One of the most frequently debated topics in the disciplines of risk management and cybersecurity is how to effectively manage the risk posed by untrusted third parties in the supply chain. This is for good reason, as recent high-profile incidents involving third parties (e.g., the Kaseya,¹ SolarWinds,² Okta³ and Microsoft⁴ incidents) have impacted numerous enterprises and made it clear that the risk associated with third parties is substantial.
Despite this, many organizations continue to rely on ineffective solutions for managing third-party risk, such as third-party risk analysis services or the infamous customer security questionnaires. These are no longer sufficient, and as such, it is necessary to explore alternative solutions for achieving effective risk management.
Third-Party Risk Analysis Services
The inefficiency of third-party risk analysis solutions is due to their reliance on inaccurate data. In many cases, these solutions attempt to assess an enterprise's security posture using information readily available on the Internet. Typically, this information comes from sources such as public websites, email server settings and leaked credentials, all of which probably have nothing to do with the products and services an organization offers.
With the exception of certain Software-as-a-Service (SaaS) enterprises, software development teams often have little to do with an organization’s email servers or online presence. Instead, the majority of organizations outsource or externally host these services. There is no relationship between the vulnerabilities of a website or the settings of a mail server and the quality of the products produced and distributed by the enterprise. This gap also exists in other supposed security posture indicators (e.g., exposed credentials) which are often not associated with internal security processes and policies, but rather, with unrelated sites that had their data compromised.
In other words, what enterprises consider to be security posture indicators provided by third-party risk analysis platforms and solutions may not accurately reflect the true security posture of the organization.
Security Questionnaires
The use of security questionnaires is also an ineffective method of analyzing an organization's security posture. Several factors contribute to their lack of efficacy, but the most significant are:
- Some questionnaires are overly general. For example, a customer inquiring about an organization’s cloud practices when they only consume on-premises software provides no insight into the presumed risk, but generates more work for both the supplier and customer.
- Some questionnaires resemble the International Organization for Standardization (ISO) standard ISO 27001⁵ far too closely. Those who believe that certification implies security should simply request that certificate rather than relying on a questionnaire. Earning an ISO certification is more effective than having untrained analysts review sections of ISO 27001.
- Some questionnaires are too detailed. Instead of addressing the risk itself, they require technological safeguards such as access control techniques, password complexity settings and antivirus signature updates.
In addition, at no moment in the process is there any assurance that the answers on the questionnaire are provided by a knowledgeable individual and not an overzealous sales department. Finally, a significant number of questionnaires request notification within 24 to 48 hours if a security breach occurs. Expecting such a quick turn-around from small startups and organizations without a security department is an indication that questionnaires function as a checklist exercise and not genuine risk management.
With these inherent flaws, it is not uncommon to see misrepresentations of an organization’s security posture, maturity and controls, similar to when a salesperson is exceedingly eager to close a deal or when a vendor views cybersecurity as merely a box to be ticked before the transaction can be finalized.
Adding the questionnaire results as addenda to the contract, so that the supplier is contractually bound to its stated security practices and commitments, may be feasible, but only if the contract does not carry the typical limitation of liability clause with a cap that is quite low for a cybersecurity incident.
Is There a Solution?
Given the current state of security of most organizations as proven by continuous data breaches, it is clear that there is no easy solution to this issue. However, speaking generally, enterprises should start by assessing the risk associated with each third party individually.
Because not every outsourced service or product exposes the organization to the same level of risk, it is important to assess the likelihood that the outsourced service or product will become unavailable, or that sensitive information will be compromised. In other words, an organization must conduct a standard risk assessment. Most of the time, third-party risk does not justify the time-consuming completion of security questionnaires, contract negotiations and other similar tasks. If the risk assessment does not reveal any significant risk and the organization’s security certifications are acceptable, their existence and scope can be validated as an assurance control.
Another way to avoid the burden and theatrics of security questionnaires is for the customer to understand its own capabilities. Does it make sense to ask a large security enterprise, for example, to fill out a questionnaire when one's own capabilities and maturity level are limited?
The last option is to conduct an audit or discussion of the specific business processes that are risk-vulnerable or contribute to risk. This requires risk-aware personnel on both the vendor and customer sides, and this exercise, similar to any other risk management activity, should ultimately result in the creation of a remediation plan. The third-party contract could then incorporate this plan.
Although there is no universally recognized criterion that specifies what level of security is considered adequate, the EU General Data Protection Regulation (GDPR)⁶ contains provisions for sanctions, which can be paraphrased as "You will be fined if you did not do what you needed to do to have an appropriate security posture for the services you provide." This regulation allows data protection authorities (DPAs) to determine what is appropriate in each individual case. GDPR only applies to personal data, however, and does not cover breaches of non-personal data or other security incidents. Nonetheless, it remains the best available model and provides a solid foundation for future expansion.
The US Securities and Exchange Commission (SEC) made the correct choice when it updated and enacted new rules in July 2023 related to cybersecurity. As the US Sarbanes-Oxley (SOX) Act⁷ demonstrates, misrepresenting to the SEC is not something one would do carelessly. In light of this, the industry should grasp the opportunity to address the ineffective third-party risk management practices that are presently in place, and the SEC should put some weight behind these new rules.
Endnotes
1 Hill, M.; “The Kaseya Ransomware Attack: A Timeline,” CSO, 19 November 2021
2 FireEye, “Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With Sunburst Backdoor,” 13 December 2020
3 Page, C.; “Okta Confirms Another Breach After Hackers Steal Source Code,” TechCrunch, 22 December 2022
4 Reed, J.; “Lessons Learned From the Microsoft Cloud Breach,” Security Intelligence, 24 August 2023
5 International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC), ISO/IEC 27001–Information Security Management, Switzerland
6 Gdpr-info.eu, General Data Protection Regulation – GDPR
7 Sarbanes-oxley-act.com, “The Sarbanes Oxley Act”
Michalis Kamprianis, CRISC, CCSK, CISSP, ISO 27001 LA
Is a cybersecurity executive currently serving as the director of cybersecurity at Hexagon Manufacturing Intelligence. With a career spanning more than 25 years, he has held key roles across various industries. His expertise lies in cybersecurity, particularly as it relates to digitalization and digital transformation initiatives. Recognized as a dynamic change catalyst, Kamprianis assembles high-performing, multinational teams. He also actively mentors and educates emerging talent in the realms of risk management and cybersecurity.