If people have learned one lesson in 2020, it’s that nothing stays the same forever. Change is inevitable, and to remain a viable organization, you need to be agile. In order to meet changing business needs, organizations need full visibility into their supply chain risk, especially cybersecurity risk. However, the traditional third-party questionnaire process drains organizational resources. Automated questionnaire platforms with security ratings embedded into assessments accelerate the questionnaire process by providing real-time visibility so that you can more adequately manage and mitigate risks.
Why third-party risk management is increasingly important
Most organizations know that third-party risk management (TPRM) acts as the foundation of an interconnected business and IT ecosystem. Whether it’s filling gaps in skills or managing a digital transformation strategy, creating partnerships is a way to maintain a competitive advantage in a changing world.
According to Forrester’s “The State of Data Security and Privacy, 2020” report, 21% of confirmed breaches arose from attacks against or incidents at third-party organizations. In parallel, the 2020 IBM Cost of a Data Breach Report noted that 54% of organizations required employees to work remotely, and 76% of respondents believed that this shift would increase the time to identify or contain a breach. Taken together, these two reports only highlight what many TPRM professionals have been saying for years: organizations need to place more focus on, and allocate more resources to, their vendor risk management (VRM) programs.
Problematically, TPRM agility lags behind other organizational areas. A Gartner report noted that only 22% of assurance functions have agile collaborations in the face of changing risk. Compliance and assurance departments require you to document your vendor risk mitigation processes; however, many organizations struggle to get the right documentation because the areas that own the relationship lack streamlined collaboration capabilities.
How do you do a third-party risk assessment?
Third-party risk assessments require communication, documentation, and observation. To successfully assess third-party risk, you need to follow four basic steps:
- Identify meaningful risk criteria
- Create vendor risk profiles and customize assessments by profile
- Engage in due diligence based on vendor risk level
- Validate vendor-provided data with objective data, then address and mitigate the remaining risks
Identify risk
Not all vendor risk is created equal, yet even vendors who lack access to sensitive data pose a data breach risk. A vendor who connects to your systems, networks, and software can create a backdoor that malicious actors use to gain unauthorized access to your sensitive information.
For example, your vendor’s remote employees access their cloud-based database from home computers. One of those employees accidentally clicks on a malicious link. That employee’s computer is now infected with malware. The employee needs to access your organization’s shared drive, and the malicious code is now on your networks as well. The vendor’s employee may not be accessing sensitive data, but the third-party risk now leads to a data breach at your organization.
When identifying cybersecurity risks across your supply chain, you need to consider:
- Compliance and legal risk
- Transactional risk
- Reputation risk
- Downstream risk
- Geographic risk
Each of these risk types is influenced by your third parties’ cybersecurity posture. For example, malicious actors target some geographic areas more than others, and a downstream business partner that your vendor uses creates a fourth-party data risk to your organization.
Security ratings provide visibility into the various risks that your third-party business partners can create, with a low rating indicating a higher risk. As you build out your TPRM program, you need to identify those vendors who increase your compliance, transactional, reputation, downstream, and geographic risk. For example, organizations with a grade of F were found to have a 5.6x higher likelihood of breach compared to organizations with a grade of A.
With security ratings, you gain at-a-glance visibility into the vendors most likely to impact your organization’s risk, allowing you to better prioritize your TPRM program.
Create a risk profile
Once you identify the risk a vendor poses to your IT ecosystem, you need to assign a level of risk to each vendor. Vendors who store, transmit, or collect personally identifiable information (PII) are a higher risk than those who only interact with publicly facing data. For example, your Human Resources (HR) vendor likely stores, transmits, and collects employee PII. Meanwhile, your public relations vendor manages external facing information.
You need to prioritize your risk mitigation strategies based on the level of risk that each vendor poses, but you also need to know which applications and vendors your organization relies on most. Unfortunately, many organizations silo their business units, which makes it difficult for risk managers to know how deeply integrated a vendor is into the organization’s IT stack. For example, if the marketing and sales departments both use the same Customer Relationship Management (CRM) program, each may be doing its own risk assessment. However, since two departments use this service, the vendor is a higher priority because of its expanded footprint within the IT stack.
Engage in due diligence and continuous monitoring
Since your TPRM program revolves around risk, you need to document your risk decisions and monitor your vendors to ensure that their risk posture remains stable. The initial due diligence process requires you to send the vendor a questionnaire that asks about the company’s data security controls and requires supporting documentation. However, the individuals responding to these questionnaires may not have the most up-to-date data on how effective those controls are. This means that you often need to ask follow-up questions, review new documentation, and update questionnaires.
Additionally, due diligence is no longer a one-time activity. Organizations need to continuously monitor their third parties’ control effectiveness to proactively mitigate new threats. Thus, you need more than questionnaires: you need independent, continuous verification of your third-party risk.
A vendor’s security rating can change as threat actors evolve their methodologies. Organizations engaging in continuous monitoring need to know when a rating changes, but many organizations monitor their vendors manually, even when using a security ratings platform. In other words, unless you dedicate one person to check all of your vendors every day, you’re likely using a rotating schedule of review. While your automation is continuously monitoring your ecosystem, your internal stakeholders may not be.
Building security ratings into your TPRM program
Security ratings provide meaningful metrics that allow you to gain visibility and assess your ecosystem’s cybersecurity risk. However, while the automation monitors for new vulnerabilities, many of the review tasks remain manual. Operationalizing your TPRM program means automating both the monitoring and the business processes associated with documenting your activities.
Verify vendor responses in real-time
Your vendor contacts respond to questionnaires as best they can, but often, those answering the questionnaires lack full visibility into their controls’ effectiveness. By building security ratings into your TPRM questionnaires, you can verify responses in real-time, speeding up the process and reducing operational costs. Consider the following scenario:
- Questionnaire: “Do you install security patch updates within 30 days of their release?”
- Vendor response: Yes
- Security rating score for Patching Cadence: D
The person responding to the questionnaire may not be lying; they may simply not realize that their patching cadence score is low.
With security ratings built into your processes, you immediately validate your vendor responses to accelerate your security monitoring and vendor onboarding.
Customize your questionnaires to meet your unique needs
Cybersecurity and TPRM have no one-size-fits-all approach. Each organization is unique, as is each vendor relationship. For example, even though your enterprise resource planning (ERP) and human resources (HR) systems both need to be Payment Card Industry Data Security Standard (PCI DSS) compliant to manage payments, your HR system may also contain healthcare data that needs to be protected under the Health Insurance Portability and Accountability Act (HIPAA). As such, you need a way to streamline the questionnaire creation process while building in security ratings for verification.
Mapping your security ratings platform’s issues directly to your questionnaires allows you to control the responses at a more granular level. Returning to patching cadence as an example, you may be willing to accept a medium-risk vendor who manages little sensitive data taking 60 days to install a security patch, while a high-risk vendor needs to act within 30 days. By mapping the answers directly to the issues, you get more meaningful data for better oversight.
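The patching-cadence scenario above (a “yes” answer beside a grade of D) and the tier-based windows in the paragraph just read are simple enough to mechanize. The following is an added example written for this article, not SecurityScorecard or Atlas code: it reconciles each self-reported answer with the objective rating for the vendor’s risk tier, and it flags rating drops that should trigger a re-assessment, which is the continuous-monitoring point made earlier. The letter-grade scale, the “low” tier with its 90-day window, the minimum credible grade per tier, and the vendor names and answers are all constructed assumptions.

```python
"""Cross-check self-reported questionnaire answers against objective security
ratings, and flag rating drops that should trigger re-assessment.

Added example for this article; not SecurityScorecard/Atlas code. Grade
thresholds, tier names and vendor data below are constructed assumptions."""
from dataclasses import dataclass, field
from typing import Optional

# Letter grades ordered best to worst (assumed scale for this example).
GRADE_RANK = {"A": 5, "B": 4, "C": 3, "D": 2, "F": 1}

# Patch window accepted per vendor risk tier, in days. The 30- and 60-day
# windows come from the article; the "low" tier and 90 days are an assumption.
PATCH_WINDOW_DAYS = {"high": 30, "medium": 60, "low": 90}

# Minimum Patching Cadence grade that makes a "yes" answer credible per tier
# (assumed policy; tune to your own risk appetite).
MIN_CREDIBLE_GRADE = {"high": "B", "medium": "C", "low": "D"}


@dataclass
class Vendor:
    name: str
    risk_tier: str                                  # "high" | "medium" | "low"
    ratings: dict = field(default_factory=dict)     # factor -> letter grade


@dataclass
class Answer:
    vendor: str
    question_id: str
    answer: str                                     # "yes" | "no"
    claimed_days: Optional[int] = None              # days the vendor says it needs to patch


@dataclass
class Finding:
    vendor: str
    question_id: str
    status: str           # validated | discrepancy | policy_gap | unsupported
    detail: str


def validate_patching_answer(vendor: Vendor, ans: Answer) -> Finding:
    """Reconcile one patch-cadence questionnaire answer with the objective rating."""
    window = PATCH_WINDOW_DAYS[vendor.risk_tier]
    grade = vendor.ratings.get("patching_cadence")

    # First judge the vendor's own claim against the window for its tier.
    claim_ok = ans.answer.lower() == "yes" and (
        ans.claimed_days is None or ans.claimed_days <= window)
    if not claim_ok:
        return Finding(vendor.name, ans.question_id, "policy_gap",
                       f"vendor reports patching slower than the {window}-day window")

    # No objective data: the answer stands but is unverified and needs follow-up.
    if grade not in GRADE_RANK:
        return Finding(vendor.name, ans.question_id, "unsupported",
                       "no Patching Cadence rating available; request evidence")

    needed = MIN_CREDIBLE_GRADE[vendor.risk_tier]
    if GRADE_RANK[grade] >= GRADE_RANK[needed]:
        return Finding(vendor.name, ans.question_id, "validated",
                       f"claim consistent with Patching Cadence grade {grade}")
    return Finding(vendor.name, ans.question_id, "discrepancy",
                   f"'yes' answer but Patching Cadence grade {grade} "
                   f"(tier '{vendor.risk_tier}' needs {needed} or better); "
                   "ask for patch logs before accepting")


def rating_drop_triggers(previous: dict, current: dict, vendors: dict) -> list:
    """Return (vendor, factor, old, new) for every grade that got worse, with
    high-risk vendors first so reviewers work the queue in priority order."""
    drops = []
    for name, factors in current.items():
        for factor, new in factors.items():
            old = previous.get(name, {}).get(factor)
            if old in GRADE_RANK and new in GRADE_RANK and GRADE_RANK[new] < GRADE_RANK[old]:
                drops.append((name, factor, old, new))
    tier_order = {"high": 0, "medium": 1, "low": 2}
    drops.sort(key=lambda d: (tier_order[vendors[d[0]].risk_tier], d[0]))
    return drops


# Constructed sample data: three fictional vendors and their questionnaire answers.
VENDORS = {
    "Example HR SaaS": Vendor("Example HR SaaS", "high", {"patching_cadence": "D"}),
    "Example PR Agency": Vendor("Example PR Agency", "medium", {"patching_cadence": "C"}),
    "Example Print Shop": Vendor("Example Print Shop", "low", {}),
}
ANSWERS = [
    Answer("Example HR SaaS", "Q-PATCH-30", "yes", 30),
    Answer("Example PR Agency", "Q-PATCH-30", "yes", 45),
    Answer("Example Print Shop", "Q-PATCH-30", "yes", 30),
]


def review_all(vendors=VENDORS, answers=ANSWERS) -> list:
    """Validate every answer in the batch and return the findings in order."""
    return [validate_patching_answer(vendors[a.vendor], a) for a in answers]


if __name__ == "__main__":
    for f in review_all():
        print(f"{f.vendor:20} {f.status:12} {f.detail}")
    last_week = {"Example PR Agency": {"patching_cadence": "B"}}   # constructed snapshot
    now = {v.name: v.ratings for v in VENDORS.values()}
    for drop in rating_drop_triggers(last_week, now, VENDORS):
        print("re-assess:", drop)
```

Run as written, the high-risk HR vendor’s “yes” is flagged as a discrepancy because its grade is below the tier’s credible minimum, the medium-risk agency is validated, and the vendor with no rating data is marked unsupported rather than silently accepted. The `rating_drop_triggers` queue is what a rule-based automation would consume to send a fresh questionnaire when a grade slips.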
Communicate in real-time
Just because you can validate the responses in real-time doesn’t mean you should stop communicating. The key point about vendors is that they are business partners, which means you work together to make both businesses better. Unfortunately, email’s asynchronous nature and lack of encryption increase both time and risk.
To streamline your communications, you should look for a secure platform that enables real-time communication. Additionally, you should consider a solution that offers notification via email or alert so that you don’t need to be logged into the platform to know you received a response.
Embed SecurityScorecard’s security ratings into your vendor questionnaires
SecurityScorecard’s completely integrated security ratings and Atlas questionnaire exchange platform provides the most data-rich, continuous monitoring platform on the market. With security ratings embedded directly into individual questions in cybersecurity assessments, third-party risk management teams can verify vendor-provided data with objective security ratings.
With the most customizable questionnaire builder, Atlas enables users to choose from over 20 industry-standard questionnaire frameworks with security ratings automatically mapped to individual questions. Using your own custom questionnaires? No problem, Atlas also lets you create your own questionnaires from scratch and designate SecurityScorecard Ratings data that validates that question. If you’re not sure what issues to specify, our machine learning will take care of that for you by automatically designating issues, so you always have an objective view of risk.
Our platform automates repetitive business processes so that your organization can take a more agile approach to third-party risk management. SecurityScorecard offers a Rule Builder that triggers tasks such as sending out questionnaires in response to changes in security rating or a security event. Vendors can leverage our machine learning to automatically fill out received questionnaires, which reduces response time by 50% because it removes the need to copy and paste from previous questionnaires.
Finally, you can more effectively and efficiently send communications with our secure platform. SecurityScorecard’s platform eliminates the need for email back and forth and enables you to ask for clarification right in individual questions with the ability to chat so you can communicate in real-time.