company.
The security department can bring to attention the security risk of dealing with third parties, but it is not security’s role to accept the risk on behalf of the business. This is what the executive was after and had failed to understand. It would be the executive accepting the risk of doing business with that third party, not the security team.
Every company has different risks they will accept depending on a range of factors, typically influenced by regulation, age of the company and client portfolio. These all (should) shape the risk appetite and ultimately their maturity level. A rapidly scaling startup has to be willing to accept more risk just for the reason that trying to mitigate many risks would bring the company to a standstill. I’m sure Uber’s management team accepted a great deal of the risks their CISO brought to their attention. Their mission to rapidly scale was more important. They wouldn’t have been that successful otherwise. However, it’s a fine line for the security department to prove it wishes to be seen as a partner with the business, not be an impediment.
An older, more mature business would have a lower risk tolerance. They would most likely not be willing to accept as many risks. Why? Because their aims and goals are different from the Ubers of the world. Their risk tolerance is different. Companies like Intel spring to mind here. Intel has been in business for decades. Their goal isn’t to expand rapidly – they don’t necessarily need to. They will be more focused on resilience and brand protection, both of which require more security controls be put in place.
When assessing a third party vendor risk, it’s important to understand the risk tolerance of the company.
The senior executive in our scenario was in a bind. They knew the concerns highlighted were serious. This is why they didn’t want to sign off on the risks and instead wanted the CISO to do it.
This is a dilemma all organisations will face. Was the company willing to sacrifice its security for the sake of doing a deal with this vendor? This is a great question that needs to be asked. It just shouldn’t be asked of the CISO. It’s a question the Executive Committee needs to answer, not the CISO.
If you do find yourself in this situation, here are a couple of quick wins.
About the author
Principal Consultant, CRMG
Former CTO Skechers (Europe)
Industry Specialism: Rapidly Scaling Startups, Cloud technologies, Retail
Area of Expertise: Cyber Security Executive Management, Technology Risk