Vice President, Third-Party Risk Management
As vice president, third-party risk management, Robinson oversees Optiv’s Third-Party Risk Management practice which includes the development and operations of TPRM-as-a-Service and Evantix. During his tenure at Optiv, he has worked as a core contributor around strategic internal initiatives including threat management, risk management, third-party risk management, vulnerability management and data program protection. He also develops and delivers a comprehensive suite of strategic services and solutions that help chief experience officer (CXO) executives evolve their security strategies through innovation.
The Business Trusts the Third Party – Should You?
Outsourced Business Functions Require a Back to Basics Approach
In this day and age we are faced with some hard facts within information security. One of those facts is that breaches are imminent and we must be prepared. Watching events unfold around us, organizations have taken to heart that breaches and incidents are a top priority, not only to prevent but to have a plan ready to respond if they are impacted. As a result, an increased number of organizations have invested in incident response (IR) tools, processes, skilled resources, as well as retainer and managed services. However, we still find there is progress to be made.
Beyond the increase in breach potential, information security leaders are also challenged with the fact that the business of today is not the same as the business of yesterday. Broadly speaking, organization of all shapes and sizes, in one way or another, execute business utilizing third-party relationships. Some of us leverage third parties to complete critical business functions, while others utilize third parties to provide services and support to clients. When we dissect this new business model and how it impacts our security programs we are faced with the fact that our existing approaches and investments, while still needed, will not support this changing landscape.
Information security organizations must rise to meet the challenge. We must evolve our programs and practices to support the increase of outsourced business services and the continuously rising probability of a breach. As we make adjustments to our traditional models, we find ourselves in a world where our first-party focus has left us severely unprepared to make changes requiring organizations to go back to some foundational principles and pillars and start with the basics.
There are four foundational pillars of a third-party information security strategy.
1. Business Alignment
One of the key pillars that will set the tone of a successful third-party relationship starts with business alignment and business support (legal, contacts, privacy, compliance, etc.) involvement. Go beyond the traditional projects and partner with your legal, compliance and IT teams on one or two key business initiatives.
2. Risk Governance and Legal Contracts
Another foundational pillar is governance and risk management, which is set forth in the form of contract language and different degrees of risk assessments. Most programs have started adjusting contract language to include security controls and program oversight, however, they do not include the proper measures when it comes to incident response and language supporting the involvement and communication with a security incident or breach. Learning about an incident from a third party is stressful enough. Having no actual data on the true understanding of the investigation is worse.
A real world scenario to consider. Your organization is contacted by an anonymous third party stating that all of the data hosted by one of your third-party vendors was compromised and stolen. You know the data likely contains PII on your customers and you have no understanding of how the data moves within the third-party application or how the data is stored on the back-end systems.
When your legal team contacts the third-party provider they simply provide you with access to the unstructured data, dumped from their production AWS S3 bucket. Immediately after providing the data, the third-party’s legal team determines that there is no contractual language between the two organizations supporting an investigation or any type of assistance. The third party simply stops responding to any requests from your organization.
Finally, to make matters worse, you’re dealing with hundreds of terabytes of unstructured data, which may or may not contain PII information. There are no logs of connections or information on who or how many times the data was downloaded or accessed.
Needless to say, your organization is in a bit of a pickle. Given today's aggressive reporting requirements, it takes a large and costly set of systems to process that much unstructured data. Additionally, you have no way of knowing exactly what data and how much of it may have been taken. It may have been five years’ worth of client information or simply six months.
3. Evolved Risk Assessment Practices
While governance and contracts have been lacking in the past, technology and processes to enable the ability to perform good risk assessments is an area that has been evolving rapidly. Programs are becoming effective in their approach and looking for opportunities to scale processes and procedures. Taking it a step further, organizations are implementing steps to get access to external ratings data to support risk-based decisions.
As organizations continue to grow their vendor ecosystems, it isn’t probable to treat each third party with the same level of due-diligence. There is an opportunity for continued growth by adopting a tiering approach on your vendors. Many times organizations look at the information being shared. While this is an acceptable and recommended practice, organizations should also institute the ability to denote between which vendors are sharing critical data vs. non-critical data and what services that third party is providing to the business. In many organizations, the process of looking at SSAE16/18 SOC reports is very common, however, more times than not we have found the SSAE16/18 is not for the same data center(s) where services are rendered.
4. Identification and Response
Last, but not least, is identification and response. Looking back on the scenario listed above, the IR plan was not aligned to the contracts between the two organizations leaving the enterprise in a delicate state. We find that most programs lack the ability to identify or have inadequate contractual documents regarding alerting of incidents with their third parties. In some cases, it is governed by regulation, however, most times it is not leaving some of the fundamentals we have used over the years in a bad position. This can lead to incidents causing major pain points for organizations that rely on third parties for processing or storing of critical data. Your incident management strategy needs to begin laying the foundation for cross collaboration with your internal parties to identify gaps and build a plan to get them under control.
In conclusion, there are some bare facts we know to be true. First, organizations are relying on third parties to help scale their business. Second, breaches are inevitable and with the growth in reliance on third-party relationships, it is likely a breach will be suffered as a result of an entry outside of your direct control. Being adequately prepared to respond to a breach involving a third party requires that organizations plan for this type of event in advance. Organizations need to have contractual language that describes the 'rights' of their organization to investigate specific incidents including granular auditing of the controls the third party has deployed to protect your information.
Managing Security Consultant, Enterprise Incident Management
Jeff Wichman is a managing security consultant in Optiv’s enterprise incident management practice. Jeff’s role is to provide leadership to the enterprise incident management security consultants, technical expertise in digital forensics and incident response programs and processes, and mentoring the Optiv enterprise incident management team.