Director, Risk and Threat Management
James Robinson is responsible for our internal information risk management and threat management programs within information security and is a member of the Office of the CISO for Optiv. Robinson uses real-world experience to help enterprise-level organizations solve their security and related business issues. He also develops and delivers a comprehensive suite of strategic services and solutions that help CXO executives change their security strategies through innovation.
DEF CON is Here: A Reminder to Manage and Remediate Security Vulnerabilities of Your Third Parties
Every year I like to take a look at the talks at Black Hat and DEF CON to see if there are areas of risk I need to review. This year, like others, focused on a range of hacking and defensive techniques. It also carried a theme on cloud components and IoT, and on new vulnerabilities within both. If your organization develops these products, you have the ability to talk with the development teams and review the devices for the vulnerabilities.
However, many of us are not able to review these devices for the vulnerabilities very easily. For those who fall in this camp, you will need to have conversations with the vendors and manufacturers about their controls and specifics, which is a manual and grueling process. Luckily, organizations can leverage their third-party risk management processes, if they have them, along with the ability to create customized questionnaires to address these vulnerabilities with their manufacturers.
In my previous blog post, Three Steps for Management and Remediation of Security Vulnerabilities, I shared how organizations can look for vulnerabilities within their vendors. This same process applies to IoT and cloud systems. In preparation for this week's activities, it might be a good step to review your organization's readiness and perform any preparations you can. Some key areas that stood out this year include:
- Exposure areas – Understand where your key exposure areas may be, including operating systems and other systems on your network
- Third-party risk – Define your key third parties and technologies being used to deliver critical business services
- Incident response program – Take a quick moment to review and share your incident response plan and runbook, adding in some quick stopgaps (e.g., do you know what to do for cloud, IoT and third parties?)
To ensure your vulnerability response program is comprehensive, dedicating time and resources to your third-party risk management program is a must, and there is no better time than the present.