The Business Case for Situational Awareness in Your Supply Chain

The BTN was recently delighted to partner again with RiskRecon, a Mastercard Company specialising in risk assessment automation and cyber risk management, for an exclusive roundtable to discuss ‘The Business Case for Situational Awareness in Your Supply Chain’.

The session looked at three questions. What can we be doing to increase the visibility of supply chain threats? How do we determine and identify risky vendors in our ecosystem? And where do we start when building an action-oriented third-party risk programme?

It’s no longer acceptable to assume that the third and fourth parties your business depends on are operating securely. Even if they’ve given you the answers you were looking for in an assessment or survey, can you trust those responses? Whether it’s a vulnerability in a widely used platform or an exposure through an open-source tool, supply chain security incidents have made headlines around the globe – how can you stay ahead of supply chain threats?

The conversation was led by the incredible Jonathan Ehret (Vice President, Strategy and Risk at RiskRecon, a Mastercard Company) and Brett Halper (Regional Sales Director at RiskRecon, a Mastercard Company). It was an open and interactive discussion that brought about the following takeaways:

No questionnaire and no tool will tell you everything

Many organisations use security questionnaires to validate an organisation’s security practices before choosing to do business with that organisation. Jonathan opened the conversation by asking how many people rely on security questionnaires, to which many answered yes. Jonathan stated that 84% of organisations use a security questionnaire within their programme. So how would you start if you were going to build a third-party risk programme? It was mentioned that inventory is where organisations need to start. Once organisations have this, they can then move on to finding all the contracts and bringing in lawyers to check everything over, as they could be at risk from something they don’t even know about. The point was raised that it depends on what kind of agreement an organisation may have with them. Here, two types of agreement were found. One is the enterprise agreement that they always try to steer you into, and the other is the free agreement where anyone in your company can click and start sending surveys. Microsoft, for example, has a framework called ‘Zero Trust’ which has 9 steps and a whitelisted policy that you can implement in your DevOps practice to whitelist your third-party liability. It is important that organisations look at the policies that currently exist in their space.

When it comes to onboarding a new vendor, it is important to consider what kind of questions you would need to ask in order to categorise them. So how do we know what kind of questions to ask? Do we ask about the volumes of data that they would access, the type of data they process, whether they would be using any other third parties, or whether they would be sending the data out to other geographies for processing? There are many different types of questions that need to be taken into consideration. On the basis of that, organisations need to ensure they have the inventory along with categories for the existing vendors. There is no one standard questionnaire that organisations send to critical vendors. Have a process that clearly defines how you onboard a vendor, how you categorise them, what type of questionnaire goes to whom, and whether there is an onsite assessment that you would conduct. All of this should go into third-party risk management policies and standards. This is something that people need to think about when it comes to starting and building a third-party risk programme. No questionnaire and no tool will tell you everything.

In certain situations, there are certain controls that the company will own, for example, access management. If you end up going live with the vendor, you have already taken care of access management for that vendor’s products, so the buzzword would be ‘shifting left, right’ and viewing your vendor risk management programme as your supply chain pipeline. Once you figure out which particular controls or programmes can happen in parallel with your vendor onboarding programme, implement the controls before going live.

However, it is important to know what to do when there is a start-up or something that does not have the ability to protect the data the way you want it to or to implement the controls. So what can you do? It was noted that there is a certain classification of data that organisations can use to do a proof of concept so that there is no Personally Identifiable Information (PII) or sensitive information. Organisations can do a trial run with the data for a period of time so there are boundaries on what they can do depending on the nature of the data. Many final businesses want to move to the cloud, but a lot of security will not allow this as it’s their responsibility to ensure certain compliances are met, therefore using the mock data is key. Having fake data is good risk mitigation.

What can give you enough visibility into your supply chain to really have situational awareness of what is going on?

It has been noted that when an organisation takes a framework like Payment Card Industry (PCI) and wants to try to claim all sorts of exemptions, that is when it starts to raise questions. There are a few key questions organisations need to consider. What is this going to touch in your environment? How is it going to change anything in your environment? And most importantly, what kind of controls do you have to set up to minimise any potential changes? It is KEY that organisations can ‘look under the hood’, so if the vendor says no, then you should not connect. It’s like taking your car to the mechanic to get your yearly inspection: when the check engine light comes on in the middle of the year, the inspection does nothing to help you.

The point was raised that “compliance is not security; if you want security, you need to get that one step closer”. There is real value in an organisation that wants to know how they look to other people. There isn’t any vendor that wants to open up to the common enough in the continuous integration/continuous delivery (CI/CD) pipeline and how they are releasing updates. This can be a giant risk and internal flaw that none of their customers knew about. If organisations are able to look at a security scorecard for that vendor and bring it together, it can provide them with some level of comfort. So should you use questionnaires? The answer is yes, but when using the questionnaire, do you believe you are where you would like to be in terms of gauging the risk in using that vendor? The consensus was that you need to ensure you have more confidence, whether that be remote assessments, onsite assessments or security scorecards to tie this up.

However, it was stated that although questionnaires are necessary and can give them a sense of where the vendors believe they are, the evidence will not die back; there will always be some gaps they identify. If organisations are able to bring all of this together, then that can give them some sort of comfort.

How to tackle fourth-party risk

The assessment work is performed by the contractors, especially because, depending on how you build out and structure your programmes, some may need to be assessed every year. The staff would serve as risk managers; the assessors would be outsourced.

One of the advantages that a large multinational organisation would have is that they would have member phones across the globe. This creates a specialised pillar called ‘third party risk’, building that skillset and that experience across the globe. 87% of people said that at some point during the year, they were completely understaffed for keeping up with third-party work, and therefore it’s essential to work smarter, not harder.

When it comes to looking at fourth-party risk, some companies look at a consumer service that is tied to the application that the business runs. This is where they check on the Application Programming Interface (API). You are responsible. How you work your vendor and partner agreement is important. There are many layers you need to peel back as the customer expects you to be responsible.

Some organisations look at adding value outside of the traditional ways of assessing vendors and with the data they have access to. For example, it was mentioned that one of the represented organisations implemented a unique solution known as ‘Third-party vendor performance evaluation’. As part of this process, they did not go back to the vendor and ask questions to evaluate their risk. Instead, they went back to the business and asked how they would rate their vendor on security, quality and cost.

It is important that organisations are able to treat a strategic partner like any other outside third-party vendor. Organisations need to be strict and ensure they do not go into a partnership not knowing whom they are doing business with. Therefore, it is vital that organisations are creative with their data.

About RiskRecon, a Mastercard Company

RiskRecon, a Mastercard Company, enables you to easily achieve better risk outcomes for your enterprise and your supply chain. RiskRecon’s cybersecurity ratings and assessments make it easy for you to understand and act on your risks, delivering accurate, risk prioritized action plans custom-tuned to match your risk priorities.

As a leading provider of cybersecurity ratings, RiskRecon continuously monitors the cybersecurity risk of over 15 million companies across even the most highly regulated industries from finance and insurance to aerospace and healthcare. RiskRecon provides deep, risk-contextualized, data-driven insights into the security risk performance across a customer’s entire ecosystem and helps pinpoint specific gaps in any organization’s security programs and performance. With a 99.1% accuracy rating of its data, as certified by a third-party, customers can confidently rely on RiskRecon’s data-driven insights.

Customers that leverage RiskRecon’s platform can transform traditional, manual methods of managing cyber risk into automated and streamlined processes – enabling them to build a highly efficient, scalable third-party risk management program. According to findings of the 2021 Total Economic Impact study conducted by Forrester Research, organizations using RiskRecon realize an average ROI of 147% over a three-year period.

https://www.riskrecon.com