According to a recent global study by BlueVoyant and Opinion Matters of 1,500 CISOs, CIOs, and CPOs, 29 percent say they have no way of knowing whether cyber risk emerges in a third-party vendor, and only 22.5 percent say they monitor their entire supply chain [1].
Without this insight into their vendors, it is no wonder that CISOs find third-party cyber risk management unwieldy. Unknowable risks and unforeseeable attacks on the supply chain and value chain continue to shift the risk landscape. Organizations are hungry for visibility into third-party cyber threats, and they must tie their compliance controls to the new and evolving regulations that affect these vendors, as an integral piece of Cybersecurity Program Management (CPM).
Challenges to IT Compliance and Third-Party Cyber Risk Management
The challenge of IT compliance keeps growing in volume and complexity. Standards, regulations, and enforcement are changing, and so is the business itself. The CISO’s role is expanding: beyond monitoring for risks and threats, it now includes oversight of high-value assets, policies, training validation and control ratings.
While all this is happening, the IT landscape is constantly developing. Employees spin in and out of a revolving door. Processes are continuously evolving. A growing reliance on third parties and outsourcing arrangements makes it increasingly necessary for organizations to have agile IT compliance processes that mitigate emerging cyber risk. The CISO must make sure that controls extend beyond the organization to third parties and Nth parties (the vendors’ own vendors) so that vulnerabilities in the chain don’t lead to breaches.
These are the most significant challenges facing IT compliance today:
- Third-party relationships and a growing reliance on outside information and technology
- Detecting, communicating and managing changes to the business and regulatory environment
- Moving away from checkbox compliance focused on point-in-time assessments to continuous compliance monitoring
Organizations rely on contracts, SLAs and audits to ensure that vendors mirror their efforts in securing their data. But if due diligence in vetting these parties is lacking, attackers can breach one of those vendors to reach the target organization’s data. To prevent that, the organization must confirm controls across all parties in the supply chain, not just its direct vendors.
According to Gartner, 52% of legal and compliance leaders are concerned about third-party cybersecurity risks since COVID-19 [2]. CISOs must address risks the pandemic has introduced or exacerbated. The sharp transition to working from home, for example, presents cyber threats for third parties that are inexperienced in securing home offices, and those risks extend to the organizations they serve. A vendor’s lack of controls can translate into regulatory sanctions for the organization after a security event.
To intensify this threat, a sea change in insidious supply-chain attacks is underway. Most notably, the recent SolarWinds hack illustrates how hard it is to gain visibility into evolving third-party risks. FireEye, a SolarWinds customer, discovered the compromise only while investigating the theft of its own red-team tools, and FireEye is itself a cybersecurity vendor. If a security vendor can’t detect a risk like that in its own supply chain, how can any vendor establish reliable controls that maintain regulatory compliance?
Aligning Cybersecurity Tools with Risks, Controls and Regulations
Robust third-party cyber risk management is integral to CPM. The right CPM tools will identify third-party cyber risks that can entangle the organization in regulatory fines and sanctions. Regimes such as HIPAA/HITECH, GLBA, Dodd-Frank, and PCI DSS continue to adapt as third-party cyber risks increase in likelihood and severity. GDPR and CCPA have added privacy risks to the umbrella of third-party cyber risks. CPM tools must track the changes in cyber risks, the reactions of regulators, and any need to reorchestrate controls to keep regulatory forces at bay.
In addition to regulations, there are a growing number of standards and related IT security frameworks, including:
- NIST Cybersecurity Framework (CSF) and NIST Privacy Framework
- NIST SP 800 series
- CSA Cloud Controls Matrix
- ISO/IEC 27001/27002
Third parties present critical cybersecurity risks for every organization, and third-party cyber risk management is a burgeoning component of cybersecurity program management. As the regulatory landscape evolves, organizations need to ensure that IT compliance across the organization and its relationships keeps pace with changes in the IT landscape, or face serious repercussions that could damage their reputation, credibility and viability.
Organizations should assess Cybersecurity Program Management tools for the transparency they provide into third-party cyber risks. Appropriate tools track and report on developing risks so the organization can comply with applicable regulations. Adopting a framework is critical, and organizations should determine that they have the right tools to adhere to the regulations that affect their specific business.
Many organizations face the challenge that a proper IT compliance program involves a coordinated effort across the extended enterprise. Today, it’s more important than ever to be effective in identifying where your weaknesses lie, both inside and outside your organization. It’s called Cybersecurity Accountability, and if you don’t have it, your organization is at risk.
To learn How To Enable Cybersecurity Accountability for the Enterprise, download our whitepaper today.
[1] BlueVoyant and Opinion Matters, global research study, September 23, 2020.
[2] Gartner, study, April 24, 2020.