3 ways to shore up third-party risk management programs
A new Nemertes research study shows enterprises need to adopt third-party risk management programs that jettison manual checklists in favor of automated tools, hands-on risk assessments and dedicated risk teams.
It's hardly news that the enterprise technology paradigm has shifted from on premises to cloud plus mobile. According to Nemertes Research, this is the year the majority of workloads will be in the cloud versus in on-premises data centers.
More broadly, technology is moving from physical (servers and data centers) to virtual (virtual machines, containers and public or private cloud services). In addition, supply chains are increasingly global and opaque, which means an enterprise has less and less insight into where its products and services originate or whose hands they pass through before arriving.
All of this changes the game for cybersecurity professionals and nowhere more than in the practice of third-party risk management programs and the best practices they should include.
Third-party risk management programs refer to the practice of validating the cybersecurity technology, processes and practices of third parties that do business with the enterprise. These third parties are typically suppliers, but they can also be customers, distributors or any other organization that potentially can compromise an enterprise's cybersecurity.
Three changes needed to manage third-party risk
Today's paradigm shifts have several implications for cybersecurity professionals in charge of third-party risk management programs.
First, third-party risk managers need to increase their hands-on involvement in critical risk assessments. According to Nemertes' new 2019-2020 Cloud and Cybersecurity Research Study, only 14% of organizations conduct hands-on risk assessments. That needs to change, at least for services enterprises consider critical.
Case in point: Last fall, Amazon reportedly detected a physical bug on server boards from Super Micro Computer, a U.S. company founded by Chinese immigrants. The chips appeared to have been placed there by unauthorized third parties -- believed to be Chinese hackers -- for the purpose of injecting malware into the servers.
Here's the kicker: Amazon allegedly discovered the hardware hacks in the context of purchasing Elemental, a video compression software startup that had contracts with major U.S. defense intelligence agencies. Amazon discovered the bug while conducting a hands-on check.
The point? If the stakes are high, don't just take the supplier's word for it during a paper audit. You need to conduct a physical or hands-on test of the hardware or software or during a walkthrough of the facilities.
Second, even those paper audits need to be automated. Nemertes research study revealed more than half (58%) of organizations only ask third-party suppliers to complete a checklist, either on a one-time basis or annually. That's not good enough.
Almost a quarter (23%) of organizations surveyed by Nemertes said risk is a critical factor in workload placement -- they rate it a 10 out of 10 in importance.
A slew of automated risk management and risk assessment tools are on the market, and more emerge daily. Companies like UpGuard, Optiv, RiskRate, Capterra and others make the process more automated. Ideally, whenever a third party undergoes significant changes in technology, processes or policies, those changes should be reflected automatically in its risk rating, and risk management professionals should be proactively advised. The tools help make that happen.
Finally and most importantly, none of this will happen unless risk management becomes a serious discipline in its own right. Almost a quarter (23%) of organizations studied by Nemertes said risk is a critical factor in workload placement -- they rate it a 10 out of 10 in importance. Workload placement refers to where a computing workload executes in the organization -- on premises or in a public cloud. Yet, most organizations lack a focused and funded team that specializes in third-party risk management program and has the technical chops, executive support and budget to ensure success.
Bottom line: Risk management matters. If you're still using a manual paper audit centered on checklist completion for your third-party risk assessment program, now is an excellent time to rethink your approach to include a mix of automation and hands-on assessment.
Enterprises concerned about third-party risk management programs that still use manual paper audits need to rethink a best practices strategy that includes automation and hands-on risk assessment.
