Vice President, Enterprise Security and Risk
Chris Gray is the vice president for Optiv's enterprise security and risk practice with over 15 years of experience in information technology, information security and information risk management. He leads the team in meeting customer requirements by implementing information security, risk management and compliance management programs.
Common Failures of Third-Party Risk Assessments
Third-party risk analysis – whether used to evaluate partners, service providers or suppliers – is a necessity in today’s business landscape. Assessing the services provided by external agencies is often as critical to an organization’s success as their own internal practices. However, many companies follow inconsistent approaches that don’t give an accurate picture of the risks associated with “outsourcing” services. Fortunately, the failures commonly seen in third-party risk assessments are relatively easy to address if you apply effective and consistent practices.
A failure to understand the things that truly matter. As assessors, we frequently concentrate on information technology concerns such as trouble systems or known vulnerabilities. Our “IT security” or audit backgrounds make this approach comfortable, but we fail to understand why, or if, those things really matter. Financial and reputational loss results from the exposure of our most sensitive information resources, compliance obligations, critical business process flows, and exposure vectors. Anyone who has ever performed a business impact analysis knows that figuring out where each of those concerns lives is far more difficult than just pointing to the production environment and getting to work. Third-party risk assessments should begin with a scoping process to understand the things that have the largest possible impact on the organization.
Applying a “one size fits all” approach. Third-party risk assessments should not treat all vendor relationships as if they are equal. As explained in a previous blog post, third parties can be mapped to one of three risk tiers, which determines the level of due diligence you perform. This helps an organization determine what sorts of assessments are needed, how often they should be performed, what scoring mechanisms should be put in place to measure the results, how critical the remediation activities are, and how the results can be included in the enterprise risk management approach. If all of the gold actually was in Fort Knox, it would be easy to guard. Our gold, however, is spread far and wide; and in a world of limited time and resources, we’ve got to focus our protection efforts accordingly.
Not developing and applying applicable standards when evaluating risks. This can result in ineffective judgment metrics. It is true that comparisons need to be performed using a consistent set of criteria, and organizations can leverage many widely-accepted standards such as those promoted by The Santa Fe Group SIG, HITRUST, or the ISO frameworks. However, even after a company has accepted one of these common control sets, the evaluation criteria must be tailored to fit the nature of the third-party relationship. Organizations often fail to apply these personalized evaluations to each third party; and the result is evaluations that do not provide data that can be easily correlated or are skewed by assessing control failures that have no bearing upon the relationship. We need an apples-to-apples evaluation when such is possible, but we’ve simply got to accept that sometimes our third parties don’t even sell fruit!
Organizations are increasingly attempting to use the services of third-party organizations to augment or replace their own capabilities. This sharing of responsibilities brings exposures that must be understood, evaluated and mitigated. As risk management professionals, we must apply repeatable and defendable practices to evaluate those exposures and understand how they must be treated to provide adequate security to our company. Those steps must include an effective understanding of information assets, scoping of required activities and the execution of consistent, applicable reviews.