The Intersection of Third-Party Risk and Cybersecurity Program Management

Third Party Cyber Risk

According to a recent BlueVoyant/Opinion Matters global study of 1,500 CISOs, CIOs, and CPOs, 29 percent say they have no way of knowing if cyber risk emerges in a third-party vendor, and only 22.5 percent say they monitor their entire supply chain.

Without this key insight into their vendors, it’s no wonder that CISOs find third-party cyber risk management unwieldy. Unknowable risks and unforeseeable attacks on the supply chain and value chain continue to shift the risk landscape. Organizations are hungry for visibility into third-party cyber threats, and they must intertwine compliance controls with the new and evolving regulations that affect these vendors as an integral part of Cybersecurity Program Management (CPM).

Challenges to IT Compliance and Third-Party Cyber Risk Management 

The challenge of IT compliance is ever-growing in volume and complexity. Not only are standards, regulations, and enforcement changing, but the business itself is changing rapidly. The CISO’s role is expanding: their domain now extends beyond monitoring for risks and threats to include oversight of high-value assets, policies, training validation and control ratings.

While all this is happening, the IT landscape is constantly developing. Employees spin in and out of a revolving door. Processes are continuously evolving. A growing reliance on third parties and outsourcing arrangements makes it increasingly necessary for organizations to have agile IT compliance processes to mitigate emerging cyber risk. The CISO must ensure that controls extend beyond the organization to third parties and Nth parties so that vulnerabilities don’t lead to breaches.

These are the most significant challenges facing IT compliance today:

  • Third-party relationships and a growing reliance on information and technology
  • Detecting, communicating and managing changes to the business and regulatory environment
  • Moving away from checkbox compliance focused on point-in-time assessments to continuous compliance monitoring

Organizations apply contracts, SLAs and audits to ensure that vendors mirror their efforts in securing their data. But if due diligence in vetting these parties is lacking, cybercriminals can breach one of those vendors to reach the target organization’s data. To prevent this, the organization must confirm controls across all parties in the supply chain.

According to Gartner, 52% of legal and compliance leaders are concerned about third-party cybersecurity risks since COVID-19. CISOs must address the unknown and exacerbated risks arising from the pandemic. The sharp transition to working from home, for example, presents cyber threats for third parties that are inexperienced in securing home offices, and those risks extend to the organizations they serve. A third party’s lack of controls can translate into regulatory sanctions for the organization after a security event.

Intensifying this threat, a sea change in insidious supply-chain attacks is underway. Most notably, the recent SolarWinds hack illustrates the difficulty of gaining visibility into evolving third-party risks. SolarWinds customer FireEye only discovered the breach after cybercriminals stole its security tools, and FireEye is itself a cybersecurity vendor! If they can’t mitigate the risk, how can any vendor establish reliable controls to maintain regulatory compliance?

Aligning Cybersecurity Tools with Risks, Controls and Regulations 

Robust third-party cyber risk management is integral to CPM. The right CPM tools will identify third-party cyber risks that can entangle the organization in regulatory fines and sanctions. HIPAA/HITECH, GLBA, Dodd-Frank, and PCI-DSS ultimately adapt as unknown third-party cyber risks increase in likelihood and severity. The GDPR and CCPA have emerged, elevating privacy risks under the umbrella of third-party cyber risks. CPM tools must assess changes in cyber risks, reactions by regulators, and any need to reorchestrate controls to keep regulatory forces at bay.

In addition to regulations, there are a growing number of standards and related IT security frameworks, including: 

  • NIST CSF & Privacy Framework
  • NIST 800 series
  • Cloud Controls Matrix
  • FAIR
  • COBIT
  • ISO 27001/27002

Third parties present critical cybersecurity risks for every organization. Third-party cyber risk management is a burgeoning component of cybersecurity program management. As the regulatory landscape evolves, organizations need to ensure that IT compliance across the organization and its relationships keeps pace with changes throughout the IT landscape, or face serious repercussions that could damage their reputation, credibility and viability.

Organizations should assess Cybersecurity Program Management tools to ensure transparency into third-party cyber risks. Appropriate tools track and report on developing risks so the organization can comply with applicable regulations. Adopting a framework is critical, and organizations should confirm that they have the right tools to adhere to the regulations that affect their specific business.

Many organizations face the challenge that a proper IT compliance program involves a coordinated effort across the extended enterprise. Today, it’s more important than ever to be effective in identifying where your weaknesses lie, both inside and outside your organization. This is called Cybersecurity Accountability, and if you don’t have it, your organization is at risk.

To learn How To Enable Cybersecurity Accountability for the Enterprise, download our whitepaper today.

Sources

1. BlueVoyant/Opinion Matters global research study, September 23, 2020.
2. Gartner study, April 24, 2020.