GUEST ARTICLE
Are you as CISO doing enough today to mitigate your third-party security risks?
By Marc Vael
In today’s complex cybersecurity landscape, one of the critical responsibilities of a modern CISO is to manage third-party security risks effectively. As organizations increasingly rely on third parties for business and IT operations, the exposure to potential security threats from these external partners has risen dramatically. This trend is evident from recent high-profile incidents, such as the CrowdStrike software patch crisis on July 19th, 2024, which led to a Blue Screen of Death (BSOD) and caused widespread disruptions across multiple industries worldwide, including airports and airlines, supermarkets, media companies, and banks.
Outsourcing cybersecurity functions to third parties has become a common practice nowadays, with these external providers often selected as experts in their field. However, while these partnerships can bring significant benefits, they also introduce a series of new risks. Managing these risks effectively requires a robust Third-Party Risk Management (TPRM) process that goes beyond mere compliance with legal, regulatory, and global standards.
TPRM Explained
TPRM is the process your organization uses to manage the strategic, tactical, operational, financial, logistical, and reputational risks associated with using third parties and to verify that they comply with specific laws, regulations, and global standards to avoid negatively impacting your organization.
Here are some key security risks associated with third-party relationships:
1. Security accountability
If a third party fails to comply with security laws, regulations, or global security standards, your organization could face severe consequences, including fines and penalties, operational disruptions, and reputational damage.
2. Reliance on external security
Outsourcing security functions can be cost-effective, but it also means that a security incident at a third party—or even one of their suppliers—can directly impact your operations and data security.
3. Dependence on external IT Disaster Recovery and Business Continuity Plans
If a third party experiences an outage, your entire business could be disrupted. Bugs, human errors, infrastructure failures, or cyberattacks can have a cascading effect on your productivity, and resolving these issues is often beyond your control. Maybe it is wise not to “put all your eggs in one basket”?
4. Lack of strategic security alignment
Third parties have their own business priorities, which may not always align with your organization’s security goals. This misalignment can leave you unprepared for potential security gaps.
Not every third-party relationship requires a comprehensive risk assessment, but all should be documented in your third-party register. Ultimately, your organization’s board and executive leadership are accountable for approving the TPRM policy and setting the “tone at the top”. As CISO, the challenge of protecting your organization from third-party security threats falls squarely on your shoulders since everyone else expects you to keep the business secure in terms of confidentiality, integrity, and availability.
For critical third-party relationships, there are at least five areas you must focus on:
1. Assessing the real cybersecurity controls in place
Do you fully understand the cybersecurity controls in place at your critical third parties? You can start by reviewing their most recent compliance reports, gathering relevant client references, assessing liability and insurance, and conducting thorough background checks. SOC 2 reports, independent third-party risk assessments, and dynamic security questionnaires are crucial tools in this process. But remember, your third-party risk assessment is only as effective as the information it relies on.
2. Ensuring the right number of qualified personnel in place
The current job market is volatile, with security personnel frequently changing roles. Do you know if your critical third parties have enough qualified personnel to deliver the services your organization relies on? Relying on a single “magic bullet” expert at a third party is “very high risk”.
3. Validating fourth & fifth parties
Do you know who your third parties rely on to deliver their services? Even though you may not have direct contracts with fourth or fifth parties, their actions can still impact your organization’s security posture. Ensure you have visibility into these relationships. This is not just relevant for privacy controls (sub-processors), but also for security risk assessment.
4. Testing Incident Handling and Continuity Plans
How recently have your critical third parties tested their incident escalation, IT disaster recovery, and business continuity plans? Independent audits and regular tests are essential to ensure these plans are effective. Critical third parties should disclose breaches to you (often within 12 to 24 hours).
5. Managing the offboarding process
What happens when your relationship with a third party ends? The “end game” of any contract will come, and it is often conveniently “forgotten”, but it is especially important for you as CISO. Ensuring a secure and complete offboarding process is crucial to prevent unauthorized access to, or misuse of, your data after the contract ends.
To stay ahead, leverage CISO networking communities where you can confidentially share and gather peer experiences about specific third parties. Additionally, consider using tools that automate third-party risk management tasks, such as monitoring open-source intelligence feeds, assessing control implementation, and continuously tracking vulnerabilities and cybersecurity incidents at the third party.
TPRM is not a one-time task but an ongoing process of assessment, mitigation, monitoring, and reassessment. The risk profiles of your critical third parties will evolve over time due to changes within their organizations, market conditions, geopolitical issues, and regulatory developments. Regularly updating these risk profiles is essential to maintaining a strong security posture. For a CISO, being alerted on time, before executives or board members start asking questions, is key.
As CISO, your role is to ensure that third parties meet their obligations to your organization and to provide informed recommendations to your board and executive leadership. If a critical third party is underperforming, you as CISO must be prepared to suggest alternatives before the situation escalates into a crisis, and thus before the board of directors, executive management, and business leaders come looking to you for answers.
Third-party vulnerabilities are becoming more widespread in modern business, even at established, well-respected (security) service providers working with the largest multinationals in the world. Each organization has its unique risk tolerance, and what is acceptable for one might not be for another. While managing third-party risk is a collective responsibility, as CISO you must lead the security risk review and ensure that risks remain within acceptable levels.
The last thing you want to be is the CISO who dropped the ball on addressing a specific third-party security risk that became a major security crisis impacting your entire organization.