Cyber Risk Management - Trust but verify
A key activity in setting up any new relationship with a third party is to assess any cyber risks to decide whether it is safe to proceed. A cyber risk assessment also ensures that both parties can agree on terms and conditions in any agreements related to managing cybersecurity risks.
In the world of cyber risk management, this means getting some proof that sound security management practices are in place.
Let’s ask lots of questions
The use of questionnaires has been a traditional method used to assess the security management practices of third parties. While this may seem like a great approach, there are quite a few pitfalls. Here are some of the common issues:
The person responding may not have the skills to comprehend the questions and provide correct answers. This is especially true if the third party’s security practices are immature.
The person responding to the questions may not be truthful. The responder is motivated to win new business and knows that telling the truth may jeopardise the deal.
The answers might be factual, but only at that moment. Unfortunately, organisations often take a ‘set and forget’ approach when setting up a new relationship with third parties and fail to do periodic checks to discover whether the risks have changed.
The scope of the questions is flawed. Questionnaires are often designed to be all-encompassing so they can be applied consistently across all third-party assessments. It’s not uncommon to see over 100 questions. Many may not be relevant to the scope of the relationship, e.g. the relationship might be a low-risk one with limited data sharing and integration.
The questionnaire may be overly intrusive. It’s not uncommon to see questions that ask you to disclose sensitive information that you are not willing to share, e.g. copies of internal procedures and other valuable intellectual property.
At the end of the assessment process, do you really have a complete view of the effectiveness of the third party’s security practices and capabilities? Or have you just got a ‘tick in the box’ by using a process to get a contract signed? It often feels this way.
Trust but Verify
Many organisations realise that relying on questions and answers does not provide a clear understanding of the security capabilities of their third parties. These organisations have adopted a “Trust but Verify” approach.
To address this, organisations adapt their questionnaires to ask for evidence to support the answers. Alas, this approach adds further complications…
It adds more time and effort to prepare the answers.
It means sharing sensitive information or intellectual property.
Will the assessor analyse the outputs? How will they assess whether the information provided is adequate in providing the necessary assurance?
Getting another opinion
Another approach organisations consider is relying on an independent organisation to vouch for the security management practices of a third party.
This approach means asking for evidence such as an ISO27001 Certification, a SOC2 Type 2 report, or an independent party preparing other forms of audit reports. Some concerns to consider:
Do you trust the independent assurer?
Is the independent assessor just doing what you would have done (get a third party to respond to a questionnaire)?
Was the scope of that assessment relevant to the relationship?
What testing did the independent assessor do to get evidence?
These assessments are only valid at that moment. Has the situation or environment changed?
Many smaller third parties cannot afford the expense of getting an independent assessment or a formally recognised certification.
Taking an automated data-driven approach to cyber risk assessments
Enter the Security Rating and Cyber Risk Assessment providers. There is an emerging market of service providers that can rate the security posture of third parties.
This approach goes one step beyond questionnaires. These service providers collect and analyse telemetry and data points. Some types of information they analyse are vulnerability scan results, threat intelligence data, and public domain information. They use this information to calculate a cyber risk rating and provide a detailed report.
These assessment platforms are also evolving to offer new options to deliver web portals and workflows that automate the questionnaire process and make the results easier to share among trusted parties. This data is combined with telemetry data to provide a more complete view of the security posture of third parties.
This approach offers a step toward continuous assurance because the data is kept up-to-date via automated data collection and analysis. This also adds the possibility for real-time alerts to be sent to key stakeholders when there is any significant change in the cyber risk profile of the third party.
So, what do we really want?
A better option is to establish an ability to continuously monitor a third party’s systems to discover vulnerabilities and detect security events or incidents.
We need to start building requirements into contracts to enable new ways to share real-time vulnerability and security event data to achieve this goal. That does mean deeper integration between parties.
Historically, it would have been very punitive, costly and time-consuming to achieve this objective. However, modern software engineering approaches are opening new opportunities to achieve this outcome. The use of APIs to exchange data is the new norm. This can be used to share security-related information to improve the management of cyber risks.
Cloud hosting providers like Amazon, Microsoft, and Google offer APIs to achieve this outcome. But what about SaaS providers?
Many third-party relationships that organisations have are relationships with SaaS providers to support critical business processes such as customer relationship management, corporate applications such as HR and Finance, and collaboration management.
Many SaaS platforms are still running as ‘black boxes’. That means the customer has no idea whether the cyber risks related to their data have changed. It also means the customer does not know whether there has been an incident or breach until the SaaS provider notices and chooses to notify them.
Organisations that rely upon SaaS providers need to ask more. Some leading SaaS platforms are more forward-thinking and run on the principle of openness and transparency. They now provide APIs to enable enterprises to integrate their security monitoring capabilities to enable real-time continuous assurance and security event & incident management.
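The continuous-assurance idea described above (a rating provider pushing alerts on significant changes, and a SaaS provider exposing security events over an API) can be reduced to a small consumer-side evaluation loop. The following is an added example written for this article, not code from any rating provider or SaaS platform; the feed format, field names and thresholds are all assumptions, and the feed content is constructed. It takes the latest feed for one third party, compares it with the previously recorded rating, and raises alerts for a significant rating drop, a stale rating (the "only valid at that moment" problem), and new high-severity vulnerabilities or incidents, while remembering which events it has already reported.

```python
"""Consumer-side evaluation of a third party's continuous-assurance feed.

Added example for this article. The feed layout (rating, rated_at, events[])
is a hypothetical format, not any real provider's API.
"""
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed thresholds; tune them to your own risk appetite for the relationship.
RATING_DROP_THRESHOLD = 50        # a drop of this many points counts as significant
STALE_AFTER = timedelta(days=7)   # a rating older than this no longer gives assurance
ALERTING_SEVERITIES = {"critical", "high"}


@dataclass
class Alert:
    kind: str     # rating_drop | stale_rating | vulnerability | incident
    detail: str


def parse_feed(raw: str) -> dict:
    """Parse the constructed JSON feed; unknown fields are ignored."""
    doc = json.loads(raw)
    return {
        "rating": int(doc["rating"]),
        "rated_at": datetime.fromisoformat(doc["rated_at"]),  # tz-aware ISO 8601
        "events": list(doc.get("events", [])),
    }


def evaluate_feed(previous_rating: int, raw_feed: str, now: datetime,
                  seen_event_ids: set) -> list:
    """Return the alerts a stakeholder should receive for this feed snapshot.

    seen_event_ids is mutated so that an event is only alerted on once,
    which keeps a daily poll from re-raising the same incident every day.
    """
    feed = parse_feed(raw_feed)
    alerts = []

    drop = previous_rating - feed["rating"]
    if drop >= RATING_DROP_THRESHOLD:
        alerts.append(Alert("rating_drop",
                            f"rating fell {drop} points to {feed['rating']}"))

    if now - feed["rated_at"] > STALE_AFTER:
        alerts.append(Alert("stale_rating",
                            f"last rated {feed['rated_at'].date()}; re-assess"))

    for event in feed["events"]:
        if event["id"] in seen_event_ids:
            continue
        seen_event_ids.add(event["id"])
        if event["type"] == "incident":
            alerts.append(Alert("incident", event["summary"]))
        elif (event["type"] == "vulnerability"
              and event.get("severity") in ALERTING_SEVERITIES):
            alerts.append(Alert("vulnerability",
                                f"{event['severity']}: {event['summary']}"))
    return alerts


# Constructed sample feed for a hypothetical vendor, nine days old at NOW.
SAMPLE_FEED = json.dumps({
    "rating": 640,
    "rated_at": "2024-05-01T09:00:00+00:00",
    "events": [
        {"id": "evt-1", "type": "vulnerability", "severity": "critical",
         "summary": "internet-facing service missing vendor patch"},
        {"id": "evt-2", "type": "vulnerability", "severity": "low",
         "summary": "informational TLS configuration finding"},
        {"id": "evt-3", "type": "incident",
         "summary": "vendor reported unauthorised access to a support tenant"},
    ],
})
NOW = datetime(2024, 5, 10, tzinfo=timezone.utc)


def run_demo() -> list:
    """Two polls of the same feed: kinds alerted on the first and second pass."""
    seen = set()
    first = [a.kind for a in evaluate_feed(720, SAMPLE_FEED, NOW, seen)]
    # Second poll: rating unchanged since last record, events already seen.
    second = [a.kind for a in evaluate_feed(640, SAMPLE_FEED, NOW, seen)]
    return [first, second]


if __name__ == "__main__":
    for pass_no, kinds in enumerate(run_demo(), start=1):
        print(f"poll {pass_no}: {kinds}")
```

The de-duplication set is the part that matters operationally: without it a daily poll turns every open incident into a daily page and the stakeholders stop reading the alerts. In production the set and the previous rating would be persisted per third party, and the stale-rating check is what turns a point-in-time assessment into a standing obligation to re-assess.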
We, as consumers of SaaS solutions, need to make this the ‘new normal’. We should be asking for this as part of our procurement and assessment activities. You don’t get what you don’t ask for!
The threat actors are agile in adapting their tactics and techniques to seek their objectives such as theft or modification of data for financial gain. Organisations and their third parties must meet this challenge by creating much stronger methods to integrate security management practices to counter the threat.
The use of questionnaires and independent assurance processes is useful when assessing the maturity and adequacy of security management practices when establishing new relationships with third parties.
Ideally, the relationship organisations must strive to establish is one of mutual trust where real-time information is shared to quickly identify vulnerabilities and rapidly detect/respond to security incidents.