Third Party Risk Management: It’s time for a new approach

Compromises of the digital supply chain can have a devastating impact. This was all too clear in 2020 when adversaries were able to breach SolarWinds and infiltrate multiple other companies and government organisations.

One year later came the infamous Log4j vulnerability announced by the Apache Software Foundation. The remote code execution flaw was quickly exploited by attackers, resulting in warnings from organisations including the United States Cybersecurity and Infrastructure Security Agency, which instructed firms to patch systems immediately.

The damage caused by supply chain vulnerabilities is often wide-reaching. The Log4j threat was so serious because it impacted enterprise applications and embedded systems as well as their sub-components. Affected programmes included the Java-based applications Cisco Webex, Minecraft and FileZilla, used by many businesses globally.

Over the next few years, the threat to the supply chain will elevate, according to Gartner’s Top Security and Risk Management Trends for 2022 report. Gartner predicts that by 2025, 45% of organisations worldwide will have experienced attacks on their software supply chains – a three-fold increase from 2021.

As digital supply chain risk grows, new mitigation approaches are key, Gartner says. They recommend a more deliberate risk-based vendor/partner segmentation and scoring, as well as highlighting the need for proof of robust security controls and secure best practices.

The supply chain needs to be secure for multiple reasons, including litigation, reliability and regulation. With increasingly sophisticated threats emerging all the time, third party risk management is integral for all companies.

As it stands today, it's the bane of many a security team and business. It’s time for a new approach, so how can this be done?

The challenge with the industry

Today’s digital ecosystem is increasingly complex to manage, making it essential that businesses understand their own risk. But instead of doing this themselves, organisations have to deal with the siloed third party risk management “cottage industry” involving lengthy questionnaires and box ticking exercises.

While these try to solve a problem, they have actually compounded it. The cyber questionnaire itself is antiquated and causes more problems than it solves.

The people in an organisation trying to comply with these requests on a regular basis end up being taken away from their day jobs. Here at Pinsent Masons we have created a team to deal specifically with it – but not everyone is so fortunate.

Businesses will always need to deal with multiple companies, but each will have varying security requirements that suppliers must adhere to. One may state that a password needs to be 15 characters long and expire after 20 days, but another could require access reviews every 2 weeks or password-less, multi-factor authentication only.

Trying to align these multiple requirements, responses and practices across a business that serves thousands in its supply chain, as clients and as vendors, is painful. There are many other posts by my peers voicing this frustration.

All too often, organisations are focused on ISO standards and security frameworks. While they are a good start, they don’t always keep up to date with modern and real-time ways of protecting the business.

Industry practice could dictate one way of doing things, but the standard says another. You might try to do the right thing and discover it’s not reflected in the contract. We tried opening up a Vulnerability Disclosure Program in lieu of some more traditional penetration testing controls, but this was seen as an issue against the auditors’ requirements. They agreed it was a better way of dealing with threats, but could not sign it off as the ‘tick box’ said something different.

Just as cloud is “someone else’s computer”, I believe that third party risk management often becomes a focus on “someone else’s security programme”, often becoming “do as we say” rather than “do as we do”. If we were able to rely on our contract schedules for security and good attack surface monitoring, why should we have to do more?

TPRM (third party risk management) as an industry has sprung out of this requirement to fully evaluate and assess your supply chain. There is a benefit to streamlining the process, but there may be six different third party risk management vendors that suppliers are using, and their scoring systems aren’t aligned. You could achieve a score of 4/5 with one vendor and 75 out of 100 with another. Let's be honest. It's painful. Last month we received a new 'PB' with over 1800 questions / rows to complete.

If a security incident ends up in a court of law, liability is another issue. Firms need a defensible position that they are managing security in the supply chain, and insurers require evidence that you are doing it properly. I get that, but come on people. We need to be better.

Third party risk management: Solving the problem

So what’s the solution? With vendors unwilling to open up their IP, resolving the problem with third party risk management requires a higher authority such as a standard or framework by a regulatory body, or at government level. Great opportunity here for the new PM to win some support and align with international colleagues.

I've always loved the National Cyber Security Centre (NCSC) and their useful guidance as a good baseline. Please don't tell the other Security Centres I have favourites. It’s great advice; however, it is guidance. For now, there needs to be a common assessment of the methodology you apply.

As an idea, you have Gartner citing Cybersecurity Mesh Architecture (CSMA) as a trend for 2022 as cyber security tools become increasingly connected. This architectural approach promotes interoperability between cyber security products for better overall security.

“By 2024, organisations adopting a cyber security mesh architecture to integrate security tools to work as a collaborative ecosystem will reduce the financial impact of individual security incidents by an average of 90%,” Gartner says.

What about applying this concept to the supply chain? One common API to rule them all!?

In an ideal world, partnerships between vendors would allow interoperability. This would benefit end users as well as breaking down silos in the industry.

If an organisation has provided assurances to one defined criteria, framework or vendor, it doesn’t make sense to do the same again with another. This is one of the biggest problems in information and cyber security today. If we put as much effort into raising our own security maturity as chasing down others in the name of TPRM we’d all benefit massively.


#TPRM #securitymesh #cisomusing #ciso #cybersecurity #thirdparty #risk

Rich Story

Director at Servita

2 years

I wholeheartedly agree with this, and great post Christian. A framework that has been contributed to by industry and thought leaders in the supply chain risk management space is much needed.

Mark D.

GRC Lead | CISA | CISM | PCIRM | Forces Veteran

2 years

You could add all your security information to a repository adopted by industry which gets breached and all our security controls/weaknesses are exposed to the wrong audience. I see many client questionnaires come my way and they vary in scale, quality and requirements around evidence. There doesn't seem to be a silver bullet for this. Just because you hold ISO 27001 doesn't seem to cut the mustard for assurance. Which I understand as an auditor, devil's in the detail and supporting evidence. So we may not see the end to this problem soon.

Andrew Rose

Award winning CISO, Speaker, Brand Evangelist, Industry Analyst, NED & Board Advisor, CISO Mentor, Ultra runner - passionate about driving information & cyber security through a people-centric focus

2 years

An API to describe and provide assurance on the implementation of security controls? Lovely idea, but wouldn't that be gold dust to attackers? And we already know how APIs are becoming a bigger target these days...

Leona Brunskill

Senior MXDR Sales Specialist @ Ontinue | CISMP, Microsoft Certified

2 years

Great post Christian, thank you. Love the "One common API to rule them all!?"
