What's Working With Third-Party Risk Management?

We know third-party risk management is a pain. If nobody likes the universally agreed upon solutions like questionnaires, what are we doing that's improving the situation?

Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark, the producer of CISO Series, and Steve Zalewski. Our sponsored guest is Nicholas M., CISO, Scrut Automation.

Segment and test

There are two components to understanding third-party risk. You first need to understand a vendor's value to your operations. Then you need to assess its security posture. Mike Wilkes of The Security Agency LLC summarized this by saying, "Continuous monitoring with different profiles for different vendors. Tier 1 means if they go down, you go down (or are significantly degraded)." This monitoring doesn’t need to be based on assessments; you can use your own security toolkit to get a better understanding of risk. “Conduct some active reconnaissance and, based on the vendor's criticality and relationship, perform penetration testing to identify potential vulnerabilities,” said Viresh Garg, CISSP, CISM, CISA, CCSP of Broadcom.

Focus on you

The most frustrating aspect of third-party risk management is how much lies outside your control. Don’t fight against that. "The longer I’m in this field, the more I realize third-party risk management is everywhere except what you control, and the only thing you control is you… Plan on that system/service/thing being unavailable. Build your systems and processes with resiliency in mind and control what you can control," said Jonathan Waldrop, CISO of The Weather Company.

What you can control is the information you share with third parties. Andrew Townley of Archistry Incorporated found this an easy way to improve your risk management, saying, "If you're not prepared for the impact of disclosure, don't share it with a third party. Even with ‘trickle-down’ or ‘viral’ clauses in the contracts, it's nth-party risk management from the get-go. Most of the reason this is a problem is because nobody really understands the potential impact of the exposure, and therefore it doesn't factor into the original sharing decision in the first place."

Embrace the risk lifecycle

A given third-party risk isn’t a one-off event. It carries a long tail that goes beyond technical considerations. "The control should encompass the entire lifecycle, from onboarding to offboarding new third parties. A comprehensive analysis and mitigation plan should include a recovery process for each vendor, as the threats they represent and the mitigation measures required might differ,” said Marie-Eve Girard of M.E Cie. This lifecycle needs to start at the contract level, so there’s no confusion on the third party's side. Tony Gonzalez, CRISC, CDPSE, QTE of Innervision Services LLC spelled this out, saying, "An effective TPRM process needs to incorporate third-party commitment through contracts that clearly state what is expected from the third party, annual review processes that require evidence of continuous improvement and state of controls, and ownership and engagement of the third-party relationship to govern and manage the process."

Not all vendors are the same

In our effort to systematize third-party risk management, we risk painting every vendor with the same brush. A one-size-fits-all approach is doomed to fail. "I would love to see a more risk-driven approach. A SaaS vendor shouldn’t receive the same questionnaire as a vendor whose product you’ll be hosting on-prem. Focus deeper analysis towards your areas of greatest risk, and reallocate time towards other efforts that contribute to improving the business,” said Joseph Longo of GitLab.

Please listen to the full episode on your favorite podcast app, or over on our blog where you can read the full transcript. If you’re not already subscribed to the Defense in Depth podcast, please go ahead and subscribe now. Thanks to Scrut Automation.

Huge thanks to our sponsor, Scrut Automation


Subscribe to Defense in Depth podcast

Please subscribe via Apple Podcasts, Spotify, YouTube Music, Amazon Music, Pocket Casts, RSS, or just type "Defense in Depth" into your favorite podcast app.


Beating MFA Fatigue and AI-Driven Attacks with DirectDefense

Sponsored content

One of the big trends among threat actors over the past year is a rise in attacks on multi-factor authentication (MFA). Attackers have grown more sophisticated, using a variety of techniques. Some of these are tried-and-true favorites like MFA fatigue and SIM swapping. But Jim Broome, president and CTO, DirectDefense, points out that threat actors increasingly turn to generative AI tools to help sell phishing schemes. Organizations can't stand still with MFA. These solutions need regular auditing to look for weak spots in process and technology.

Watch the video.

Huge thanks to our sponsor, DirectDefense



I’m an Executive Recruiter for security professionals. Ask Me Anything.

Starting this month, CISO Series will be hosting a monthly "Ask Me Anything" (AMA) discussion right here on . The first one began this past Sunday, August 25th, 2024 and runs to August 30th, 2024, and it is titled, “I’m an Executive Recruiter for security professionals. Ask Me Anything.”


Join us Friday, 09-06-24, for “Hacking Tabletop Exercises”

Please join us on Friday September 6, 2024 for Super Cyber Friday.

Our topic of discussion will be “Hacking Tabletop Exercises: An hour of critical thinking about enhancing incident response readiness.”

Joining me for this discussion will be DJ Schleen, distinguished security architect, Yahoo, and Christina S., CIO, KIK Consumer Products.

It all starts at 1 PM ET/10 AM PT and then we roll over to our meetup portion on Discord. It’s a great chance to connect with the cybersecurity community.



Jump in on these conversations

"Where to go from SOC Analyst?"

"What is the significance of AI in the world of Cybersecurity?"

"How beneficial are sites like HackTheBox?"


Coming up in the weeks ahead on Super Cyber Friday we have:

  • [08-30-24] No show
  • [09-06-24] Hacking Tabletop Exercises
  • [09-13-24] Hacking Leadership Skills

Save your spot and register for them all now!


Thank you for supporting CISO Series and all our programming

We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!

Everything is available at cisoseries.com.

Interested in sponsorship, contact me, David Spark.




Andrew Townley

Advisor to organizations who want to build effective, value-driven security programs that are integrated with business delivery | Speaker | Founder | Innovator | Thought Leader

3mo

David Spark, Steve Zalewski and Nicholas M., thanks for the reference to my comment and making me part of this conversation. I really appreciate it, and I enjoyed the extra commentary and thoughts.

Neil Saltman

Technology & Cyber Advocate I Author I Sales Leader I Mentor I Lifelong Learner I Sales @ Ahead

3mo

Nicholas M. is just another all star added to your cast! Always enjoy the shows!

Tony Gonzalez, CRISC, CDPSE, QTE

Fortune 50/500 Cybersecurity Executive/Executive and Cybersecurity Advisor/vCISO

3mo

David Spark, Steve Zalewski and Nicholas M., great discussion weaving all the different perspectives of TPRM together on this episode.

Mauricio Ortiz, CISA

Great dad | Inspired Risk Management and Security | Cybersecurity | AI Governance | Data Science & Analytics. My posts and comments are my personal views and perspectives, not those of my employer.

3mo

Great perspectives and ideas as always. Indeed, this area is a challenge and a headache for every company regardless of size and vendor management maturity.
