The Rambo Architecture and Third Party Risk
When I first started at Netflix, we'd sometimes describe our system as the Rambo Architecture. As John Ciancutti wrote: "Each system has to be able to succeed, no matter what, even all on its own. We're designing each distributed system to expect and tolerate failure from other systems on which it depends." This thinking is really at the heart of disciplines like resilience engineering and chaos engineering.
And if you zoom out, is the overall enterprise really any different? You're relying on dozens, hundreds, or thousands of third parties to make your organization run: SaaS vendors, business process outsourcers, cloud service providers. And yet, when it comes to making our organizations resilient to the inevitable security failures in this ecosystem, we spend our time sending around questionnaires and squinting at third party risk ratings to try and predict where the problems will occur.
I get why third party security risk management is how it is. We can easily track how many questionnaires we send out and review. Third party risk is an amazingly complex problem, and it makes us feel good to be able to do something. Unfortunately, activity doesn't equal progress or risk management.
So what should you do? Ultimately, I look at third party risk management as a classic operational security challenge that benefits from a pretty straightforward approach: you need to aggregate and operationalize distributed context. No AI or blockchain needed.
Aggregating and Operationalizing Distributed Context
In modern enterprises, many teams are involved in the selection and onboarding of third parties. Procurement, finance, legal, and IT are the usual suspects, though in modern organizations you'll often see business teams (e.g. marketing, customer service) selecting vendors and procuring solutions directly.
The context your security team needs to manage third party risk is distributed amongst these teams. You want to seek answers to questions such as:
The nice thing is that the answers to these questions are inside your organization. When you've gathered this context and operationalized it, you know your key vendors and partners, who to contact when issues arise, where your systems, applications, and data are exposed, and whether you're covered legally if and when something happens. And you don't want these answers buried in spreadsheets. To operationalize this data, it needs to be online and available to other systems (e.g. asset inventory, incident response). And, like anything inventory-related, it's an ongoing process that you'll need to enrich and improve over time.
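As an added illustration of operationalizing that context (not code from the article), here is a constructed Python sketch that joins the procurement, legal and IT slices into one queryable vendor record, records which team has no data rather than guessing, and answers the incident-response question of which vendors touch a given class of data. All vendor names, contacts, systems and contract terms are invented placeholders.

```python
from dataclasses import dataclass
from typing import Optional
# Hypothetical per-team sources; every vendor, system, contact and value is constructed.
PROCUREMENT = {  # who bought it and whom to call on the vendor side
    "ExampleCI": {"owner": "platform-eng", "contact": "security@exampleci.invalid"},
    "ExampleCRM": {"owner": "sales-ops", "contact": "trust@examplecrm.invalid"},
    "ExampleChat": {"owner": "marketing", "contact": None},  # bought directly by a business team
}
LEGAL = {  # contractual coverage; ExampleChat never went through legal
    "ExampleCI": {"breach_notice_hours": 72, "indemnity": True},
    "ExampleCRM": {"breach_notice_hours": 24, "indemnity": True},
}
ASSETS = {  # integrations as the asset inventory sees them
    "ExampleCI": [{"system": "build-pipeline", "data": ["source", "deploy-creds"]}],
    "ExampleCRM": [{"system": "sales-db", "data": ["customer-pii"]}],
    "ExampleChat": [{"system": "support-portal", "data": ["customer-pii"]}],
}

@dataclass
class VendorRecord:
    name: str
    owner: Optional[str]
    contact: Optional[str]
    coverage: dict
    systems: list
    data: set
    gaps: list  # context some team lacks; recorded explicitly, never guessed

def aggregate(name: str) -> VendorRecord:
    """Join the per-team slices for one vendor into a single record."""
    proc = PROCUREMENT.get(name, {})
    legal = LEGAL.get(name)
    assets = ASSETS.get(name, [])
    gaps = []
    if not proc:
        gaps.append("procurement: no business owner on record")
    elif not proc.get("contact"):
        gaps.append("procurement: no vendor security contact")
    if legal is None:
        gaps.append("legal: no contract terms on file")
    if not assets:
        gaps.append("it: no integrations inventoried")
    return VendorRecord(name, proc.get("owner"), proc.get("contact"), legal or {},
                        [a["system"] for a in assets], {d for a in assets for d in a["data"]}, gaps)

def inventory() -> dict:  # every vendor any team knows about, not only procurement's list
    return {n: aggregate(n) for n in sorted(set(PROCUREMENT) | set(LEGAL) | set(ASSETS))}

def vendors_handling(data_type: str) -> list:  # IR query: which vendors touch this data class?
    return sorted(n for n, r in inventory().items() if data_type in r.data)
```

Running `vendors_handling("customer-pii")` surfaces the directly-procured chat vendor alongside the CRM, and its record's `gaps` list shows exactly which teams still owe context.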
On the provider side, I do think it's important and valuable for vendors and service providers to be transparent and public with their security programs: what compliance regimes (e.g. SOC2, ISO, HIPAA) you are aligned with or audited against, what security incidents you have dealt with, etc. Make this information available and accessible to customers and prospects, and seek increasing transparency and automation over time.
The next time you have the urge to send an email blast to your vendors asking "are you affected by SolarWinds, log4j, CircleCI, <vuln of the week>?", take a beat. When you want to send out your shiny new custom 300-question security survey to a non-critical vendor, hit the pause button.
Can you confidently predict when and where security issues are going to occur in your own environment? Probably not, even though you have full knowledge of the environments you're defending. Yet we think we can take an outside-in look at our vendors' programs and use that incomplete, unvalidated, and likely out-of-date information as a crystal ball?
I hope sometime in the not too distant future we look back at the current era of finger pointing and questionnaire swapping and recognize it's little more than another example of security theater. Until then, there's nothing stopping you from thinking resilience first and borrowing some tips from Rambo.
CIA Veteran Turned CISO Mastermind | Team8's CISO in Residence | Keynote Speaker on Cyber/AI CISO Mentor | Schedule a call
3 months ago: I wonder if we as an industry could agree to common contract terms for cyber vendors so we can all expedite the contract negotiation process. Example: most Fortune 500 companies agree the standard is XYZ for indemnity.
Holistic innovation | People and Technology in harmony via Adapt Together, Team Topologies, and Continuous Stewardship.
3 months ago: It's sobering to think that the article by John Ciancutti was published in 2010 and yet most large organisations have still to grok the importance of what I now call an Ecosystem of Quasi-Independent Providers (or EQIP). This from the article sums it up perfectly: "Each system has to be able to succeed, no matter what, even all on its own. We're designing each distributed system to expect and tolerate failure from other systems on which it depends. If our recommendations system is down, we degrade the quality of our responses to our customers, but we still respond. We'll show popular titles instead of personalized picks. If our search system is intolerably slow, streaming should still work perfectly fine." The discipline of keeping separate things separate is so crucial. Most times, things that should be separate become tangled with other things, crippling the speed of changes and increasing risk. Thank you for sharing the insights, Jason Chan.
Director of Architecture ◆ Led 35+ Executives ◆ Delivered $20M+ Projects at Fortune 500 Companies, i.e. Intel, Sun, Texas Utilities
3 months ago: It's not what happens to us, but how we react to things that defines us.
Governance, Risk, Compliance (GRC) Executive, Building IPO-Proof GRC
3 months ago: Nicely put! I would also add that there are now some promising startups who are able to offer real-time visibility into risks from vendors when it comes to the kind of access they have, the types of data being shared with these vendors, the geographic locations where that data is being sent, etc. We really have no excuse to still use point-in-time questionnaire assessments for evaluating vendor risk that do nothing other than waste both our time and the vendor's time…
Strategic IT-Business Interface Specialist | Microsoft Cloud Technologies Advocate | Cloud Computing, Enterprise Architecture
3 months ago: Third-party risk management should center on aggregating and operationalizing distributed context. I agree. Acknowledge the complexity of managing third-party risks and the need for a comprehensive understanding of these relationships.