Shake it Out, Shake it Out
“We’ve seen breaches where the ‘partner effect’ has played a major role, but have you noticed that nobody seems to really know how to manage that risk well,” poses Pete Lindstrom, Vice President of Security Research at IDC.
Third-party information security risk has, as a matter of fact, become a focus point for many organizations’ executive teams and boards of directors. Business executives are aware that some of the mega breaches (Target, for example) were perpetrated through insecure third-party systems, and they’re now demanding that security teams provide more information about the problem while allowing security to allocate additional time and investment toward third-party due diligence. Despite this, Lindstrom says, no one seems very clear about what they’re getting in return for all this effort and money. “The best companies are getting hit,” and the industry is not moving toward a demonstrably more secure posture. Infosec Insider asked Lindstrom what he sees in the market as the most effective third-party security techniques: “We have a lot of conventional wisdom on the subject, but the truth is we don’t know yet.”
It’s hard to dance with a devil on your back
Companies continue to build out internal infrastructures, partner connectivity, and cloud service provider partnerships, yet the security industry hasn’t been able to keep pace with methods to secure those connections and tools. Lindstrom notes that “Every company is putting together its own ‘Frankenstein’ questionnaire,” based on industry frameworks and standards like SOC2 and NIST, yet all of the questions and upfront due diligence aren’t getting the job done. They are not stopping breaches at otherwise secure companies—those with the most up-to-date internal infrastructures, hardened controls, big budgets, and skilled security staff. The SOC2-type checklists are “good for point in time audits,” offers Lindstrom, but what the industry really needs, he posits, is improved real-time monitoring; an assessment or checklist can’t be the bar for invulnerability. Even the most thorough third-party risk assessment checklist or questionnaire is valid only for the period during which the assessment is being performed. Once the environment changes—and technology environments change all the time, often without warning—a company needs to start over again with the same checklist (or, hopefully, a better one). And continuous testing? That’s unrealistic and disruptive.
I can never leave the past behind
Security folks talk a lot about due diligence, and Lindstrom is skeptical: “How much of our current due diligence is sour grapes because we can’t implement the controls in our own environments? How do we expect our partners to be the pinnacle of security when we, ourselves, aren’t there yet?” In actuality, he continues, we don’t yet know what works in the aggregate. “Sure, it’s easy to see how controls work in a one-off situation, but how does it compile into an effective risk management program?” The working hypothesis is real-time monitoring, but Lindstrom isn’t satisfied with good guesses.
IDC recently studied downstream liability, and Lindstrom is currently conducting an ongoing Business Partner IT Risk Management Survey (through MISTI) as a way to better understand what organizations are doing now to reduce third-party risk. Once the results are in, he will then explore how far security needs to go to achieve improved maturity.
The idea behind Lindstrom’s research is that, at some point, the “rubber’s going to meet the road” and security teams will start to be held accountable for how they allocate resources to third-party risk management. Pointing to that original partner checklist won’t hold water for very long. Organizations are very quickly going to need to focus on the areas that deliver the highest return and achieve the lowest risk possible, offers Lindstrom.
It’s always darkest before the dawn
Needless to say, risk will always reflect probability. Achieving a 100% risk-free technology environment is impossible, and security teams need to do a better job explaining why to executives and boards. The level of complexity is too high, and it’s only going to get more convoluted as time passes. However, says Lindstrom in closing, “We should be better about metrics and measurement. We need to see what’s working and what hasn’t. It’s amazing how much in security hasn’t been tested for effectiveness.”