Accounting for Third-Party Risk in Strategic Planning

Town Hall Insights
Philadelphia CISO Community

Eric Zematis, Lehigh University
Nancy Hunter, Federal Reserve Bank of Philadelphia
Doug Mayer, WCG Clinical
Donna Ross, Radian Group


Third parties expose organizations to strategic, operational, financial, and compliance risks. In addition, security leaders have less visibility into third parties than into their own businesses. For many organizations, the pandemic exposed the fragility of the organization’s third-party network and impressed upon them the need to flex quickly to new third and fourth parties in the extended enterprise to meet demand without increasing risk exposure.

Recently, CISOs in the Philadelphia community gathered for a virtual discussion on how to account for third-party risk in their planning processes. CISO Eric Zematis of Lehigh University, Vice President and CISO Nancy Hunter of the Federal Reserve Bank of Philadelphia, CISO Doug Mayer of WCG Clinical, and Executive Vice President and CISO Donna Ross of Radian Group led the discussion for their CISO peers. 

The security leaders shared how they are standardizing third-party risk management assessments, creating visibility for third-party relationships, and mitigating the risks of their third-party networks. 

Actions CISOs Are Taking Now

The discussion leaders kicked off the session by sharing some actions they are currently taking to manage third-party risks. One CISO shared that his organization is conducting risk surveys for new vendors, along with security, technology, legal and privacy reviews. Another security leader mentioned that they are taking similar actions, plus their vendors have to comply with government regulations. To be fully compliant by government standards is difficult to achieve, which gives their team an upfront indicator about a new vendor.

Another CISO noted that his organization maintains a large vendor registry with a “robust vendor classification process,” indicating the level of risk that vendor represents to the company. There was general agreement that CISOs and their teams have to evaluate if what they read from vendors is also what they see and hear. 

One CISO said that certifications can be helpful in “driving ownership and accountability,” but also cautioned that there could be some level of “checking a box” on certifications. Another executive agreed that vendor documents “can become boilerplate… they’re standard now,” and additional vetting is required.

“We don’t just ‘trust’ [vendor] documents… We have to dive deeper.”


Collaborating Cross-Functionally on Mitigating Risk

One of the security leaders shared that their team is not considered the “owner” of third-party risk management. Rather, the ownership lives in Procurement, and responsibilities are shared across the security, HR and Legal departments, with the teams “working in parallel.” Another CISO shared that their team finds it essential to work across the business to create a culture around risk management, saying, “We partner early and often with other teams.” It is particularly helpful to identify strategic investments well in advance, giving all internal teams time to conduct reviews.

Another executive noted that internally people are starting to think about their software dependencies and questioning what they are using and why. As business resiliency becomes the focus, they are finding some consolidation of third parties or not having a vendor for multiple purposes around the organization. In general, security leaders agree that it’s necessary to work internally to create a culture of risk management and make sure that information security does not become a “formality.” 

Key Takeaways from the Discussion

  • Third-party risk management is fluid. Conducting risk assessments has changed over the past two years: GLBA has become more restrictive, and the focus has changed to ransomware. Risk assessments are also more holistic, involving business risk, financial risk, security risk, operational risk, legal and contracts, and HR and people risk. 

  • The volume of work has increased and is “people” intensive. Security leaders see wide adoption of GRC tools, scoring methodologies and scorecard tools. These can help with the workload, but additional due diligence is required. One CISO noted that scoring “helps to inform and supplement other things we are doing.” Some are adding protections to vendor contracts. One challenge is “rush requests” that require a quick turnaround for review.

  • Business resiliency is critical. Security leaders are thinking about ransomware's impact on the whole business and how quickly the business can recover. They increasingly collaborate cross-functionally with other business partners, such as Legal, and they may conduct tabletop exercises with suppliers.

  • CISOs are helping suppliers be successful. CISOs are ensuring that third and fourth parties are captured in the contract or SOW. They are educating others internally on supplier relationships to capture everything they need. They may also classify suppliers to draw attention to the most critical ones and conduct onsite reviews for the most important suppliers.

Continue the Conversation

Evanta’s Philadelphia CISO Community will be continuing this conversation in person at the Philadelphia CISO Executive Summit on November 15. 

Find your local Evanta CISO Community to connect with C-level executives from the world's leading organizations and discuss the most critical issues impacting security leaders today, or see when your CISO community is gathering next.
