In the movie ‘After Earth’, Will Smith’s character tells his son Kitai to “take a knee” whenever he runs out of ideas during a crisis. This forced pause amid the commotion gives Kitai the mental clarity and the logical reset he needs to overcome the obstacles in front of him and stretch his abilities. The current COVID-19 pandemic has forced the entire planet to “take a knee”. Organizations have been compelled to pause, take a mental break, and use the opportunity to ideate and formulate the right strategy to propel them ahead once the horizon clears. Managing cybersecurity risk in the vendor ecosystem is one such strategy: done well, it increases productivity, optimizes contracts and assets, and enhances customer trust, all of which translate into competitive advantage.
Businesses have realized how much they depend on suppliers, and how the non-availability of critical and urgent products and services hurts their top line, brand image and employee satisfaction. Considering the rise in cybersecurity threats and attacks that use the coronavirus as a lure, the security and availability of the third-party ecosystem cannot be taken lightly. Enterprises need to treat third-party risk management as one of the top priorities of their cybersecurity program, because customers do not regard the enterprise as separate from its third parties: a breach at a supplier is, in the customer’s eyes, a breach at the enterprise. Investment in vendor security risk management should therefore be a business enabler.
Key considerations to revamp third-party risk management capabilities and gain the most out of the program are listed below:
Conducting a diagnosis and capability assessment
An in-depth diagnosis of the organization’s ‘as-is’ third-party risk management capability identifies where people, process and technology need improvement in order to raise the maturity of the program. Such an assessment can provide insight into questions like:
Closing the gaps identified by such a maturity assessment leads to lower cost, standardized effort, greater flexibility and better performance.
Establishing a vendor data map
No regulation mandates a vendor data map in the way GDPR prescribes a record of processing for personal data. Yet to evaluate the security posture or risk of its vendor relationships, an organization needs to know how many third parties it has, who they are, and how each vendor relates to organizational functions, assets and processes. A CISO should never be in the position of receiving a breach notification from a third party the organization did not even know it had! A dynamic supplier information database can act as the single source of truth for all suppliers in the organization, linked to procurement, business continuity, risk and compliance, the privacy office and the business lines.
Creating a better experience for vendors participating in the assessment process
Vendors are inundated with security questionnaires from the many organizations that consume, or are about to consume, their products and services. The more questionnaires a vendor has to answer, the higher the probability of human error in the responses, and the longer and more effortful the response review cycle becomes on both sides.
Adopting a zero-trust model for third-party security
In 2013, why did the HVAC vendor of the breached retail organization have access to the retailer’s billing and project management systems? Provisioning access for third-party personnel to organizational applications and data strictly on a need-to-know and least-privilege basis lays the foundation of a zero-trust strategy. Such privileges should be granted only after approval from both the business owner and the CISO office. Access, once granted, should be monitored continuously and decommissioned immediately when the vendor staff member changes role or the contract ends.
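The controls described above (dual approval, scope limited to what the contract covers, decommissioning on role change or contract end) are only real if somebody checks them regularly. The following is an added example, not code from the original article or from Wipro: a small access-recertification routine that reconciles a list of vendor personnel accounts against a contract registry and reports every account that should be cut or re-approved. All vendor names, system names, account names and dates are constructed for the example; the only requirement is that the organization keep a current vendor data map to feed it.

```python
"""Reconcile third-party access grants against the vendor contract registry.

Added example (hypothetical data): flag vendor accounts whose access violates
the zero-trust rules above: not approved by both business and CISO office,
granted to a system outside the contract's scope, outliving the contract,
belonging to an unknown third party, or granted before a role change.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class Contract:
    vendor: str
    end_date: date
    approved_systems: FrozenSet[str]  # systems the contract scope allows


@dataclass(frozen=True)
class Access:
    account: str
    vendor: str
    system: str
    granted: date
    approved_by: FrozenSet[str]        # subset of {"business", "ciso"}
    role_changed: Optional[date] = None  # date of last role change, if any


REQUIRED_APPROVERS = frozenset({"business", "ciso"})

# Constructed contract registry (the "vendor data map" of the article).
CONTRACTS: Dict[str, Contract] = {
    "AcmeHVAC": Contract("AcmeHVAC", date(2020, 12, 31), frozenset({"bms"})),
    "CleanCo": Contract("CleanCo", date(2020, 3, 31), frozenset({"ticketing"})),
    "DevShop": Contract("DevShop", date(2021, 6, 30), frozenset({"git", "ci"})),
}

# Constructed export of vendor accounts as seen in the identity system.
ACCESSES: List[Access] = [
    Access("acme-tech1", "AcmeHVAC", "bms", date(2020, 2, 1), frozenset({"business", "ciso"})),
    Access("acme-tech2", "AcmeHVAC", "billing", date(2020, 2, 1), frozenset({"business"})),
    Access("cleanco-1", "CleanCo", "ticketing", date(2019, 6, 1), frozenset({"business", "ciso"})),
    Access("unknown-1", "UnknownCorp", "crm", date(2019, 11, 5), frozenset({"business", "ciso"})),
    Access("devshop-1", "DevShop", "git", date(2019, 9, 1), frozenset({"business", "ciso"}),
           role_changed=date(2020, 4, 10)),
]

TODAY = date(2020, 5, 15)


def review_access(accesses: List[Access], contracts: Dict[str, Contract],
                  today: date) -> Dict[str, List[str]]:
    """Return {account: [findings]} for every account that fails a rule.

    Accounts with no findings are omitted, so an empty dict means clean.
    """
    findings: Dict[str, List[str]] = {}
    for a in accesses:
        issues: List[str] = []
        contract = contracts.get(a.vendor)
        if contract is None:
            # An account for a vendor missing from the data map is exactly the
            # "unknown third party" situation the article warns about.
            issues.append("no contract on record: unknown third party")
        else:
            if today > contract.end_date:
                issues.append(f"contract ended {contract.end_date}: decommission")
            if a.system not in contract.approved_systems:
                issues.append(f"{a.system} outside contract scope")
        missing = REQUIRED_APPROVERS - a.approved_by
        if missing:
            issues.append("missing approval from " + ", ".join(sorted(missing)))
        if a.role_changed is not None and a.role_changed > a.granted:
            # Access was sized for the old role; it must be re-certified.
            issues.append(f"role changed {a.role_changed} after grant: re-certify")
        if issues:
            findings[a.account] = issues
    return findings


def run_review() -> Dict[str, List[str]]:
    """Run the review over the constructed data with the constructed date."""
    return review_access(ACCESSES, CONTRACTS, TODAY)


if __name__ == "__main__":
    for account, issues in run_review().items():
        print(account)
        for issue in issues:
            print("  -", issue)
```

In a real deployment the two inputs would come from the identity provider’s account export and the supplier database, and the output would open tickets rather than print; the point is that both sources exist and are joined on a vendor identifier, which is only possible once the vendor data map is in place.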
Real-time monitoring of vendor risk
Point-in-time risk assessments no longer provide the right information for effective third-party risk management (TPRM). A vendor triage process determines how often and how rigorously each vendor is assessed by questionnaire. Instead of taking an annual snapshot of a vendor’s security posture, organizations are shifting to technology that enables near-real-time monitoring and treatment of risks such as weak authentication mechanisms, vulnerable applications, exposed sensitive data, and potential phishing and denial-of-service threats across their high-, medium- and low-risk vendor tiers. Identifying a geopolitical risk or a data-leakage alert affecting a vendor as it happens shortens the path to mitigation and supports effective decision-making.
Automating the third-party risk management process
A solution that maintains the vendor database and automates the end-to-end workflow for assessing and managing third-party risk across the lifecycle of the relationship can be a good investment. Such solutions can incorporate supplier security insights from external security-rating providers, ingest feeds from independent external sources, and use AI and ML to correlate these disparate threat and risk scores. Dashboards and reports then give visibility into vendor performance trends, open issues and risk across the vendor ecosystem, enabling faster, risk-informed decisions.
This pandemic will create opportunities for organizations that “take a knee” to ideate and formulate the right third-party risk management strategy. Organizations will take progressive steps towards a consolidated, leaner, more efficient and more effective third-party risk management system, considering these changes brought on by the current COVID-19 scenario:
Bhaskar Maheshwari is an industry-recognized cybersecurity consulting professional. For the last 13 years, he has been delivering business value to multiple clients across the globe in the fields of cybersecurity, risk & compliance, data privacy, and business resiliency. Bhaskar is part of Wipro’s Cybersecurity Consulting & Advisory Practice.
Bhaskar has an MBA and a Bachelor of Engineering degree in addition to being a TOGAF 9, CISA, CISM, MBCI, ITIL Expert, BS25999LA, CPISI, COBIT F, CBCI, PMP and CPEGP professional.