The Challenges in Assessing Third-Party Cyber Security Risk – A case study

Imagine this scenario: a CISO leading a cyber security department receives an urgent request from a senior executive. The executive is about to close a big deal with a third party and wants security to sign off on the project.

The cyber security team had only recently evaluated that third party and raised several security ‘red flags’, which they reported back to the business owner (the same senior executive). That executive was now asking the CISO to sign off on the vendor without any of the risks the team had identified being addressed. One of the key risks was the vendor’s poor security controls for handling PII data.

This points to the source of the problem: the senior executive fundamentally misunderstood the role security should play in assessing third-party risk. If the role of a security department could be summed up in one sentence, it would be this: the security department exists to help reduce information risk to the company.

The security department can bring the security risks of dealing with a third party to the business’s attention, but it is not security’s role to accept those risks on behalf of the business. That is what the executive was after and had failed to understand: it would be the executive accepting the risk of doing business with that third party, not the security team.

Every company has different risks it will accept, depending on a range of factors, typically regulation, the age of the company and its client portfolio. These all (should) shape its risk appetite and ultimately its maturity level. A rapidly scaling startup has to be willing to accept more risk, simply because trying to mitigate every risk would bring the company to a standstill. I’m sure Uber’s management team accepted a great deal of the risks their CISO brought to their attention. Their mission to rapidly scale was more important. They wouldn’t have been that successful otherwise. However, the security department walks a fine line: it has to show that it is a partner to the business, not an impediment.

An older, more mature business would have a lower risk tolerance and would most likely not be willing to accept as many risks. Why? Because its aims and goals are different from those of the Ubers of the world, so its risk tolerance is different. Companies like Intel spring to mind here. Intel has been in business for decades. Its goal isn’t to expand rapidly; it doesn’t necessarily need to. It will be more focused on resilience and brand protection, both of which require that more security controls be put in place.

When assessing third-party vendor risk, it’s important to understand the risk tolerance of your own organisation.

The senior executive in our scenario was in a bind. They knew the concerns highlighted were serious, which is why they didn’t want to sign off on the risks themselves and instead wanted the CISO to do it.

This is a dilemma every organisation will face. Was the company willing to sacrifice its security for the sake of doing a deal with this vendor? That is a great question, and it needs to be asked; it just shouldn’t be asked of the CISO. It is a question for the Executive Committee to answer.

If you do find yourself in this situation, here are a few quick wins.

  1. Review your information security policies and validate that they adequately cover the need to identify and report information risk associated with third-party suppliers. Ensure they state explicitly that the business owner or Executive Committee has to accept the risks identified.
  2. Make sure the information risks you have identified are communicated, in business language, to the Executive Committee. For example, say the risks your security team identified relate to a third party that lacks the necessary security controls for handling PII data. You wouldn’t want to say: “Dealing with this vendor could result in data loss.” The better way to communicate this would be: “There is a risk our company will experience significant brand reputational damage and loss of revenue as a result of accepting the risks associated with this vendor.”
  3. Rate the criticality of your suppliers. Your organisation will have a vast number of suppliers that support key business operations. However, you are unlikely to have the resources to assess all of them, and many will not need to be reviewed at all. What is needed is an approach that identifies the most critical suppliers and prioritises them, given the finite resources available.

For more information on how to approach third-party risk and conduct risk assessments, get in touch here.

About the author

Todd Wade
Principal Consultant, CRMG
Former CTO Skechers (Europe)
Industry Specialism: Rapidly Scaling Startups, Cloud technologies, Retail
Area of Expertise: Cyber Security Executive Management, Technology Risk