Managing Third-Party Risks: CISOs' Success StrategiesA Deep Dive Into How CISOs Tackle Tough Challenges
As more organizations rely on third parties for various services, managing the security risks involved is becoming a bigger challenge.
Among the toughest third-party risk management challenges are:
- Keeping track of the long list of outsourcers an organization uses and making sure they're assessed for security;
- Taking steps to minimize the amount of sensitive data that's shared with vendors - and making sure that data is adequately protected;
- Holding vendors to a uniform standard for security.
"For most organizations, there is still a long way to go in strengthening governance when it comes to vendor management," says Jagdeep Singh, CISO at InstaRem, a Singapore-based fintech company. "We need to look at the broader risk posture that vendors bring in ... which will determine the sort of due diligence you want to carry out."
Following are three case studies that illustrate how organizations around the world are tackling key vendor risk management challenges.
Case Study 1: Keeping Track of Vendors
Challenge: Keeping track of all the vendors used by all the departments within an organization can be a daunting task, especially if the organization has shifted to a decentralized approach for vendor onboarding.
"Earlier, we had a centralized approach where all the onboarding was done centrally," says Prakash Kumar Ranjan, IT security manager at CNH Industrial, a Netherlands-based capital goods company. "However, this delayed the business process and hence was done away with. Though this has resulted in faster and better vendor onboarding, now no single person or department has control or information on all vendors, resulting in a lack of visibility and lack of control."
Solution: To address this problem, Ranjan implemented a vendor security program. "This not only brings in visibility of vendors but also gives autonomy to departments to onboard vendors," Ranjan says.
Under the vendor security program, before any vendor handling critical personal information is onboarded, the department entering the contract shares details with the security team about the vendor and the services it offers. Other documents, such as a PCI assessment and details on subcontractors, also are reviewed by the security team. If concerns are identified, the team reaches out to the vendor, Ranjan says.
"It is important for the security team to understand the complete scope of services being offered by the vendor and also the existing security controls," he adds.
"These assessments are not one time but need to be carried out periodically by the security team based on the nature of service provided by vendors."
Roadblocks: Challenges can arise when an organization uses the same vendor to provide different services for different departments, Ranjan says. That's because risks could vary based on the services provided.
"For example, for a vendor providing a critical solution like CBS [core banking solution], the department needs to have escrow arrangements for the source code to be made with the vendor because if the vendor goes bankrupt or dissolves the business, the organization will suffer a huge loss as its major critical activity will be impacted."
Lesson Learned: Ranjan advises businesses to make sure the security team is involved early when outsourcing is being considered. "The security team also needs to understand that they should align with business goals and get involved from the start of vendor onboarding so that security is by design," he says.
Case Study 2: Ensuring Sensitive Data Is Protected
Challenge: Organizations often share very sensitive information with vendors hired to provide services. And making sure that data is protected can prove challenging.
"Even if contractually we transfer the risk to vendors, organizations across the spectrum are made responsible by regulators in the event of a breach," says Singh, the CISO at InstaRem. Even if a vendor is responsible for breach, the organization that hired the vendor generally bears the blame, he points out.
Solution: Organizations must carefully assess the data access rights each of its vendors actually needs, Singh says.
In addition, he says, "we need to understand what vendors do with the information shared with them and what the information life cycle is when it is handed over to a vendor."
Singh suggests that one should define timelines of projects and makes sure that data is destroyed once the project is over.
"Ultimately, it all boils down to vendor governance. The security team needs to drive governance and work closely with third parties to know how information is handled and ensure the right to audit whenever it's required," Singh says. "These steps help me understand that the baseline level of security of my vendor meets my expectations."
Although most of these factors can be covered in outsourcing contracts, Singh says, it's also important to have regular conversations with vendors to develop a better understanding of how they are protecting sensitive information.
Roadblocks: Some vendors may be reluctant to provide a great deal of detail on their data security procedures, Singh says. "If I think from a vendor's point of view, I can understand their discomfort. They handle multiple clients, and each one of us demanding process details can be a daunting task for them."
Lesson Learned: Singh says it's important to ask vendors only the most important security questions and not overwhelm them with demands.
"You can't follow up on everything with vendors. They will get frustrated," he says. "A lot depends on the criticality of a project and the criticality of information being handled."
Case Study 3: Security Assessments for Third Parties
Challenge: John Houston, CISO at UPMC (the University of Pittsburgh Medical Center), says that most conventional methods for assessing security capabilities of vendors don't work.
"We all send our third parties our security questionnaires. But, frankly, these questionnaires are of very limited value," he says. "They are time consuming for both the organization as well as the third party."
Solution: To address this issue, the health system in Pennsylvania requires its vendors to earn certification that they're compliant with the HITRUST security framework. The framework sizes up whether an organization complies with a variety of regulations and guidelines.
In addition, UPMC has joined with several other U.S. healthcare providers that are taking the same approach to form the Third Party Risk Management Council, hoping that more organizations will follow their lead in demanding that vendors meet high standards (see: CISO Council to Address Vendor Risk Management Challenges ).
Roadblocks: Some vendors push back when UPMC demands they achieve HITRUST certification, Houston acknowledges. "Such assessments exposes vendors for the limitations their security program have," he says. "As a result, we demand changes in their security programs. Rarely do they like it."
Lesson Learned: Houston says it's important for organizations to have high security expectations for their vendors. "As an industry we all must stick to our guns," he says. "Otherwise, the third parties can dictate the level of information security that they provide. Unfortunately, there is significant variation and maturity between our third parties' information security programs."