The CISO of a large state agency shared with me the automated tools he used to mine intelligence about his IT suppliers, their sub-suppliers and their interconnections, as a way of vetting their security posture. He truly recognized the threat of third parties long before the SolarWinds hack. His due diligence sparked the inspiration for this blog post.
Can a business assume that third party security controls are strong enough to protect their digital supply chains? What about cloud-based assets? Who is responsible when a business is breached? Is that totally “on” the supplier(s) involved? And what about subcontractors to suppliers?
The answers vary by circumstance. But at day’s end a business shares responsibility for the security controls governing its third party engagements. No, organizations cannot depend on suppliers to fully close the gaps spanning cloud, web and software services. They cannot assume suppliers maintain security standards equivalent to those of their own business environment. No organization can count on suppliers to monitor their own sub-contractors. Lastly, many corporate security contacts are unaware of all the third party development and networks in play, thanks to “shadow IT”.
Now add the legal dimension. Regulation such as GDPR, which makes a data controller answerable for the processors it engages, and California’s transparency laws hold businesses accountable for the unsafe security practices of their suppliers. Further legislation is expected to unfold state by state as third party breaches continue to make major impacts and headlines.
Small wonder that many managers get that “rabbit in the headlights” look when the topic of third party security risk management arises. Supplier evaluations, performance reviews and sourcing decisions are fraught with the unknowns inherent in manual risk management, and there are so many third parties involved. The resulting pile of disparate risk reports is a classic case of not seeing the forest for the trees.
What’s the weakest link in the supply chain herd?
- Cloud services?
- Third party networks?
- Web applications?
- Managed IT services?
Answer: all of the above. Any third party that touches business data or systems is part of the supply chain attack surface.
What are key user benefits of automating security risk assessment to monitor the supply chain?
According to the AT&T Governance Group, there are 4 key benefits to identifying and assessing such supplier risk across a global supplier portfolio:
- A quantitative measure of data security risk, a risk tolerance and performance standard against which we can evaluate program results.
- Real-time, actionable information, mapped to Supplier Information Security Requirements (SISR) controls, enabling ongoing engagement with supplier security organizations.
- Intelligence to focus the timing and scope of security assessments.
- A means to identify and assess 4th party supplier risk across the global supplier portfolio, a key AT&T concern.
All of these tallied up to the business case for adopting supplier assessment technology to support such a Supplier Oversight Program.
How does a 3rd party cyber risk management service work (and why)?
Automated vendor assessment services such as Fortify Third Party Risk Management (TPRM) can discover a client’s primary suppliers and the second- to fourth-tier suppliers behind them.
Each vendor has its own infrastructure of assets, IP addresses and domains. Third party risk assessment tools analyze the associated web applications using natural language processing and machine learning, extracting technology signatures (the kind of evidence a web application leaks about the CDN in front of it, the identity provider behind its login, or the scripts it loads). Each signature maps to a service provider or product. Those providers are the vendor’s 4th party relationships, which the tool associates back to the vendor in question.
Risk aggregation across the supply chain
Lastly, data is pulled from across the client’s entire supplier portfolio and aggregated to identify areas of concentrated risk and to spot single points of failure. Both points are especially important when evaluating whether a primary supplier is viable for hosting business continuity functions and, moreover, whether it is backed by a reliable network of tiered suppliers. Note that service providers are shown with security trends, ratings and links to their dependent companies.
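To make the two preceding steps concrete (signature extraction from a supplier’s web application, then aggregation across the portfolio to find concentrated risk), here is an added example in Python. It is not code from this page or from the Fortify TPRM product; it stands in for the NLP/ML classification with a small hand-written signature table, and every domain, HTTP header and HTML fragment below is constructed for illustration rather than captured from a real company.

```python
import re
from collections import defaultdict

# Constructed sample data: selected HTTP response headers plus an HTML fragment
# for one web application per supplier. Domains and content are made up.
SAMPLE_RESPONSES = {
    "payroll.acme-hr.example": {
        "headers": {"server": "cloudflare", "x-powered-by": "Express"},
        "html": '<script src="https://js.stripe.com/v3/"></script>'
                '<script src="https://www.googletagmanager.com/gtag/js?id=G-X"></script>',
    },
    "portal.bravo-msp.example": {
        "headers": {"server": "AkamaiGHost"},
        "html": '<script src="https://cdn.auth0.com/js/auth0/9.20/auth0.min.js"></script>'
                '<script src="https://www.googletagmanager.com/gtm.js?id=GTM-Y"></script>',
    },
    "app.charlie-saas.example": {
        "headers": {"server": "cloudflare", "x-powered-by": "ASP.NET"},
        "html": '<script src="https://cdn.jsdelivr.net/npm/jquery@3/dist/jquery.min.js"></script>',
    },
    "files.delta-docs.example": {
        "headers": {"server": "AmazonS3"},
        "html": '<p>Downloads</p><script src="https://www.googletagmanager.com/gtag/js?id=G-Z"></script>',
    },
}

# Illustrative signature table: (evidence source, regex, provider or product).
# A real tool carries thousands of rules; these few are enough to show the mapping.
SIGNATURES = [
    ("header:server", r"^cloudflare$", "Cloudflare"),
    ("header:server", r"AkamaiGHost", "Akamai"),
    ("header:server", r"AmazonS3", "AWS S3"),
    ("header:x-powered-by", r"^ASP\.NET", "Microsoft ASP.NET"),
    ("header:x-powered-by", r"^Express", "Express.js"),
    ("script-host", r"(^|\.)stripe\.com$", "Stripe"),
    ("script-host", r"googletagmanager\.com$", "Google Tag Manager"),
    ("script-host", r"(^|\.)auth0\.com$", "Auth0"),
    ("script-host", r"cdn\.jsdelivr\.net$", "jsDelivr CDN"),
]

SCRIPT_SRC = re.compile(r'<script[^>]+src=["\']https?://([^/"\'?]+)', re.IGNORECASE)


def script_hosts(html):
    """Hostnames of externally loaded scripts: the usual tell for a 4th party in a page."""
    return {h.lower() for h in SCRIPT_SRC.findall(html)}


def fingerprint(response):
    """Map one response to the set of providers/products its signatures reveal."""
    headers = {k.lower(): v for k, v in response["headers"].items()}
    hosts = script_hosts(response["html"])
    found = set()
    for source, pattern, provider in SIGNATURES:
        if source.startswith("header:"):
            value = headers.get(source.split(":", 1)[1])
            if value is not None and re.search(pattern, value, re.IGNORECASE):
                found.add(provider)
        elif source == "script-host" and any(re.search(pattern, h) for h in hosts):
            found.add(provider)
    return found


def dependency_map(responses):
    """Supplier -> the 4th-party providers its web application depends on."""
    return {supplier: fingerprint(resp) for supplier, resp in responses.items()}


def concentration(dep_map):
    """Provider -> sorted suppliers relying on it, most widely shared first."""
    by_provider = defaultdict(set)
    for supplier, providers in dep_map.items():
        for provider in providers:
            by_provider[provider].add(supplier)
    return sorted(((p, sorted(s)) for p, s in by_provider.items()),
                  key=lambda item: (-len(item[1]), item[0]))


def single_points_of_failure(dep_map, min_suppliers=2):
    """Providers whose outage or breach would hit several suppliers at once."""
    return [p for p, suppliers in concentration(dep_map) if len(suppliers) >= min_suppliers]


if __name__ == "__main__":
    deps = dependency_map(SAMPLE_RESPONSES)
    for supplier, providers in deps.items():
        print(f"{supplier}: {', '.join(sorted(providers))}")
    print("\nConcentration across the portfolio:")
    for provider, suppliers in concentration(deps):
        print(f"  {provider}: {len(suppliers)} supplier(s)")
    print("\nShared dependencies (potential single points of failure):",
          single_points_of_failure(deps))
```

In this constructed portfolio the aggregation step is what surfaces the finding that no single supplier report would: three of the four suppliers load Google Tag Manager and two sit behind Cloudflare, so a compromise or outage at either provider reaches the client through several suppliers at once. The regex table is the honest limitation of the example; production services replace it with learned classifiers and far larger rule sets, but the discover-fingerprint-aggregate pipeline is the same.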
Greater 3rd party visibility than ever
The benefits of applying machine learning to the mass of supplier intelligence data cannot be overstated. Blind spots in security risk and incomplete maps of tier dependencies are addressed. Rating of supplier security posture becomes more objective. The overall procurement decision is better supported. The subscription cost is easy to justify against the cost of a single third party breach incident. And the service is easy to use. All of these pluses are relevant discussion points with our clients grappling with the dense ball of third-party management.