Why Your Entire Company Should Help Build Your Third-Party Risk Management Program
Third-party vendor breaches happen constantly. The numbers say it all — 98% of organizations conduct business with a third party that has suffered a breach. And in the first two months of 2023, there have already been at least 13 reported data breaches, including major companies such as:
From phishing emails to leaked credentials, a bad actor can breach a company in many ways. But how many third-party breaches are caused by simple misunderstandings? It’s likely more than you think.
Often, misunderstandings and miscommunication between security teams and the rest of the organization can make it difficult to implement strong TPRM practices — leaving the business vulnerable to attacks.
To build a truly effective TPRM program, your entire organization should have some level of involvement — from enterprise risk managers to the board of directors, all the way to first-week interns.
What is a third-party cyber risk program?
A third-party cyber risk program is a comprehensive and continuous method to assess third-party vendor risk. An effective program will help you determine how a potential attack on your third-party vendors could affect your company and make better decisions about which vendors you use. It also provides a continuous, constant view on your vendors’ cyber posture and health.
Overlooked roadblocks to building a TPRM program
Ownership confusion, cross-department miscommunication, and plausible deniability are the most common, but often overlooked, challenges to building a TPRM program. And if these misunderstandings across the organization continue, the chance of a detrimental cyber attack increases daily.
There’s a widespread confusion about who owns third-party cyber risk management within an organization. This confusion tends to become a game of hot potato — with most employees saying, “I don’t own it, so I don’t care.”
Organizations must pay more attention to this ownership confusion because leadership teams often underestimate how third-party cyber risk can impact the business. If no one owns the TPRM program, there’s no way to communicate to leadership teams why a vendor could be risky.
For example: When issues with a long-time vendor raise the security team’s attention, the business owner could dismiss them due to misunderstanding the impact a vulnerable vendor could have on the business. Once the owner ignores those concerns, it’s only a matter of time until they become substantial damage (data breach, supply chain disruptions, loss of revenue, and customer trust).
At Black Kite, we’ve even heard people say, “I’ve never seen a TPRM program have an impact on security.” Just because it hasn’t happened yet doesn’t mean you’re immune to a third-party cyber attack.
When you hire a CEO or a CISO, you look for specific skills and qualifications to support a specific part of the business. But because they are such different roles, CEOs and CISOs have other priorities for the company — along with the tendency to think and speak using different vocabulary and industry jargon. As a result, it can be challenging for CEOs and CISOs to get on the same page about risk, causing minor miscommunications that could grow to be dangerous.
For example: More often than not, CEOs think in terms of company revenue. A CEO will understand the potential risk level of a third-party vendor in the context of revenue loss. But let’s suppose the risk is presented to a CEO without the context of revenue. In that case, they may not understand the full magnitude of risk in a way that helps them make good security decisions.
The same goes for CISOs. CISOs tend to think in terms of security and technical jargon. But it’s not easy for a CISO to come up with the monetary value of a potential third-party breach off the top of their head. So if a CISO tries to communicate third-party risk to a CEO in technical language, they may not convince the CEO to sign off on their concerns.
When miscommunication is this easy between leadership roles, you need to triple-check that everyone is on the same page to handle an attack properly.
Because the risk of a third-party breach originates outside the organization, it often becomes a case of, “We can’t completely prevent it, so we’re better off not putting any unnecessary effort into it.” Leaders often feel it’s easier to stay in the dark about the danger of a third-party breach because what’s the point of trying to prevent it if they can’t have complete control over it? For example: plausible deniability could stem from the fact that most organizations don’t have the power to tell a big vendor how they should conduct their security practices. If you want to use a service from a business like Microsoft, Google, Oracle, or Amazon, you either take what they offer (from a security perspective) or find another vendor. But finding another vendor is often not an option, as these companies provide comprehensive, industry-standard services that are difficult to duplicate. So if you can’t control your third party’s security practices, why bother trying at all, right? (Spoiler: WRONG).
Who on your security team should be involved in your TPRM program?
When building your TPRM program, involvement from your organization’s entire security team is crucial to ensuring success. To help you get started, here are three leadership roles that should be involved in your program:
- Supply chain managers
- Enterprise risk managers
CISOs need a broad understanding of security teams across the organization, operations, and TPRM best practices because cybersecurity teams tend to work in silos. A comprehensive understanding will help overcome these silos because when a CISO knows each team’s processes and operations, the CISO can ensure that the teams are compliant with state regulations and are not overlapping in projects.
Take, for example, the new regulations in the European Union. The Digital Operational Resilience Act (DORA) provides rules for financial services companies regarding information and communication technology (ICT)-related incidents.
Without an understanding of how every security team operates either internally or externally, it’s impossible to ensure that a business is 100% compliant. CISOs of financial services companies will need a comprehensive TPRM program to meet DORA’s new compliance standards.
The CISO should spearhead the development and implementation of the TPRM program, as a member of the C-suite has reach, credibility, and authority across the organization.
Supply Chain Managers
As more companies employ third parties for data storage and operations management, supply chain managers must understand how one vendor has the potential to impact the entire supply chain.
The SolarWinds attack is a great example of how a cyber attack heavily disrupts the supply chain. In this breach, attackers deployed malicious code into SolarWinds’ Orion IT software. The attackers achieved this by targeting a third party with access to SolarWinds’ systems instead of hacking their networks directly. This supply chain incident affected over 18,000 SolarWinds’ customers — including the U.S. government.
If SolarWinds’ supply chain managers better understood how a third-party cyber attack could disrupt their supply chain beforehand, they could have:
- Put extra controls in place (i.e. a tool to continuously monitor cyber risk) to protect customer information.
- Do their due diligence when researching new vendors to use.
- Flag certain areas of the supply chain that may be more vulnerable.
Supply chain managers should participate in the TPRM program in the role of consultant — to provide their expertise on supply chain risk and how it affects the business.
Enterprise Risk Managers
Enterprise risk managers should be involved in the TPRM program because they are responsible for monitoring and analyzing all risks within an organization’s business units and reporting them to the board.
For example, suppose you’re a risk manager for a university. In that case, you’re responsible for ensuring that the school’s information, data, and cybersecurity policies comply with the Higher Education Community Vendor Assessment Tool (HECVAT).
HECVAT is a questionnaire created by the Higher Education Information Security Council (HEISC) Shared Assessments Working Group for higher education groups to measure vendor risk. To ensure that your university is HECVAT compliant, you need to understand the security practices of your third-party vendors and what kind of risks they pose to avoid hefty fines.
Enterprise risk managers should participate in a TPRM program in a consulting role similar to supply chain managers — to provide their expertise on enterprise risk and how it affects the organization as a whole.
In the end, the more business leaders understand the potential impact of an attack, the better they can prepare for one. Vendor risk management should be a collaborative effort across multiple leaders, as a third-party attack can impact every team in the organization.
Who else should be involved?
From the board of directors to your first-week interns, full education across the business will ensure basic security hygiene and build a strong foundation for your TPRM program.
Your board of directors must understand third-party cyber risks to make better decisions for the business with TPRM in mind. Equipped with a deep knowledge of how a third-party breach can affect the business, the board can be a champion for security from the top down.
From a tenured HR manager to an intern, everyone should practice good security hygiene because anyone can open the door to an attacker. In fact, phishing is one of the top reasons for data breaches – with the most significant breaches costing an average of almost $5 million. Additionally, an organization can reduce its risk of a breach by 70% with high-level security awareness training.
It’s everyone’s responsibility to keep the organization secure, whether it’s by implementing two-factor authentication, spotting phishing emails, or regularly bringing security concerns to attention.
Enable collaboration with one tool
Black Kite’s third-party risk platform accurately measures and communicates the potential impact a vendor could have on your company for both technical and non-technical executives.
Black Kite assesses risk in three ways: technical, compliance, and financial. As we mentioned, assessing risk financially makes it easy to communicate potential danger with every executive at your company.
Additionally, the Black Kite platform provides access to technical risk data in the form of digestible findings — providing a way to educate the rest of the organization on risk.
With an easy-to-understand snapshot of your supply chain risk by visualizing defensible intelligence in the form of a letter grade — you can inform the entire organization on how to prevent interruption and data loss by using our reliable data to develop informed policies around all emerging threats.
To learn more about building an effective third-party cyber risk program, check out our blog What is a Third-Party Risk Assessment, and Why Do They Matter?