The SolarWinds hack is a strong reminder why third-party risk management is so important. Not only was SolarWinds breached, but the hack is now believed to have affected upward of 250 federal agencies and businesses.
Here, we speak to Jonathan Ehret, Vice President of Strategy & Risk at RiskRecon, who believes organizations should be asking their vendors about the third-party risk management and cybersecurity policies they have in place to protect against a breach and leak of critical data.
Security: What is your background and current role?
Ehret: I am currently Vice President of Strategy & Risk at RiskRecon. RiskRecon provides cybersecurity ratings and insights that make it easy for enterprises to understand and act on their third-party cyber risks. Prior to coming to RiskRecon, I was a 16-year practitioner in the Third-Party Risk Management (TPRM) and audit space. That time included significant stints with the TPRM programs of two major international banks. Most recently I built and ran the TPRM function for one of the BlueCross BlueShield companies. At the same time, I was also President and Co-founder of the Third Party Risk Association, a non-profit professional association of third-party risk practitioners and vendors.
Security: What are some of the current challenges and trends in the third-party risk management space?
Ehret: The current challenges in third-party risk are largely the challenges that have existed for some time. Teams are understaffed for the most part and are asked to tackle an ever-expanding universe of vendors. We talked with 150+ programs in 2020 and 87% of them felt that at some point, they were not staffed to adequately address the volume of new reviews and episodic re-assessments. Organizations have spent millions of dollars and countless FTEs securing internal networks, but then are giving the same data they are protecting internally to countless vendors with little to no idea of the security controls in place to protect that data.
Security: How did the SolarWinds attack raise awareness of the need for third-party cybersecurity from the board down?
Ehret: I think the SolarWinds attack forced organizations to re-think the scope of their third-party risk programs. For the most part before, programs largely were concerned with data that was being shared with third parties. SolarWinds changed the paradigm by forcing us to take the trust but verify mentality and apply it to the software running on-prem, particularly for software that might run with elevated privileges. The fact that it was a major national news story for several weeks helped highlight, for all levels of business leadership, the need for comprehensive and current understanding of the security postures of companies they do business with.
Security: What are some tips on what security teams can do to take control of TPRM cybersecurity (for beginners) or strengthen their program (for experienced teams)?
Ehret: My tip for programs just starting out is to not get discouraged. You are likely trying to shoe-horn a TPRM process into an existing procurement process that never knew it needed you. And that is going to slow things down. I always said my role in building out a TPRM program was 50% security-related and 50% salesman. And once you get the cooperation in place for you to get moving, never stop looking for vendors. Even with a robust vendor management program feeding vendors to you, you will always find vendors (paid and free) that nobody knows about.
For the mature teams, my suggestion would be to not stop at the yearly security questionnaire and the evidence that comes along with it. While that is no doubt a valuable piece of the TPRM process, if you want to build a mature program, build it like a Swiss Army knife. In addition to the questionnaire, utilize tools like continuous monitoring products to build a more comprehensive view of your vendor's posture at any given time. While questionnaires have their place, they are only point-in-time views into your vendor, a view in which the vendor can highly shape the perception of reality. Having additional tools in your Swiss Army knife can also be useful in situations where one tool may not be available to you, such as when you have an uncooperative vendor that will not respond to questionnaires or provide other attestations.
And for both groups, get involved. Network with your peers and learn from them. Likewise, share your experiences and help others improve their programs. At the end of the day, many of us are using common vendors. So it is in the best interests of everyone involved for our vendors to be as secure as possible. It is very much a “rising tide raises all ships” scenario.
Security: Could the pandemic have impacted and caused serious missteps as it relates to third-party risk and meeting proper compliance/governance requirements?
Ehret: Absolutely. As with all aspects of daily life, the pandemic had a profound impact on the world of third-party risk. Organizations were forced to take on new levels of risk that perhaps they previously were not comfortable with just to keep operations moving.
For instance, many companies utilizing vendors offshore had specific requirements in place around the security of the workplace. In many cases, this meant secured office space, no cell phones, etc. When quarantines hit, and offshore staff could no longer get to the secured office spaces, organizations were forced to decide if they wanted to continue using that vendor without the previously agreed upon controls in place.
As the world's workforce moved remote, organizations that did not have remote access solutions in place were forced to implement one quickly. In some cases, the solutions that were implemented were less ideal from a security standpoint. These "leaky" remote access solutions now present the possibility that data you previously knew to be secure in their datacenter now has the potential to be resident on someone's home PC.
Security: Could you provide tips on how to ensure that the changes that were made as a result of the COVID-19 pandemic will not negatively impact the security posture of many organizations?
Ehret: I believe it is important for TPRM teams to not simply move forward and hope to catch any changes in the next episodic reassessment. Rather, organizations should take stock of the new vendors that maybe did not get the proper level of due diligence in 2020 and make sure that they are assessed properly this year. For low-risk vendors that perhaps are not up for reassessment for another year or two, consider sending a much smaller assessment that might focus on things like remote access. On top of that, rely on the tools that you may have at your disposal, like your continuous monitoring platform, to help you identify vendors that might now be having some security challenges and add those to your review plan this year if they are not already a part of it.