Although most organizations understand its importance, it can be difficult to start building and maintaining a scalable third-party risk management program. We reached out to Bob Wilkinson, Founder & CEO of Cyber Marathons Solutions, who has deep expertise in the third-party risk management (TPRM) space and is consulted by numerous large enterprises on this topic. Read on to learn his tips and best practices.
In a nutshell, what is a scalable program?
A scalable program is one where you, on a continuous basis, mitigate the risk that arises from third-party and subcontractor relationships based on a business decision to outsource.
How to start?
It is important to remember that the purpose of a third party risk management program is to understand where risk exists arising from the use of third parties and to remediate this risk to your organization. When establishing a program, focusing on ‘quick wins’ that allow you to demonstrate progress is an essential building block for program success.
Understand your inventory of third-parties. Start with the most important ones from a risk perspective. Those would be the companies that you exchange confidential and restricted information with, and the ones you grant access to your information and to your various platforms and infrastructure. Ask these companies who their third-parties are as well. Realize that building the full third party inventory will take an extended amount of time.
It will be useful to ask yourself these questions:
- Who do you share non-public data with?
- Who do you grant access to data and company infrastructure?
- Who develops software for your critical business applications and how mature is their software development process from a security perspective?
What are other important steps?
Put in place a data security appendix for new contracts with third parties being onboarded that provides for three critical things:
- Right to audit, which gives you the ability to perform assessments
- Notification of any potential breach when it occurs
- Commitment to resolve security issues or gaps that are identified.
These steps will assist you in having a process that is efficient in assessing and mitigating the risk that arises from the use of third-parties. You could spend a lot of time and money trying to build the perfect program and not do anything to mitigate the risk that comes from outsourcing. This part of the conversation sometimes gets lost because people focus on making sure they have all the components of the program in place before they begin to address the risk that exists.
How to begin addressing risk?
Defining clear goals early on will result in quick wins.
The program is not meant to assess, but to assess and mitigate the risk associated with third-party outsourcing relationships. However, many programs assess risk and stop. They don’t hold the third-party accountable for mitigation of the issues that were identified, so they don’t achieve the key goal of risk mitigation.Bob Wilkinson, Founder & CEO of Cyber Marathons Solutions
A scalable program should involve the ability to continuously monitor the controls that are in place at your third-party. So it might be helpful to ask:
- What are the new vulnerabilities that were discovered and need to be patched timely by the third-party?
- What are the changes in the third-party’s network configuration that may result in an open threat actor to exploit?
- Has any new functionality added to a third-party service or product been properly tested and secured to ensure there are no vulnerabilities associated with it?
Start with monitoring your most critical third parties to identify security issues that may exist which have the potential to be exploited. Run a limited pilot and don’t try to boil the ocean by performing security scanning of a large number of your third-parties initially. Build out a process that allows you to take action on findings and mitigate them. You can scale it later, and also discover unknown fourth-party / subcontractor relationships.
What about risk management across the whole supply chain?
When you start looking at risk in your supply chain, you have to divide your third-parties into two groups:
- The new third-parties that you’re bringing into your company
- The existing third-parties that you’ve already onboarded
This is the concept that I call “stopping the bleeding” that occurs when you continue to bring new companies on board and not properly address security, both from a risk assessment perspective and from a legal or contractual perspective.
How does this division between “new” and “existing” enable escalation?
The benefit is that new third-parties can be the starting point to build a scalable program. You start with the new, and then, when you have a program that is scalable and more mature, you go on to address existing third-parties through your new process.
So when a contract comes up for renewal, for example, you can address some of the contractual aspects that may not have initially been addressed prior to having a data security appendix for the contract in place.
Is building a TPRM program resource intensive?
It depends on the size and complexity of the organization and its third-party ecosystem, but everyone can start small and scale to meet organization needs. Different industries and different companies within industries have different risk profiles and use outsourcing to different extents, and some take greater risks than others.
One of the opportunities that companies have is to move to a continuous monitoring of their third-parties and away from a “point in time” assessment (say once a year). The greater use of technology means that companies will be less reliant on people to perform ‘point in time’ assessments in the future and they’ll have a more accurate and timely understanding of the risk that exists within their environment.Bob Wilkinson, Founder & CEO of Cyber Marathons Solutions
So the key concept here is “continuous”…
Exactly. Your initial critical insights may come from the first ‘point in time’ assessment. After that, if you have a framework that allows you to continuously monitor the controls in place and the changes in the relationship with the third-party, it’s much more effective than doing an annual assessment, which over time yields less insight and is static in nature, while expensive to perform. This would tell you where you stand at a point in time, but how can you guarantee that form a security perspective you are OK for the remaining 364 days of the year?
The real value comes in understanding on an ongoing basis the security posture of the third-party.
Bob can be reached by email at email@example.com or mobile at 862-686-1210 and welcomes any and all comments to improve the dialogue regarding third-party risk management.
To learn how our ThirdPartyTrust platform can help you scale your TPRM program, request a demo now: