The third-party attack surface is expanding rapidly, making it challenging for businesses to manage the associated cyber risk. When a company outsources services by sharing data and network access with vendors, it inherits the risk of their people, processes, and technology, as well as that of the vendors’ own third parties. With an average of nearly 5,900 third parties working with the typical enterprise, companies face a significant amount of risk, regardless of how well they cover their own bases.
The Looming Threat
The amount of data and business-critical information shared with vendors is staggering. For instance, a company might share intellectual property with manufacturing partners, store personal health information (PHI) on cloud servers to share with insurers, and allow marketing agencies access to sensitive customer data. This raises concerns about data security, confidentiality, and integrity.
The Current State of Third-Party Risk Management
Cybersecurity rating services play a significant role in the current cyber risk management ecosystem. These services provide a numerical score or rating that indicates the level of risk associated with a particular vendor. However, relying solely on these ratings can create a false sense of security and mislead businesses into complacency over their actual third-party risk.
The Need for an Inside-Out Focus
Adopting an inside-out focus will give you a holistic, real-time, and quantified way to proactively manage third-party cyber risk. This approach involves assessing the vendor’s people, policy, permissions, technology, and cyber reputation to gain a comprehensive understanding of their overall risk posture.
The Shift to 360-Degree Third-Party Risk Visibility
With insights into every vendor’s cyber risk posture, security teams can prioritize risk by choosing to accept, mitigate, or transfer some or all third-party risk. An inside-out assessment tool can help organizations assess risk in real time by collecting signals from the extended attack surface through APIs and aggregating them across a vendor’s portfolio.
Initiating a Dialogue with Vendors
When implementing an inside-out approach, it is crucial to initiate a dialogue with vendors and set expectations. Identify concerns about data sharing, conflicts between cybersecurity philosophies, regulatory hurdles, and other challenges. Work with vendors to delineate their extended attack surface from their internal environment.
Getting the Right Tools
Inside-out assessment tools should collect signals from the extended attack surface through APIs, aggregate them across a vendor’s portfolio, and provide security and risk management leaders with a unified and quantitative view of their vendor risk profile. These tools can help organizations assess risk in real time, prioritize mitigation efforts, and make informed decisions about third-party risk.
Conclusion
The current state of third-party risk management is fragmented and often inaccurate. Relying solely on cybersecurity rating services can create a false sense of security and mislead businesses into complacency over their actual third-party risk. Adopting an inside-out focus will give you a holistic, real-time, and quantified way to proactively manage third-party cyber risk. By initiating a dialogue with vendors, getting the right tools, and implementing an inside-out approach, organizations can gain 360-degree third-party risk visibility and make informed decisions about their vendor relationships.
Recommendations
- Assess Your Third-Party Risk Profile: Conduct a thorough assessment of your existing vendor relationships to identify potential risks and areas for improvement.
- Implement an Inside-Out Approach: Adopt an inside-out focus to gain a comprehensive understanding of each vendor’s risk posture, including people, policy, permissions, technology, and cyber reputation.
- Initiate a Dialogue with Vendors: Engage in open and transparent discussions with vendors to set expectations, identify concerns, and work together to mitigate risks.
- Get the Right Tools: Invest in inside-out assessment tools that can collect signals from the extended attack surface through APIs, aggregate them across a vendor’s portfolio, and provide security and risk management leaders with a unified and quantitative view of their vendor risk profile.
By following these recommendations, organizations can proactively manage third-party cyber risk, improve their overall security posture, and make informed decisions about their vendor relationships.