Vice President, Information Risk Management
James Christiansen is a seasoned business leader with deep technical expertise and is recognized as a global thought leader. As the vice president of information risk management and member of the Office of the CISO, Christiansen helps CXOs make executive decisions based on the balance of risk and cost. He is responsible for developing and delivering a comprehensive suite of strategic services and solutions to help CXO executives change their security strategies through innovation.
How Do You Measure Third-Party Risk?
How often do thieves use the front door to commit a robbery? I don’t know from experience, but I’ve been told that most go through a window or back door. Third parties can be the back door of a company, and increasingly the source of security failures, financial difficulties, and other problems that disrupt business for the primary organization.
Organizations large and small can have hundreds or thousands of third-party relationships—lots of windows and back doors. Each third party brings with it some level of risk. Now, companies must find a way to secure all these points of entry without breaking the bank.
The good news is that some third parties don’t require total scrutiny. Your HVAC vendor may not require the same onsite audits as your data center provider. The best defensive strategy is to match your due diligence to the level of risk of each third party.
Keep in mind that assessing third-party risk is not an exact science but it can be measured. There are different types of risk—what we want to first measure is inherent risk—the exposure from a third-party relationship. It is the sum of relationship risk and business profile risk.
• Relationship risk looks at the type of service a third party provides, how strategic that service is to the company, and the type of data they are handling (e.g. the data service provider versus the HVAC vendor).
• Business profile risk focuses on who the third party is and the risk they pose. Are they financially stable? If they’re located overseas, what’s their country’s risk rating?Once you know the inherent risk of a third party, you can place it in one of three risk tiers.
1. Tier 1 includes strategic accounts, such as the core technology provider for an OEM. Their failure to deliver could shut your business down or a breach could cause significant legal and reputational harm.
2. Less critical, third parties in Tier 2 still have the power to halt business, at least temporarily—for instance, an e-mail provider or call center.
3. Third parties in Tier 3 pose the least risk because they don’t handle sensitive data or provide services that drive revenue. Don’t forget that Tier 3 third parties do pose some risk and should not be completely ignored. Even an HVAC provider with access to the internal supplier portal can present a risk to the organization.Once you’ve categorized each third party into a risk tier, you can do the right amount of due diligence for that third party. No need to assign a guard dog to the small basement window if thieves don’t even know it’s there.
At the same time, you still want to make sure common business controls are in place before signing the contract—like a padlock on the basement window. You can also reduce risk by requiring higher-risk third parties to strengthen security controls or change contract terms.
In another blog post, we’ll discuss when to review the security controls of a third party and how in-depth they need to be. Your organization deserves the best level of protection possible; however, you don’t want to go out of business providing it.