Prevalent recently announced the findings of its 2022 Third-Party Risk Management Study, which demonstrates that third-party risk management (TPRM) is at a crossroads: organizations can continue with existing insufficient pathways, or improve TPRM processes to get on the path to success. To learn more about the study's findings, including current trends, challenges and initiatives impacting TPRM practitioners worldwide, VMblog spoke with Brad Hibbert, COO and CSO at Prevalent.
VMblog: What are the key findings, both surprising and expected, of the study?
Brad Hibbert: I was expecting executives and the board to have more visibility into third-party risk, especially considering all the high-profile third-party and supply chain breaches that happened in the last year. Think: Kaseya, Toyota, and SolarWinds.
What surprised me though was that despite all the executive attention on third parties, so many security and risk management teams (45%) are still reliant on spreadsheets to report on their third-party risks - and that number increased over last year! All that manual work must make it so complex to respond quickly when there is a third-party data breach.
Speaking of third-party data breaches, another surprise was the number of companies that take either a passive wait-and-see approach or don't really have a third-party incident response program in place - 31% in all. I don't know how organizations can justify that kind of approach when the consequences are so apparent.
VMblog: TPRM programs are increasingly top-of-mind for organizations, and yet TPRM is at a crossroads. Why is this?
Hibbert: We're seeing an inflection point in third-party risk management. There was a time when TPRM was focused solely on IT vendor risks. And this was natural because of the attack surface that third parties present to your own systems and data. But I would argue that third-party threats to businesses have evolved into physical ones in addition to the logical ones.
As an example: the Russian invasion of Ukraine. If you had a supplier or vendor in Ukraine, what kind of assurance do you have that they will a) still meet their obligations, or b) have a workaround? That's a supplier business resilience issue and not an IT security issue. And, do you have a picture of your suppliers' suppliers and whether they're run by a sanctioned individual? This is what we mean by crossroads - the old way of TPRM only tells half the story, and companies need to evolve and look at all types of risks holistically - IT and non-IT alike.
Let me illustrate further using some "but" statements. There's the current path, and a better path. For example, companies are paying more attention to non-IT security risks, but not enough. Third-party risk might be getting more strategic, but manual methods hold them back. Companies are concerned about third-party incidents, but their toolsets to detect and manage them are outdated. And, companies are assessing risks at early stages in their lifecycle, but not much in the later stages.
VMblog: What is the most common TPRM blind spot for organizations?
Hibbert: How a company responds to a third-party data breach or other security incident. In the first question, we talked about 31% of companies either taking a passive approach to incident response, or not even having a third-party incident response program in place at all. The study also showed that it takes about 2.5 weeks from when an organization learns of a third-party incident to when they receive confirmation of remediation. A lot can happen in that time period.
Instead, we recommend taking a more proactive approach that includes consistent IT security controls audits and continuous cybersecurity monitoring for validation as a preventative measure. The more you know earlier, the faster you'll achieve a favorable resolution. You'll never stop every incident, but if you can shorten your mean time to detection and response, it mitigates the negative impacts.
VMblog: Knowing your blind spots is one thing; addressing them effectively is another. What is the main sticking point organizations face when considering an upgrade to TPRM programs?
Hibbert: I'm a firm believer that there are two reasons behind every decision: will and resources. Sometimes organizations have the will to change, but can't muster the resources. Or, they have the resources, but lack the will.
Companies in the former category need to seek help building their programs foundationally through best practices, or maybe offloading the work to expert services providers to manage their programs on their behalf to account for limited resources.
Companies in the latter category need help prioritizing third-party risk automation, and that typically happens when a big third-party breach threatens the company. The board gets involved and suddenly you have the will and the resources.
VMblog: 40% of organizations are paying more attention to non-IT security risks. How do you define "paying more attention" and what are the main reasons the majority of organizations continue to overlook non-IT risks?
Hibbert: We asked organizations what risk types they actively assess or monitor. 40% of companies indicated that they track risks like fraud, contractual risks, compliance and ethics, and reputational and financial risks - all of them in the "non-IT" bucket. Others, like modern slavery, anti-bribery and corruption, anti-money laundering, and ESG, not so much.
Companies overlook non-IT risks because they can't quantify the risk like you can an IT security exposure, and, frankly, they may not be required to track non-IT risks. However, a company's tune will typically change when one of their suppliers is caught up in some sort of legal action, negative regulatory action, or bad press, or when there is a mandate to report on risks such as ESG or slavery in their extended supply chain. Being reactive to those risks puts you in a bad position.
VMblog: Less than half of organizations track risk in later stages of the vendor lifecycle. Why does tracking decrease as the relationship lifecycle matures, especially during offboarding and termination stages, and what are the ramifications of this?
Hibbert: It comes down to visibility - there is a lot of visibility into new vendors and suppliers at the beginning of the relationship. You have to ensure the contract has the right terms to protect the company. You have to make sure the new vendor can deliver and they can pay their bills. You need to make sure they don't introduce new cyber risks into your environment. You have to make sure there isn't legal action against them or a bad regulatory finding. You have to check their reputation. And so on.
Once established, and you've got a good working relationship with the vendor or supplier, maybe you're only looking at risk annually during a contract renewal. Is there someone watching whether SLAs are being met? Is that information widely shared to inform contract renewal decisions?
With offboarding, if termination procedures aren't followed and you haven't validated that the vendor destroyed your customer data, or terminated physical or logical access to systems and data, you could end up with a regulatory finding and associated fines levied against you if that data is compromised.
VMblog: Associated risks with third-party vendors and suppliers are inevitable. What does this mean for the state of the supply chain going forward, especially in light of already continuous cyber disruptions?
Hibbert: There will always be risk, and you will never get to zero, so it's all about adjusting your risk appetite accordingly. Your risk appetite should be different for every third party you work with. This happens through a tiering and categorization exercise. For example, the folks that supply wiring to your final product may present mostly limited risk to your company due to the ability to swap out wiring suppliers pretty easily. But the folks hosting your data center or supplying the essential widget to your product should be high-risk because switching costs are so high and disruption is inevitable. The bottom line is that you can't see every supplier through the same risk lens; you have to bucket your suppliers and treat them accordingly.
VMblog: For organizations wanting to get on the path to TPRM success, what areas of improvement are most strategic?
Hibbert: First, you have to look at third-party risk holistically - everything from contractual, reputational and financial risk to cyber risk and ESG-type risks. That complete picture is much more contextual. Next, and this goes along with the first point, look at uniting your toolsets. You've got a handful of tools tracking and managing risks of multiple types in your organization, and they're likely operating in silos anyway. Tying them together will help you come audit time.
Third, you have to get more proactive about third-party incident response. By proactive I mean have a plan, people, processes and tools in place and continually test them so that when the next SolarWinds happens you can quickly find out which of your third parties is using that solution and what their remediation plans are. The board is going to ask, and waiting a couple weeks for an answer won't sit well with them. Trust me on that one.
Finally, you have to close the loop on the third-party lifecycle and have processes and tools in place to continuously monitor vendor performance and offboarding tasks. Don't get comfortable with an existing vendor relationship because they haven't been breached.
VMblog: This has been great! How can VMblog readers get their hands on the full study to learn more?
Hibbert: You can go to www.prevalent.net/content-library/2022-third-party-risk-management-study/ to download the full eBook and get a neat infographic that summarizes the key points.