Analyst firm Gartner recently published their 2020 Board of Directors Survey, and in it they predicted that 40% of corporate boards will have a dedicated cybersecurity committee by 2025, up from a surprisingly low 10% of boards today. Driving this growth is the increased risk that comes from an expanded digital footprint as organizations accelerate their digital transformations as a result of the pandemic.
The report goes on to say that cybersecurity-related risks ranked second to regulatory compliance risk in importance to boards of directors. However, considering that 63% of breaches (like SolarWinds) are attributed to third parties, and supply chain failures have increasingly widespread impacts, corporate boards would be wise to ensure that their increased focus on cybersecurity issues includes the risk of doing business with third parties.
Here are three considerations security leaders should weigh as they expand the scope of their cybersecurity programs to incorporate third-party risk management.
Improve third-party pre-contract due diligence
Assessing the risks that third parties bring to your business shouldn’t begin once you have signed the contract. Instead, security and procurement teams should be reviewing known risks in potential vendors during the sourcing and selection stage of the vendor lifecycle. Unfortunately, though, only 31% of companies conduct thorough pre-contract due diligence, indicating there is a long way to go to overcome this obstacle. As security teams (and for that matter their procurement partners) examine how to improve pre-contract due diligence, consider the following best practices:
- Look for libraries of completed risk profiles to accelerate vendor comparisons. Risk profiles are typically completed by vendors using a standard, industry-accepted questionnaire (which makes vendor comparisons easier) and then shared within a network, where companies that plan to evaluate a vendor can review them. Since the questionnaires tend to be completed annually, it’s important to augment them with real-time cybersecurity risk scores to capture important updates.
- Extend pre-contract analysis beyond traditional cybersecurity domains. This might seem counterintuitive to cybersecurity professionals, but there are plenty of indicators that a company could be a cybersecurity risk if they display certain business or financial performance trends. For example, a regulatory filing against a company might indicate lax cybersecurity controls. Or, missed revenue goals could indicate personnel cuts (which can cause insider risks).
- Once a decision has been made on a vendor and they are onboarded, implement inherent risk scoring so you have a picture of untreated risk, can tier those suppliers accordingly, and can then set appropriate levels of diligence going forward.
Assess and monitor third parties continuously
Third-party risk management can’t be a one-and-done task. It needs to be a continuous process built into the risk DNA of the enterprise. However, most organizations are easily tripped up when performing vendor risk assessments: half are still using manual spreadsheets to manage their vendors, and a further 34% say it takes over a month to complete an assessment of a top-tier vendor. This traditional static annual assessment approach must give way to a more dynamic process that incorporates real-time risk metrics. Agility should be the order of the day in assessing third parties. To achieve that, security leaders should consider:
- Comprehensive options to assess vendors. A single rigid questionnaire likely won’t meet the requirements of assessing a diverse supplier base. That’s why it’s important to leverage multiple questionnaire types that address myriad compliance requirements, or one central automated questionnaire that flexibly maps results to any number of regulations. This will enable security teams to meet multiple internal audit and external reporting requirements much faster than with their current manual methods.
- Expanding the scope of assessments to include areas such as brand, operational, environmental, social and governance (ESG), reputational, and financial information. Cybersecurity risks rightly take precedence in assessing third parties, but assessing these other domains on a regular basis provides a much more comprehensive picture of vendors and demonstrates that your enterprise takes risk seriously.
- Correlating assessment results against real-time cyber monitoring. A lot can happen in between assessments. And while it’s easy enough to use multiple different tools to gain a bird’s-eye view of vendor risk, the real value comes when you can combine and normalize results to validate the controls vendors report in their assessments. Once a discrepancy is identified, you can trigger additional actions – such as sending a supplementary assessment – to further investigate findings with your third party. This continuous loop provides much more complete risk treatment.
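The inherent risk scoring and tiering described under pre-contract due diligence, and the correlation of questionnaire answers against monitoring signals described in the last item above, can be expressed as a small scoring model. The following is an added example, not code from the original article or from any vendor platform; the factor weights, tier thresholds, control-to-signal mapping, credit per corroborated control, and the two vendor records are all constructed sample values chosen for illustration.

```python
"""Inherent risk tiering and assessment/monitoring correlation for vendors.

Added illustration; all weights, thresholds and vendor data are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Inherent (untreated) risk factors and their weights on a 0-100 scale (assumed).
INHERENT_WEIGHTS: Dict[str, int] = {
    "handles_pii": 30,        # vendor processes personal data
    "network_access": 25,     # vendor has a connection into our environment
    "business_critical": 25,  # outage would halt a core business process
    "subprocessors": 10,      # vendor relies on fourth parties
    "cloud_hosted": 10,       # vendor runs on shared infrastructure
}

# Minimum inherent score for each tier and the diligence that tier receives (assumed).
TIER_RULES: List[Tuple[int, str, Dict[str, object]]] = [
    (70, "tier-1", {"questionnaire": "full", "reassess_months": 6, "monitoring": "continuous"}),
    (40, "tier-2", {"questionnaire": "standard", "reassess_months": 12, "monitoring": "continuous"}),
    (0, "tier-3", {"questionnaire": "lite", "reassess_months": 24, "monitoring": "periodic"}),
]

# Questionnaire control -> (external monitoring signal, maximum observed value that
# still corroborates a "yes" answer). Hypothetical control and signal names.
CORROBORATION: Dict[str, Tuple[str, int]] = {
    "tls_hardened": ("weak_tls_endpoints", 0),
    "patch_sla_30d": ("open_critical_cves_over_30d", 0),
    "no_exposed_admin": ("exposed_admin_panels", 0),
}
CONTROL_CREDIT = 10  # residual-score reduction per corroborated control (assumed)


@dataclass
class Vendor:
    name: str
    factors: Dict[str, bool]                        # inherent risk factors present
    questionnaire: Dict[str, str] = field(default_factory=dict)  # control -> "yes"/"no"
    monitoring: Dict[str, int] = field(default_factory=dict)     # signal -> observed count


def inherent_score(vendor: Vendor) -> int:
    """Untreated risk: sum of weights for every factor the vendor exhibits."""
    return sum(w for f, w in INHERENT_WEIGHTS.items() if vendor.factors.get(f, False))


def tier_for(score: int) -> Tuple[str, Dict[str, object]]:
    """Map an inherent score to a tier and its diligence requirements."""
    for threshold, tier, diligence in TIER_RULES:
        if score >= threshold:
            return tier, diligence
    raise ValueError(f"score out of range: {score}")


def corroborated_controls(vendor: Vendor) -> List[str]:
    """Controls the vendor claimed that the monitoring signal supports."""
    found = []
    for control, (signal, max_ok) in CORROBORATION.items():
        observed = vendor.monitoring.get(signal)
        if vendor.questionnaire.get(control) == "yes" and observed is not None and observed <= max_ok:
            found.append(control)
    return found


def contradicted_controls(vendor: Vendor) -> List[dict]:
    """Claimed controls that monitoring contradicts; each becomes a follow-up action."""
    actions = []
    for control, (signal, max_ok) in CORROBORATION.items():
        observed = vendor.monitoring.get(signal)
        if vendor.questionnaire.get(control) == "yes" and observed is not None and observed > max_ok:
            actions.append({"vendor": vendor.name, "control": control, "signal": signal,
                            "observed": observed, "action": "send_supplementary_assessment"})
    return actions


def residual_score(vendor: Vendor) -> int:
    """Credit is only given for controls that are both claimed and corroborated."""
    return max(0, inherent_score(vendor) - CONTROL_CREDIT * len(corroborated_controls(vendor)))


def assess(vendor: Vendor) -> dict:
    """One assessment record: inherent score, tier, residual score and open actions."""
    score = inherent_score(vendor)
    tier, diligence = tier_for(score)
    return {"vendor": vendor.name, "inherent_score": score, "tier": tier,
            "diligence": diligence, "residual_score": residual_score(vendor),
            "actions": contradicted_controls(vendor)}


def build_sample_vendors() -> List[Vendor]:
    """Constructed sample records (fictional vendors)."""
    return [
        Vendor("Acme Payroll",
               {"handles_pii": True, "network_access": True, "business_critical": True},
               {"tls_hardened": "yes", "patch_sla_30d": "yes", "no_exposed_admin": "yes"},
               {"weak_tls_endpoints": 3, "open_critical_cves_over_30d": 0, "exposed_admin_panels": 0}),
        Vendor("Widget Swag", {"cloud_hosted": True, "subprocessors": True}),
    ]


if __name__ == "__main__":
    for v in build_sample_vendors():
        print(assess(v))
```

Note that a control the vendor claims but that monitoring cannot observe earns no credit either way: it is neither corroborated nor contradicted, which keeps the residual score honest about what has actually been validated.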
Unify siloed teams through third-party KPI and KRI reporting
Effectively reducing vendor risk requires an understanding of how vendors are performing against expectations, both security-related and performance-related. However, tracking cybersecurity metrics and vendor performance typically happens in silos between the security and procurement teams, a common stumbling block. Unifying these teams around a single source of truth will deliver the visibility necessary to manage and track security performance across the vendor lifecycle. Consider the following reporting best practices:
- Enable vendors to submit updates proactively. Event notifications related to data breaches, for example, will enable the team to dynamically adjust vendor risk scores based on the results and can inform regular KRI and incident response discussions.
- Provide a centralized dashboard that includes vendor contract status, contact information, risk and compliance status, and performance metrics. This lets the team track the resolution of issues throughout the remediation process, show risk-reduction progress over time, and report against KPIs.
- Deliver stakeholder-specific reporting. In a few clicks you should be able to produce reporting for everyone from an IT security analyst assessing a vendor to a board member evaluating the overall risk landscape. For security teams, that means having the flexibility to report on outliers warranting further investigation or on score changes. For the board, that means visualizing compliance and risk status against regulatory and industry frameworks.
As more and more corporate boards establish dedicated cybersecurity committees, it will be essential to ensure that third-party risk is a focus of that team. To raise third-party risk visibility, it’s recommended that security teams conduct more thorough pre-contract due diligence to head off risks before they impact the business; assess and monitor in real-time to stay on top of risks; and unify disparate teams through reporting.