How can you strengthen an enterprise third-party risk management program?
We sat down with Sean Cronin, CEO of ProcessUnity, to explore the challenges related to enterprise third-party risk today and in the future.
What are the most unexpected pitfalls for a CISO that wants to strengthen an enterprise third-party risk management program?
Ultimately, you need to understand where your program is today and build a plan to mature it. There are a lot of moving parts in a third-party risk management program. Most companies today are struggling with the work associated with the early phases of a program – the vendor onboarding process, the pre-contract due diligence and then the ongoing monitoring that must occur after a contract is signed. It’s critical to nail these processes first or you’re setting yourself up for failure.
Figure out where you are on the maturity curve first. Do you have an informal program that's just getting started? Is your team fighting fires in a reactive mode, or have you advanced your processes to a point where you're more proactive about reducing risk? If you're already mature and you're running an optimized program, it's all about continuous improvement. If you understand the weaknesses and opportunities at your current maturity level, it makes it easier to put a reasonable plan in place – one that prevents you from trying to take too big of a leap all at once.
Another pitfall is the wildcard that disrupts the proverbial applecart. This year, it’s COVID-19. Organizations are putting their programs on hold because they’re scrambling to reassess their vendors to ensure business continuity during the pandemic. More mature programs build a rapid-response mechanism into their programs, but less mature companies have to drop everything and react as best as possible.
How can an organization transform third-party risk into a competitive advantage?
Before third-party risk management can become a competitive advantage, businesses need to perfect the block-and-tackle basics of third-party risk management. This means having a comprehensive onboarding, due diligence and ongoing monitoring process. Getting those processes effective and efficient allows more time for risk teams to focus on the third-party risk management activities that can drive ROI for the company, including contract management, service-level agreements (SLAs) and performance management.
If your team has more time, they can spend it helping to negotiate better contracts with better financial terms or better services terms – maybe both. Your team will also have access to insights gained during due diligence and ongoing assessments. That data can be used to your advantage during initial negotiations or renewals.
There’s also an opportunity around SLAs. Build a library of SLAs, track where they are being used – on a contract-by-contract or vendor-by-vendor basis and then get your lines-of-business to submit metrics or evidence that results are within acceptable thresholds. Now you have an SLA-enforcement engine. No one wants to collect penalties for a broken promise, but the option is there. You also have the ability to forgo the penalty in exchange for something else – visibility into a product roadmap, input into a new feature, etc. SLAs are an important part of the vendor management process, but many organizations don’t have the time to use them to their advantage.
Finally, managing vendor performance is also a way to get a competitive advantage. If you work with the best vendors, you will get the best service and value. If you can swap out under-performing vendors with better ones over time, your company is going to be in a better place.
Third-party compromise continues to be one of the major drivers of data breaches worldwide. How can organizations make sure that the companies they work with are taking care of their security properly?
Lou Gerstner said it best, “You don’t get what you expect, you get what you inspect.” Hoping that your vendors, suppliers and third parties are just as buttoned-up as your company isn’t enough. The whole point of having a third-party risk program is to systematically assess new and current vendors over time. You need a mixture of self-assessments that the vendors complete and then you need to spot-check your higher-risk vendors with on-site controls assessments – live visits where you ask your vendors to prove they have the proper safeguards in place. It’s work that has to be done – you can’t take their word for it.
Unfortunately, even the best-run third-party risk programs may not be breach-proof – the idea is to prevent as much as possible and make it as hard as possible for a breach to occur.
If you have a strong program in place, you'll be in a better position to easily understand what was compromised should a breach occur. For example, in the first hour that a compromise was recognized, it would be great to know exactly what information that vendor owned – patient data, patient records, customer data, customer PII, customer credit cards, etc. A third-party risk management system can help to quickly and easily identify that.
Also, before the breach even happens, the increased due diligence and the periodicity with which organizations continue the evaluation of a third party will continue to drive risk out of that relationship. Ongoing monitoring of a vendor helps organizations better understand what their vendors are and aren't doing – policies, evidence of specific actions, etc. This develops a dialogue with the vendor to explain why specific actions need to be taken to help drive risk out of both organizations. And that's how organizations will be able to drive more secure relationships, more secure vendors and more secure providers.
How do you expect risk management strategies to evolve in the next decade? What’s new on the horizon and how can security leaders lay down the groundwork for increased compliance and security?
I was thinking about this a lot while at this year's RSA Conference. RSAC was very much about the firewalls and the four walls of any corporation; however, where security and risk will evolve is an increased importance on third parties. The second an organization puts any data into a third party, that risk is extended and creates vulnerabilities that are exponentially worse than what's within the firewalls or your own four walls.
In third-party risk specifically, we will see more teams incorporate external content into their third-party risk management programs to get a more holistic view of their vendor population. We will see a rise of utilities and consortiums – where a vendor is assessed once, and multiple organizations can access that assessment. This will allow for a quicker and more streamlined vendor onboarding process. Vendor assessment questionnaires will also continue to evolve. Today, we have questionnaires that can self-scope based on inherent risk levels and self-score based on a set of preferred responses. This is the start of machine learning and eventually AI for third-party risk.
That's the next horizon. And it's exciting because security leaders are seeing the increased importance of that third-party supply chain and vendor ecosystem as part and parcel of their reputational risk and their overall organizational risk.