Serg Nvns - Fotolia
It doesn't matter how securely an enterprise locks down its systems if trusted third parties can't be trusted to protect their own security. As organizations increasingly rely on a growing contingent of suppliers, customers, contractors and other third parties to securely access their sensitive resources, third-party risk management is necessary to prevent attacks on those resources.
Developing a strong cybersecurity defense in depth should be a priority for enterprises, but the effort can't stop at the increasingly porous network perimeter. Organizations that extend their security stance to encompass the trusted -- and untrusted -- third parties who access enterprise network resources will be better positioned to avoid increasingly persistent attackers trying to exploit vulnerabilities.
In a recent Q&A, Jon Oltsik, senior principal analyst at Enterprise Strategy Group in Milford, Mass., and founder of the firm's cybersecurity division, explained what third-party risk management is and what the greatest challenges are in managing that risk.
Editor's note: This interview was edited for length and clarity.
What is third-party risk management, and what should people know about it?
Jon Oltsik: Third-party risk management is assessing risks associated with anyone that you do business with, specifically online. Let's say you're a supplier of mine, and I've set up my inventory systems to automatically order parts from you when my supplies get low. That's just-in-time inventory management, but it's done electronically to maximize efficiencies on both ends.
That's good from a business perspective. But what if you don't patch vulnerabilities, you hire suboptimal staff or you don't have enough staff people, and you generally underinvest in security? You're linked to my systems, so that presents a tremendous risk to me.
That's just one example. A few years ago at RSA, I hosted a panel, and one of the members of the panel was the CISO of Boeing. He told me that Boeing has identified 400 critical suppliers, and his main concern was the security of those 400 companies. You can see the scale associated with that -- I don't control my partners' systems, but those systems have direct links to my systems. How do you manage that effectively? That's really what third-party risk management is all about.
How is third-party risk management evolving, and how can cybersecurity professionals adapt?
Oltsik: The way that we managed this in the past was you provided my company with widgets, and I qualified a bunch of different suppliers, and you won the contract. Then, I would say, 'OK, please fill out this form and answer all these questions about your security, and then send it back to me.' You'd answer the questions to the best of your ability, and you'd send it back to me. And that would be it.
That's the way I would assess risk, and I would probably do that on an annual basis. But that's not a good reflection, because I'm trusting your judgment. Even if you are trustworthy, you might make some mistakes. Secondarily, once you send me back that piece of paper, henceforth for the next 364 days, things are changing in your environment. So, I'm not assessing risk accurately.
How can you get a more accurate assessment of third-party risks?
Oltsik: There are lots of ways I can do that. I can audit your systems on a periodic basis -- even a surprise audit on my discretionary times, not yours.
More recently, there are vendors like SecurityScorecard and BitSight that provide some insight based on what they can scan on the public network as to your vulnerabilities. So, I may subscribe to those services and get a better view of risk that way.
It's tricky, but those are the kinds of things people need. And the big challenge is just visibility: How do I get visibility into your system so that I can at least understand what the risks are and then collaborate with you on risk mitigation?