*This blog highlights key points taken from the CRMG podcast ‘How to Manage Third Party Risk When you have Thousands of Suppliers.’ Listen to the full podcast here.
In today’s hyper-connected digital age, it’s not unusual for medium to large-sized companies to have hundreds, or even thousands, of third-party suppliers.
This can range from product suppliers, to billing processors, to cloud providers, and a variety of different services.
This large volume of suppliers can pose a challenge for Chief Security Information Officers (CISO) to properly manage risk, especially when personal or confidential data is shared.
Many businesses think that if they outsource the service, they automatically outsource the risk too. This simply isn’t true.
The procurement and security departments need to work together to:
We’ve identified 5 steps to help companies mitigate the risks associated with third party suppliers.
According to Nick Frost, Director of CRMG, all too often security providers get distracted by the main security challenge – i.e. the immediate risk to the primary business. To mitigate supplier risk, they need to gain a deeper understanding of the business processes, the services the business uses and how data is handled across the supply chain.
This can be a complex process, especially when there are multiple levels of suppliers. CISOs need to know whether the risk lies in a tier 1, 2 or even tier 3 suppliers. To do this, a full structural outline needs to be drawn up that charts the flow of data and information all the way through the various supply chains.
As companies and suppliers become increasingly more interconnected through network sharing, cloud storage, API’s, etc., the need for security oversight becomes even more critical.
CISOs need to nail down exactly what type of data is being shared and where it is going. For instance, if Personally Identifiable Information (PII) or confidential business data is being shared, it can create a huge risk if left unmanaged.
CISOs can be overwhelmed with the amount of information that comes in from suppliers. A system needs to be devised to assess the risks posed by suppliers, especially when handling sensitive data. Red flags need to be raised when suppliers handling the riskiest data don’t meet certain levels.
When there are 1000’s of suppliers in the supply chain, CISOs need to hone-in on the priority ones, i.e. the suppliers that can cause the most disruption to operations or pose the greatest data risk. Andrew Wilson, a Principal Consultant at CRMG, suggests a triage approach, with a checklist of security requirements drawn up for each critical supplier.
The best way to mitigate risk from the outset is to make sure that contracts reflect the security issues at hand. It’s a good idea for CISOs to establish close relationships with the legal and procurement departments.
For instance, the procurement team can say “Here, we have this MSA (Master services agreement), this is the type of product or service on offer.” CISOs can then do their risk assessment based on that information, then sit down with procurement and highlight which controls are missing, which aren’t necessary, etc.
It’s important to remember that when the legal team goes into discussions with a potential supplier, there will be a contract negotiation. There will be certain clauses that the supplier will want to redline out. It’s important that the legal and procurement team know exactly which are the “nice to have” clauses (i.e. can be sacrificed) and which are the non-negotiables – the must-have clauses to ensure that the required security level is met.
This avoids the situation where CISOs are brought in too late, i.e. after the contract is already in place, and they realise that the vendor has a poor security posture. It’s far better to realise this before the product or service is purchased and contracts drawn up.
Services provided by suppliers can easily change over time. This means that the type of data being shared may change too. Often, business people aren’t aware of the consequences that adding different data types can have.
For example, cloud providers are great for storing general data and information, but if you start to store confidential data, PII data, information about mergers and acquisitions, etc. the risk profile changes drastically. The original contract may not address this risk. Therefore, periodic risk profile assessments are a good idea.
Organisations also need to consider exit strategies, or “divorce arrangements”. When companies finally part ways with a long-term supplier, they may hold a lot of sensitive data. CISOs need to find a way to mitigate this risk. They need to come up with a way of staying on good terms with the supplier and managing a secure transfer of data to the new party. Again, a checklist approach can work here, to ensure that all potential risk is carefully managed.
About the author
Industry Specialism: Oil & Gas, Professional Services
Area of Expertise: Cyber Security Executive Management, Information Risk