Furthermore, Valente recommends that CISOs create assessments that can easily and quickly flag potential security issues at third parties that would then trigger a deeper dive into their security practices. “Find the questions that are going to give you the red flags,” she tells CSO.
Valente explains that asking third parties how often they test their business continuity plans, for example, or whether they have a dedicated incident response team can help CIOs gauge the maturity of those third parties’ security programs. This in turn can help CISOs determine whether a third party has the minimum required security in place to warrant moving a contract with it forward — or whether a third party should be quickly disqualified from consideration because it can’t even pass the initial screening. Valente notes that CISOs have a lot of room for improvement with their assessment processes. She points to Forrester research, which has found that fewer than 50% of risk decision-makers said their organizations assess all third parties while 10% said they only assess the third parties they’re explicitly asked to assess.
5. Leverage the third-party contracting process to benefit security
When security assessments happen also matters, according to experts. Those security checks on third parties — whether supplier, vendors, or partners — typically happen during procurement, says Tim Witos, vice president of information security and risk management at McKesson, a healthcare and healthcare tech company. Too often the assessments come at the tail end of the process, when much of the negotiation is done, leaving CISOs with little to no leverage.
“Most organizations at best have language about security requirements that are reviewed at signing,” says Witos, who also serves as a council member with the Health 3PT Initiative, a collaborative of care providers, health systems and other healthcare organizations focused on reducing third-party information security risk with more reliable and consistent assurances.
CISOs would do well to get involved early in the procurement process, Witos and others say. They say CISOs should start by educating leaders within their organizations on what security elements will be required of any third parties. CISOs also should communicate early to potential vendors and partners what security standards they’ll have to have in order to ink any deals with the organization.
“We [CISOs] sometimes fail to have a conversation about what we expect,” Witos adds. “So set the expectations of what you’re looking for and why early; understand what you’re looking for a vendor to have when it comes to security. Make your legal team, your sourcing and your procurement team aware of the security requirements you want from your suppliers and explain that those must go into the contracts. Then write up those requirements in a way that the suppliers can understand them.”
Moreover, Witos and others say CISOs should include additional specifics in their third-party contracts to ensure they’re effectively managing third-party risks. Those specifics include requirements for how quickly the third party must notify the CISO (or a designee) if there is a cyber incident and what information the third party will supply. They should also include a clear articulation of what security aspects the third party will handle and which the organization will own, Mettenheimer says. “Know what your vendors are on the hook for. We see time and time again that organizations and CISOs will agree to a contract and believe that a certain level of security is in place [only to learn that] that extra level of security isn’t included in the vendor’s baseline contract.”
Another specific requirement a CISO should demand is the name and contact information of the third party’s security leaders so that the CISO can reach them in case of an event (rather than trying to work through account managers who likely won’t be of much help if there’s a cyberattack).
6. Make third-party risk management an ongoing exercise
Managing the risks presented by third parties doesn’t end once those contracts are signed, says Paul Kooney, who as a managing director at consulting firm Protiviti focuses on innovative third-party risk management (TPRM) program development as well as cybersecurity and privacy compliance. He says organizations with the most effective, and most mature, TPRM programs make them continuous in nature so that they can identify and mitigate risks as they arise throughout the organization’s relationship with each third party.
Rica adds: “Third-party risk management is a process; it’s not an event. Many are very good about that initial assessment. They’re very thorough, they get the required documents, but then they forget about it. They don’t have any way to go back to see if the risks are the same, whether they’ve changed, or whether they need to change the controls. This is where things often fall apart.”
As such, Kooney, Rica, and others advise CISOs to monitor continuously for compliance with contractual requirements and to identify adjustments and updates that may be needed, noting that third-party risk management program software and automation can support the security teams doing this work while keeping them from being overwhelmed by the task.