Brad Keller, JD, CTPRP, Senior Director, Third-Party Strategy, Prevalent Networks, examined third-party vendor risk management and how today’s businesses can bridge gaps in a cyber security program in his presentation to Argyle’s CISO membership at the 2017 Chief Information Security Officer Leadership Forum in New York on Feb. 2. In his presentation, “A Smarter Approach to Third-Party Vendor Risk Management,” Keller provided tips to help businesses identify and address third-party vendor cyber security threats.
According to Keller, the success or failure of a business’ cyber security program often is dictated by the company’s third-party vendors.
“Your cyber security program is only as secure as the cyber security program of your key and critical business partners,” Keller stated. “[Your third-party vendors] are your critical business partners, and they’re the key to [your cyber security program].”
Companies must find out how their third-party vendors handle cyber security dangers. If a company uses a third-party vendor that lacks the necessary cyber security programs and protocols, the business, its employees and its customers may be at risk.
“Not only do you have to manage [your cyber security program], but you need to make sure that your partners are managing [your program] as well,” Keller noted. “If you’re struggling with [cyber security], imagine what’s happening with your vendors.”
Furthermore, Keller stated many businesses understand that cyber security threats exist, but few companies know how to address such issues effectively. The lack of cyber security insights – and the inability to generate these insights day after day – may cause serious problems for companies of all sizes.
“When you think about the time it takes to do a [cyber security] assessment of a critical vendor … it is a time-consuming process.”
Keller also pointed out that cyber security assessments usually are insufficient. In many instances, these assessments can be costly and time-consuming and fail to provide businesses with real-time cyber security insights.
“When you think about the time it takes to do a [cyber security] assessment of a critical vendor … it is a time-consuming process,” Keller said. “Regardless of the assessment that you do, the numbers indicate that you’ll spend about 50 percent of your assessment time sending out your assessments and performing due diligence.”
In addition, Keller noted cyber security assessments often provide cyber security insights that are relevant for only a short period of time.
“[An assessment] takes place at a static point in time,” Keller pointed out. “The information isn’t good the day after it was written up because you don’t know what is going to change.”
A unified approach to threat management can make a world of difference for businesses. This approach ensures companies can learn about prevalent cyber security threats, find out the sources of these problems and respond accordingly.
“[Threat intelligence] solves the point in time dilemma. It solves the stale data dilemma. It’s giving you more real-time access and real-time information about what’s happening with your vendors.”
To take a unified approach to threat management, Keller said a business must focus on three areas:
Keller indicated that businesses must be able to classify their third-party vendors based on the types of data they use, systems accessed and availability. Companies also should examine whether a vendor stores data on- or off-site.
Moreover, businesses should evaluate the role that a third-party vendor plays in a company’s day-to-day operations. By doing so, companies can determine what types of data that this vendor should be able to access and implement cyber security protocols as needed.
“It’s not just the system that they go into, but also the systems where they can go,” Keller said. “You’ve really got to think about the authorization that you provide.”
2. Threat Intelligence
Threat intelligence can make or break a business, and perhaps it is easy to understand why.
Keller stated ongoing threat intelligence provides businesses with real-time insights into how a third-party vendor evaluates cyber security dangers. He pointed out that threat intelligence may provide cyber security insights beyond those that businesses can obtain with traditional cyber security assessments as well.
“[Threat intelligence] solves the point in time dilemma. It solves the stale data dilemma,” Keller said. “It’s giving you more real-time access and real-time information about what’s happening with your vendors.”
Many third-party vendors are developing cyber security information packets that show how these companies handle cyber security issues. The packets offer valuable cyber security insights and may make it easy for companies to determine whether to work with various third-party vendors.
“I think the future looks at how you share information,” Keller said. “With collaboration, we’re not talking about you sharing risk controls; we’re talking about sharing data.”
With the right approach to cyber security, companies can make more informed decisions to protect their sensitive data. In fact, businesses that allocate the necessary time and resources to understand the cyber security landscape may be better equipped than other companies to minimize cyber security threats both now and in the future.
Visit Argyle Executive Forum's CYBERSECURITY LEADERSHIP FORUM - San Francisco in San Francisco, CA on Mar 19, 2020