Third-Party Risk Management: Why Good Intent Matters More Than Paperwork

Technology has made us highly dependent on the supply chain – third parties and the parties to those parties (what we call fourth parties).

The challenge? Companies are exposed because these services often lack visibility or are opaque at best. They don't necessarily know who or what is managing their stuff, and every service they buy has other services that exacerbate the problem.

Frankly, third-party risk management needs a great deal of maturing, but I also think it needs a different attitude.

In a recent conversation with Deepak Gami, Cyber Security Risk Leader, we explored this critical issue in depth.

As Deepak points out, "The biggest challenge is the maturity levels across various organisations. And the starting point is never zero."

Large organisations often have quite mature third-party risk management processes, which can be very onerous, but I question their efficacy. Don't get me wrong, we've got to ask the basics. It is very important to have due diligence programmes, know our clients, and look at their services, legal constraints, jurisdictional issues, and DPAs. But they still kind of operate on goodwill.

In my experience, follow-up is rare. In the last year, despite doing loads of these assessments, I've seen only one follow-up – and I wouldn't say the outcome demonstrated good intent. There was no next-level scrutiny. If we're going to have these processes, let's make them fit for purpose and drive quality and standards.

It's a two-way street, really. It's very easy for a client, especially a large one, to abuse the process – maybe there's a power gradient, or maybe it's just the procurement side of that organisation. As a supplier, that can be very daunting. But equally, vendors need to hold themselves accountable.

Deepak highlighted something interesting about the legal process: "I've seen vendors that go, 'Okay, I will sign up to these terms because I want the business.' And on the flip side, I've seen vendors that go through terms with a fine-tooth comb." But both extremes ignore what happens after go-live – how do we make that relationship work? How do we drive value and transparency?

Here's an ironic example: I've seen an incredibly well-known provider of IT and professional services, including SOC-related services, with really good tech and processes. They have everything down pat: certifications, international compliance, legals, data protection, the works. But their actual cyber security service delivery was appalling. Multi-million pound investment year on year, and we validated that the service wasn't fit for purpose.

One of the most valuable insights from my discussion with Deepak was about privileged access. He explains:

"Three years ago, I recognised the implications of upcoming legislation, particularly concerning privileged access. A key factor in numerous data breaches over the years, whether caused internally or by a vendor, has been the misuse or compromise of such access."

As legislation in the US, UK, Europe, and Australia sharpens, we need to get on top of our third-party risk management processes. It's definitely a journey, it's not easy, and it's a dance. It goes beyond the standard compliance checkboxes and legal requirements – it needs real investment and a cyber security partnership.

These are just some of the insights from my conversation with Deepak Gami. If you're interested in learning more about building effective third-party relationships, managing privileged access, and creating genuine partnerships, I encourage you to watch our full discussion.

And I'd love to hear your thoughts: How do you make third-party risk management work in practice, beyond the paperwork? How do you build genuine partnerships with your vendors while managing risk?

Let's connect if you want to enhance your third-party risk management processes and explore how Chaleit can help your organisation. You can reach out to me directly to discuss your specific challenges or contact our brilliant team.

When we interview for jobs, we usually ask how would you hack an enterprise. The best answers include 3rd parties, but unfortunately they are rare as. Thanks for the insights, gents.

Tony Gonzalez, CRISC, CDPSE, QTE

Fortune 50/500 Cybersecurity Executive/Executive and Cybersecurity Advisor/vCISO

3 days ago

Prof. Dan Haagman, there are a few critical points that you and Deepak Gami discussed. The first point I would emphasize is the treatment of third parties as strategic partners as opposed to vendors. The vendor label connotes a transactional relationship, like putting currency in a vending machine and getting a candy bar. Based on the complexity of the relationship, dependency on the 3rd party as a critical supplier, and other criteria vital to your organization, a portion of your third parties have criticality and high risk if the relationship is damaged or interrupted. These third parties should be addressed as strategic partners that require strong relationships to be in place. The second point I would throw out there is that third party risk assessment is as vital and important to the third party as it is to your organization when a strategic partnership is in place. Ensuring that your strategic partners understand how your program can add value to them makes them, as a supplier, more attractive to other customers in your vertical, and in other verticals that are highly regulated. Being a value-added partner goes way beyond the transaction. The paperwork is the initial formality that starts the really meaningful dialogue.

Deepak Gami

Cyber Security Risk Leader | Information Security | Delivering Security Uplift | People Leadership | Experienced Third Party Risk Management Professional | CISM | ISO 27001 | NIST

6 days ago

Prof. Dan Haagman A great article on the importance of third-party risk management - now more than ever. Companies must take greater 'Accountability' and build 'Trust' with their vendors, while vendors, in turn, need to be more 'Transparent'. Together, they should drive a true 'Partnership' approach that goes beyond products, services, and revenue.

Dominic Vogel

I save companies from evil cyber villains | Advocate for kindness in tech | The hype person YOU need in your life | High ENERGY speaker!!! | Avid beard grower

6 days ago

Your AMAZING posts are like a hang-gliding hamster soaring through the sky!!!! A true wild ride of inspiration, leaving us filled with awe-inspiring wonderment!!!!!
