Security practitioners consistently deal with a slew of issues tied to protecting their organization’s most critical assets. When asked what keeps them up at night, the list is endless: connected devices, shadow IT and explaining the security and risk function to board members.
But an increasingly problematic area is the third-party business providers connected to their company’s lines of business. From Dairy Queen and Target to the Department of Veterans Affairs and Home Depot, disastrous breaches have occurred involving third-party vendors.
It’s tough to work with them, but it’s even more difficult to operate without them. Enterprises without a business partner risk management program in place are fighting a losing battle. While there are many things to consider, we’ve highlighted four ways to strengthen your third-party risk management program.
There’s a shift occurring in the approach many security managers take today. Many practitioners have realized that focusing too heavily on the perimeter of their ecosystem draws attention away from the activity surrounding business-critical assets. Yes, outside miscreants will always look to break in, but it’s far better to assume a breach will happen and be prepared to detect it and act once it does. Security practitioners must be familiar with the activity that surrounds the systems and applications housing the most valuable data within the company. The security and risk organization needs to know where those assets are and who within, or in this case outside, the organization can interact with them. Depending on the partnership, third parties will have to interact with some of those assets to an extent. Know which accounts belong to which partner, which systems each partner is contractually allowed to touch and when, and monitor that activity continuously so that anything outside those bounds is caught rather than discovered after the fact.
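The monitoring described above is easier to reason about with a concrete check. The following is an added example, not code from the original article: it records, per vendor service account, the hosts that account is contractually allowed to reach and its agreed maintenance window, then reviews access-log lines and flags any vendor login that lands outside that scope or window, rating a hit against a critical host higher. The hostnames, account names, windows, IP addresses and the `timestamp key=value ...` log format are all constructed for illustration.

```python
"""Flag third-party account activity that strays outside its agreed scope.

Added example (not from the original article). Every host, account, window and
log line below is constructed for illustration; adapt the scope table to the
systems and contracts of your own environment.
"""
from dataclasses import dataclass
from datetime import datetime, time
from typing import Dict, FrozenSet, List, Tuple

# Hypothetical business-critical systems: a hit on one of these is rated "high".
CRITICAL_HOSTS: FrozenSet[str] = frozenset({"pos-db-01", "hr-app-01", "erp-app-02"})


@dataclass(frozen=True)
class VendorScope:
    """What a vendor account is contractually allowed to do (hypothetical)."""
    vendor: str
    allowed_hosts: FrozenSet[str]
    window_start: time  # start of the agreed maintenance window (local time)
    window_end: time    # end of the window; may be earlier than start (wraps midnight)


# Hypothetical vendor service accounts and the scope each contract grants them.
VENDOR_SCOPES: Dict[str, VendorScope] = {
    "svc_hvacco": VendorScope("HVAC Co", frozenset({"bms-ctl-01"}), time(8, 0), time(18, 0)),
    "svc_erpsupport": VendorScope("ERP Support", frozenset({"erp-app-02"}), time(22, 0), time(4, 0)),
}


@dataclass(frozen=True)
class Finding:
    timestamp: datetime
    account: str
    host: str
    severity: str
    reason: str


def in_window(t: time, start: time, end: time) -> bool:
    """True if t falls inside [start, end), handling windows that cross midnight."""
    if start <= end:
        return start <= t < end
    return t >= start or t < end


def parse_line(line: str) -> Tuple[datetime, Dict[str, str]]:
    """Parse the constructed 'ISO-timestamp key=value key=value ...' format."""
    ts_str, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return datetime.fromisoformat(ts_str), fields


def review_vendor_activity(lines: List[str]) -> List[Finding]:
    """Return one Finding per vendor login outside its contract scope or window."""
    findings: List[Finding] = []
    for line in lines:
        ts, fields = parse_line(line)
        account, host = fields["user"], fields["host"]
        scope = VENDOR_SCOPES.get(account)
        if scope is None:
            continue  # internal account: not a third-party concern for this check
        if host not in scope.allowed_hosts:
            severity = "high" if host in CRITICAL_HOSTS else "medium"
            findings.append(Finding(ts, account, host, severity,
                                    f"host outside {scope.vendor} contract scope"))
        elif not in_window(ts.time(), scope.window_start, scope.window_end):
            findings.append(Finding(ts, account, host, "medium",
                                    f"access outside {scope.vendor} maintenance window"))
    return findings


# Constructed sample log: two normal vendor logins, one internal login, and three
# events that should be flagged (a building-controls vendor reaching a payment
# database, an ERP vendor logging in mid-afternoon, and a vendor on an unrelated file server).
SAMPLE_LOG: List[str] = [
    "2024-03-02T23:15:02 user=svc_erpsupport host=erp-app-02 action=login src=203.0.113.7",
    "2024-03-03T10:02:11 user=svc_hvacco host=bms-ctl-01 action=login src=198.51.100.9",
    "2024-03-03T10:05:40 user=svc_hvacco host=pos-db-01 action=login src=198.51.100.9",
    "2024-03-03T14:30:00 user=svc_erpsupport host=erp-app-02 action=login src=203.0.113.7",
    "2024-03-03T14:31:00 user=jsmith host=hr-app-01 action=login src=10.0.0.5",
    "2024-03-04T02:00:00 user=svc_hvacco host=file-srv-03 action=login src=198.51.100.9",
]

if __name__ == "__main__":
    for f in review_vendor_activity(SAMPLE_LOG):
        print(f"{f.timestamp.isoformat()} {f.severity:6} {f.account} -> {f.host}: {f.reason}")
```

Run against the sample, the review yields three findings and ignores the internal login. The point of the scope table is that it is derived from the contract (see the next section): if the agreement does not say which systems a partner may touch and when, there is nothing to check against, and the out-of-scope login looks like any other.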
Your business partner contracts are a critical component of your third-party risk management program. Be sure the right details are included in these agreements, because they determine how your data is treated once you sign on the dotted line. Doing so holds partners accountable and sets a clear expectation for their security posture when working with your organization. The more critical the systems and applications tied to a partnership, the more detail the agreement needs: which systems the partner may access, under what conditions, how incidents are reported and what evidence of their controls you can ask for. If you currently have an agreement in place that lacks the necessary security requirements, it may be best to use the renewal date to revisit the contract. At times, it’s necessary to bring the executive team together to ensure that the right measures are in place, and to communicate if any risks outweigh the rewards.
Every organization should have and use a vendor risk assessment checklist when vetting new partnerships. IT risk management consultant Jerod Brennen shares that these assessments can feature hundreds of questions, depending on the complexity of the business. Naturally, not every question applies to every vendor. He suggests running through these questions and prioritizing them, so the ones most relevant to the partnership come first. The top three categories he recommends putting first are access management, vulnerability management, and security controls.
Given that security and risk departments have limited budgets and resources, it can be quite challenging to manage a large set of third-party vendors with a small team. Ranking these partnerships by how much they interact with critical systems and applications within the business helps prioritize that work. The more involvement business partners have with sensitive data, the more attention they should receive from the security and risk organization.