How to handle third-party security risk management
In this Help Net Security interview, Demi Ben-Ari, CTO at Panorays, talks about third-party security risk management and the repercussions of a third-party breach. He also discusses the Panorays platform that automates, accelerates and scales customers’ third-party security evaluation and management process.
Why is third-party security risk management so important?
In today’s hyper-connected world, organizations are highly dependent on third-party vendors to efficiently run their business. On the flip side, vendors that share your systems present security risks that can have serious legal, financial and business implications for your organization. Therefore, it is crucial to efficiently and effectively manage third-party security risk in your company.
To do so, you must have comprehensive, in-depth visibility into and control of third-party security risk. This requires you to assess and regularly monitor the flow of data within your systems and your vendors’ systems, and be aware of security issues and how to mitigate them. Unknown, incomplete or an inaccurate view of supplier risk leaves you vulnerable and can result in a security breach.
Adherence to security and privacy regulations and standards such as GDPR, CCPA, NYDFS and others require your vendors’ compliance. Ensuring your suppliers’ security aligns with the relevant regulations and standards, as well as with your company’s security policies, is no small feat.
The better handle you have on your third-party security evaluation and management process, the quicker and easier it will be for you to manage, mitigate and remediate risk, reduce the chances of breaches, ensure vendor compliance, improve your security posture and keep your business running smoothly.
We have seen devastating effects of third-party risk lately. What advice would you give to CISOs that aim to minimize risk as much as possible?
There are three proactive measures you can take today to help you minimize third-party or digital supply chain risk.
1. Build cyber resilience and recovery – You must understand your assets and map your vendors, which include external third-party services and tools that process or hold data. Automating the management of your third parties can streamline and accelerate this long and tedious process.
2. Identify important assets – Prioritize your assets by creating an inventory that includes your physical infrastructure and your virtual infrastructure (your vendors). Once you’ve identified and prioritized your assets, you need to create a system to monitor all of these assets so you have visibility into their dynamic and changing landscape.
3. Reduce third- & fourth-party risk – Each third party has its own infrastructure and its own third parties, which are your fourth parties. This makes it incumbent on you to also understand fourth-party risk for parties handling your data.
What could be the most notable repercussions of a third-party breach?
Just dealing with a vendor breach is stressful enough, but unfortunately the aftermath of a third-party security breach doesn’t end there.
First of all, they’re expensive! According to Deloitte, a vendor security breach can cost you between $0.5 to $1 billion—or even more. A security breach often results in loss of sensitive information, which may lead to lawsuits, regulatory fines and reputational damage to the company.
For any or all of these reasons, companies may not be able to ever recover from the devastation of a third-party security breach, which is why I cannot emphasize enough the importance of being proactive about your vendor security program.
What are the challenges organizations could expect when implementing third-party security risk management?
This is by no means an exhaustive list, but I’ll touch on some of the biggest frustrations that I hear about from people seeking my professional advice.
- Not knowing or having an inaccurate view of vendor risk leaves you vulnerable, so be sure that your third-party risk program is comprehensive and includes both dynamic security questionnaires with external attack surface assessments and business context. This will give you a quick and accurate view of supplier and fourth-party cyber risk.
- Manual questionnaires are laborious and make the process overwhelming. The time and effort it takes to do it right is stressful and often results in an incomplete or inaccurate view of supplier risk.
- In order to understand your vendors’ security posture, a vendor attack surface analysis is necessary, but many companies lack the resources to do this quickly and effectively.
- Not all risk is the same, but companies don’t always have an easy way to contextualize risk according to the business relationship. This may lead to an inaccurate portrayal of risk and wasted effort remediating an incorrectly overweighted risk.
- Underestimating the risk your vendors’ employees introduce to your company’s security posture is a huge blind spot and cyber gap for companies.
What kind of solutions does Panorays offer and what are the qualities of a successful third-party security risk management solution?
What’s unique about Panorays is that we offer an all-in-one, automated, comprehensive and easy-to-use third-party security platform that manages the whole process from inherent to residual risk, remediation and ongoing monitoring.
We are different in that we combine automated, dynamic security questionnaires with external attack surface assessments and business context to provide organizations with a rapid, accurate view of supplier cyber risk.
Panorays is the only platform that automates, accelerates and scales customers’ third-party security evaluation and management process, enabling easy collaboration and communication between companies and suppliers, resulting in efficient and effective risk remediation in alignment with a company’s security policies and risk appetite.