If it wasn’t already, the risk posed by third parties has become top-of-mind for many of us in recent weeks. Organizations and individuals alike have given more thought than usual to the risks carried by those around us, including the suppliers, partners, providers, and others who make up the third-party ecosystem in which every company exists.
Evaluating an organization’s risk means, at some level, understanding the risk of all the third parties on which the organization’s products, services, and operations are based. And making that evaluation useful means putting the results into quantitative metrics.
“The industry more and more is saying that risk management has to be quantitative,” says Nick Sanna, CEO of RiskLens. “If you want to sit at a table with the business and have a meaningful discussion on the impact that actions in security have, it’s got to be quantitative.”
There are, of course, difficulties in establishing this third-party risk accurately. One of the biggest drivers of complexity is working out how many layers of relationships the security team has to examine. It’s a given that a company has to evaluate the risks of its suppliers, but what about their suppliers? And theirs? How many levels down does the responsibility to evaluate extend?
“Where we see our customers really going is they look at and examine their third party. They’re also identifying the fourth-party dependencies, the vendor to the vendor,” says Kelly White, CEO of RiskRecon.
While he sees companies that would like to go through more layers, White says that the reality of the modern IT ecosystem means that relationships start circling back on one another, leading to a tangled web of dependencies that can be almost impossible to unravel.
“What we’ve learned is that companies, organizations, have many more third parties touching their networks and their data than you could ever imagine,” says Bob Maley, CSO at Normshield. “It’s hundreds and thousands.”
Maley then asks a critical question: “How do you wrap your arms around that and focus your resources on the areas that might need some attention?”
Nail down the third-party policy of the third party
Ann* is an executive in the risk management group at a healthcare company. [*Editor’s Note: To protect her identity and that of her company, Ann’s real name and certain identifying details have been changed.] “Typically, we try to put it to our third party — the first point down the chain,” Ann says. “What we would do in that scenario is assess the third party to see if they have a similar program in place to what we’re using to assess them. And that’s the expectation.”
It’s an expectation that her organization codifies in a contract as often as possible. In the best case, Ann explains, each company in the ecosystem will have a similar third-party risk program in place and each will reinforce the protection offered by all the others.
Getting the various organizations to agree on what risk and its management mean is made easier when there is a standard model to follow. “It’s a little bit of Wild West right now,” Sanna says in describing the world of cyber risk management. “Everybody’s making up their own model and FAIR has emerged as the standard model for assessing risk.”
Sanna says that many companies are only beginning to understand how to evaluate and quantify risk. The first stage in the process, he says, is being able to articulate risk. “What are my top risks and areas in numeric terms, in financial terms? Just understand that,” he says.
Being able to articulate risk is critical to communicating concerns about risk and its management to other companies in the third-party ecosystem, and to finding benefit in mutual protection. That protection matters most in a common situation: the organization doesn’t actually know the full extent of its third-party ecosystem.
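A minimal illustration of the quantitative approach Sanna describes and of the fourth-party dependencies White describes, added here as an example; it is not code from the original article, from RiskLens or RiskRecon, or from any FAIR tooling. It takes FAIR’s two top-level factors, loss event frequency and loss magnitude, as three-point ranges, estimates annualized loss per vendor by Monte Carlo, ranks vendors by that estimate, and walks a vendor-to-vendor dependency graph that loops back on itself. The vendor names, ranges and dependency edges are constructed for the example, and the triangular distributions are a simplification chosen here (FAIR practitioners commonly use PERT).

```python
import random
from typing import Dict, List, Set, Tuple

Range3 = Tuple[float, float, float]  # (minimum, most likely, maximum)

# Constructed sample inputs for three hypothetical vendors (not real companies).
# FAIR's two top-level factors per vendor:
#   lef: loss event frequency, in events per year
#   lm:  loss magnitude, in dollars per event
VENDORS: Dict[str, Dict[str, Range3]] = {
    "payroll-saas": {"lef": (0.5, 1.0, 3.0), "lm": (100_000, 400_000, 2_000_000)},
    "cloud-host": {"lef": (0.1, 0.5, 2.0), "lm": (50_000, 200_000, 1_000_000)},
    "print-vendor": {"lef": (0.05, 0.2, 0.5), "lm": (10_000, 30_000, 80_000)},
}

# Constructed third-party -> fourth-party edges. The loop between cloud-host
# and identity-idp stands in for relationships that circle back on one another.
DEPENDS_ON: Dict[str, List[str]] = {
    "payroll-saas": ["cloud-host", "identity-idp"],
    "cloud-host": ["identity-idp"],
    "identity-idp": ["cloud-host"],
    "print-vendor": [],
}


def transitive_dependencies(vendor: str, graph: Dict[str, List[str]]) -> Set[str]:
    """All vendors reachable from `vendor`: fourth parties, fifth parties, and so on.

    The `seen` set guarantees termination even when the graph contains cycles.
    """
    seen = {vendor}
    stack = [vendor]
    while stack:
        for dep in graph.get(stack.pop(), []):
            if dep not in seen:
                seen.add(dep)
                stack.append(dep)
    seen.discard(vendor)
    return seen


def _draw(rng: random.Random, r: Range3) -> float:
    """Sample a (min, most likely, max) range; triangular is a simplification."""
    low, mode, high = r
    return rng.triangular(low, high, mode)  # stdlib argument order is low, high, mode


def simulate_annual_loss(lef: Range3, lm: Range3, trials: int = 20_000,
                         seed: int = 1) -> Dict[str, float]:
    """Monte Carlo estimate of annualized loss exposure.

    Each trial draws a frequency and a magnitude and multiplies them, which is
    the simplest reading of FAIR's LEF x LM. Returns the mean and the 90th
    percentile so the tail is visible, not just the average.
    """
    rng = random.Random(seed)  # fixed seed keeps results reproducible
    losses = sorted(_draw(rng, lef) * _draw(rng, lm) for _ in range(trials))
    return {"mean": sum(losses) / trials, "p90": losses[int(0.9 * trials)]}


def rank_vendors(vendors: Dict[str, Dict[str, Range3]], trials: int = 20_000,
                 seed: int = 1) -> List[Tuple[str, float, float]]:
    """(vendor, mean annual loss, p90 annual loss), highest mean first."""
    rows = []
    for name, inputs in vendors.items():
        est = simulate_annual_loss(inputs["lef"], inputs["lm"], trials, seed)
        rows.append((name, est["mean"], est["p90"]))
    return sorted(rows, key=lambda row: row[1], reverse=True)


if __name__ == "__main__":
    print(f"{'vendor':<14}{'mean $/yr':>14}{'p90 $/yr':>14}  reachable fourth parties")
    for name, mean, p90 in rank_vendors(VENDORS):
        deps = ", ".join(sorted(transitive_dependencies(name, DEPENDS_ON))) or "-"
        print(f"{name:<14}{mean:>14,.0f}{p90:>14,.0f}  {deps}")
```

Running the script prints one row per vendor, ranked by mean annualized loss, with the 90th-percentile loss beside it and the vendors reachable through its dependency chain. The ranking is the answer to Maley’s question of where to focus resources; the p90 column is what keeps the conversation with the business from collapsing to a single average; and the dependency column shows that two of the three vendors share the same fourth parties, so a loss estimate for one is not independent of the others.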
Look beyond cyber risk teams for help
One of the important points executives made regarding third-party risk is that managing it requires thinking about more than cybersecurity. One thing the coronavirus pandemic has made clear is that supply chain and third-party service availability are just as critical as the questions of malware and breach resistance.
Fortunately, the groups responsible for each of those can work together to manage total risk.
“Organizations have different groups inside that can help each other in unexpected ways through these types of scenarios,” says White. “Cybersecurity has data that can help the supply chain or the third-party management team in ways that you wouldn’t expect.”
And that unexpected impact can extend across market boundaries.
“Many people think risk really pertains largely to finance and health care. I think I would tell them, if you’re outside of one of those industries, it still matters to you,” says Ann. “There have been plenty of things that have happened in the past, not counting COVID-19 or anything like that, that really illustrate the need for a strong third-party risk program across all industries.”
Ann emphasizes that the risk program has to be flexible and able to be modified to suit the changing challenges of the marketplace. “Just when we think we have everything covered – we have known cyber risk covered or financial risk or other things – there’s geopolitical risk that’s in here, there’s an infectious disease risk that we had never really thought of, or hurricanes,” she says.
“It’s a continually evolving process that has to look at new things; you can’t outsource the risk,” she says. “Once the risk is there, it may change into new forms. And you have to tackle those as they come.”
Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication.