Through our extensive research via our Feats of Strength publication and our Internal Research Department, K logix has successfully collected trends from over 150 distinguished security leaders in a variety of verticals in the security space. In this week's edition of "What CISOs Are Saying," we featured Mehan Kasinath, the VP of Enterprise Information Security at IAC and got his thoughts on the topic of third party risk. Third party risk is best defined as the potential risk that arises when companies rely on outside parties to perform services or actions on their behalf. By allowing these parties to access your data, you may be opening your organization up to additional threats. According to the security leaders we've profiled, there are ways to verify that you are choosing the best partners for your specific risk appetite. When it comes to third parties and ensuring you're picking the right solutions for your organization, here's what security leaders are saying:
When assessing vendors, security professionals must take a risk-based approach and centralize access as much as possible.
As for overcoming the challenges that come with onboarding vendors, Mehan Kasinath says that one of his tactics is reviewing vendor access policies. He comments, "We also try to centralize access as often as we can and grant it on an as-needed basis. Many of our peers are in similar situations and take similar steps. Your exposure to vendors has a lot to do with your business model. For example, some of our peers have very minimal vendor presence."
IAC also does vendor score reporting, where they evaluate vendors with a security questionnaire to get an idea of that vendor's position in the cyber security industry. Based on the answers they receive, they determine if a longer questionnaire is needed.
Brian Nesgoda, former CISO at Sikorsky, has a similar method for assessing third parties. He commented on page 16 of our June 2017 issue that his program "leveraged an advanced vendor management process and built a risk assessment questionnaire for all systems."
In order to reduce risk and manage the risk appetite of both your security program and your overall business, CISOs and other security professionals must implement a comprehensive process that evaluates and assesses their vendors.
Third party risk management and choosing the right vendor is becoming an increasingly important security function as businesses continue to rapidly transform.
Meg Anderson, CISO at Principal Financial, stated on page 15 of our June 2018 issue that "ever since the Target breach, regulators have been scrutinizing third party risk management practices. And especially with digital transformation, we're going to use more and more partners. The expansion of APIs has also made this very critical to get right. We need to know more about who we trust with our data and the data of our customers and employees."
As stated by Rich Licato, CISO at ARC, on page 15 of the same June 2018 issue, "It's an additional risk exposure because now their security posture is your security posture. Depending on the criticality of the vendor, it's really what you need to figure out."
As digital transformation continues at a rapid pace, ensuring that third party vendors hold themselves to the same security standards as your organization is crucial to reducing risk and retaining the trust of your customers.
One of the biggest cyber threats security leaders face when it comes to third parties is predicting and adapting to the unknown.
Kasinath states that "There is never a straight answer to the question of assessing third party vendors. Honestly, we can do as much scrutinizing with vendors, but there is always that lingering concern."
He comments, "We rely heavily on vendors to practice security to their best ability: almost all of our subsidiaries are consumer facing and we're constantly combining large volumes of logs and elevated security controls where possible. While assessments and risk-based approaches are critical in order to evaluate a vendor's risk posture, security leaders must be prepared for the unknown and be able to assume the risk of that vendor in accordance with the appetite of their organization."
In need of third-party risk help? K logix provides assessments around third-party risk. Our independent assessments address challenges around compliance, best practice, business transformation, or whatever is relevant to your organization and goals. Through our assessments, we provide customized workshops and measure against any framework, regulation, certification or industry benchmark. We go beyond providing just results by adding a strategic layer of guidance through prioritized roadmaps with time bands, executive-level presentations, and much more. To learn more about our assessments, drop us a line.
Drop us a line for more information on how we can work together to strengthen your program.
Want more? Read our latest issue of Feats of Strength that highlights Foundational Security and how to get back to the basics in this transformative time.