103. The Future of Third Party Cyber Risk with Alla Valente
Following the success of our recent webinar, Claire is joined again by Alla Valente. This time they discuss the role of procurement, talk about supply chain risk as an enterprise-wide risk and discuss who might own this risk. They cover how businesses are struggling to give third parties limited access to data and systems, and the flow-on effects of managing the right level of access to get the job done.
Alla Valente is a senior analyst at Forrester serving security and risk professionals. She covers GRC, third-party risk (TPRM), supply chain risk (SCRM), and contract lifecycle management (CLM) strategy, best practices, and technology. Her research includes coverage of key regulatory compliance issues; risk management, ethics, and trust in digital transformation; and operational resilience. In this role, she helps Forrester clients build and mature comprehensive programs that maximise business opportunity and performance while minimising risk and protecting the organisation’s brand.
The Security Collective podcast is proudly brought to you in partnership with LastPass, the leading password manager.
Transcript
Hello, I'm Claire Pales, and welcome to The Security Collective podcast. Today's episode was a little bit special as I recorded it live in person in New York City a few weeks back with Alla Valente. Now her name might be familiar to you if you're a regular listener of the podcast, because Alla joined Vijay Krishnan and me a few episodes back in the live webinar. But because concerns regarding third party risks are ever increasing, I had a few more things I wanted to ask her, so when the opportunity came to meet her face to face, I jumped at it. Alla and I dive deeper on the role of procurement, and we talk about supply chain risk as an enterprise-wide risk. We also discuss who might own this risk. We cover how businesses are struggling to give third parties limited access to data and systems, and the flow-on effects of managing the right level of access to get the job done. A big thanks to those of you who sent me questions on this topic that I could raise in conversation with Alla; it was much appreciated. So please welcome Alla back to the podcast and enjoy our deep dive on third party risk.
CP: So Alla, it is great to have you back on The Security Collective today.
AV: Thank you so much, Claire. It's my pleasure to be here again.
CP: So I want to pick up where we left off from the webinar. What we were able to cover with the webinar was high level advice, really, for organisations around third party, and I wanted to dive a little bit deeper today into some of these topics. So we're going to cover third party risk again, and GRC. But this time, for those that listened to the webinar, we're going to get a little bit deeper. So I wanted to start by talking about third party risk from an enterprise perspective. And I'm just wondering your take on whether you think we're getting to the point where third party risk is becoming an enterprise risk or strategic risk? And is it going on to the risk registers for organisations?
AV: That's a great question. The good news is, we're already there. Third party risk is absolutely both an enterprise risk and a strategic risk. In fact, when I think about enterprise risk today, it's almost this three-legged stool. On the one hand, you have all of the risk inside of your enterprise. And that's where organisations have the most control to be able to manage those risks. But then you have this entire ecosystem of partners, vendors, suppliers, counterparties, affiliates, etc. Your own firm's success is dependent on the success of this ecosystem. But it's not just those two factors, because there is a third part to all of this, which is systemic risks. So all of those external forces that are acting on and shaping the world of business, and really just globally influencing businesses as a whole. These are things like geopolitical risk, climate risks, we see the rise of values-based consumers, we see things like data integrity becoming much more important. So all of these externalities, and your own enterprise risks and your ecosystem risks are something that all organisations need to balance, and you have to keep all three balls in the air at the same time. But when I say that we're already there, organisations are viewing third party risk as an enterprise risk, just not enough of them. Which is a bit coincidental, because when we ask enterprise risk decision makers what some of their business goals are, strategically speaking, we hear about goals like we want to be able to leverage data for better decision making, we want to shift to a digital business, we want to enhance our response to changes in the market and in our own business. Well, that's great, except all of those goals require the partnership of third parties. So on the one hand, you need and rely on third parties to achieve your goals.
On the other hand, when we asked those same folks, considering the potential impact to your firm, what are the risks, or what are the primary concerns for risk today, only 20% said that third party risk was something that they are very concerned about. So we see this type of imbalance there. Which brings me to the second part of your question about risk registers, and they come in all sorts of flavours. There are some more mature organisations that are really looking at what are the top risks that impact their organisation as a whole strategically, from a growth perspective, from a reputational perspective, and maybe they have a list of the top 100 or the top 50. And absolutely third party risk is on that list. And then there are organisations that have this Excel spreadsheet, almost a laundry list of all of these incidents and issues, and they call it a risk register, except it's not really that. So you know, I think the bottom line is third party risk is really important. Not enough organisations realise that yet, but for those that do, they're prioritising managing risk in their third party ecosystem.
CP: One of the things that concerns me a lot about these Excel spreadsheets, or even the companies that are using a proper risk management tool is a complete lack of ownership at that enterprise level. So for those that are managing to put it onto a risk register, who would own it at an enterprise level? Some would say it would be procurement, but I think if you give it to procurement that can skew it and probably skew it towards the official supply chain, rather than on this broader enterprise wide third party list of partners or distributors. And in your opinion, is there an enterprise wide owner for supply chain risk?
AV: Well, there's no consistent owner, but what I'll say is that we see that more organisations today have a dedicated team for third party risk. However, risk management of the third party ecosystem is still very much a team effort. So when we think about the third party lifecycle, it touches so many other business areas. You have sourcing and procurement, you have legal, security, risk and compliance, you have business owners, and all of them are interacting with these third party relationships. And it's easy to assume that since everyone is playing some sort of role, they're also doing risk management, which is not the reality. In fact, when multiple teams are responsible, but there isn't any single team that's accountable, governance goes by the wayside; it's inconsistent, sometimes it's non-existent. And then there really isn't any accountability for managing risk of third parties. You know, for those organisations that do have third party risk on their risk register as an enterprise risk, those are also the same firms that are dedicating teams and ownership to managing this issue.
CP: And so for the companies that aren't dedicating ownership, and who maybe don't even have this highlighted as a risk, what do you think it's going to take for these organisations to actually put it on the risk register, considering that cyber is potentially a small part of third party risk, as we discussed on the podcast? There's operational risk, reputational risk, regulatory, financial, all of these things that could actually be realised outside of cyber threat through relying on third parties. What will it take for organisations to recognise that third party or supply chain risk is actually an enterprise-wide concern?
AV: I would love to say that there will be some sort of event that will make everyone take notice and change their ways. That's not reality. What it will take is some sort of regulation. Different countries already have some regulations around third parties, but there isn't anything that's consistent. Certainly here in the US, there are certain industries that have more regulation around it, other industries not as much. Having that type of federal requirement will ensure that organisations aren't only allocating resources to this, but have dedicated budget and make it a priority from an enterprise risk perspective.
CP: Do you see that in many cases, at the moment, it's only the cyber team that's even considering evaluating the nature of the third party relationships?
AV: Yes. For a lot of organisations, it's cyber, and then maybe there's some sort of screening that happens from the procurement organisation. So for example, perhaps procurement might do some sort of financial viability assessment, they might do a check, maybe a screening of whether the third party is on some sort of sanctions list or something, to get them through procurement into the contracting phase. But then when it comes to provisioning these third parties, they punt it over to information security and say, here you go, we've already selected this vendor or supplier, we've already contracted with them, we now need to provision them, because every day that goes by and they don't have access, we're paying for a contract that we're not getting value out of. So let's hurry up and just get this done. Except that's not even being done consistently. Because we see that there are very few organisations, I mean, less than 5% of organisations, that are assessing ALL of their third parties. The vast majority are somewhere between about 25 to about 65%. And then we have organisations that say, look, we're only assessing the ones that you tell us are critical, the ones you're asking us to, because maybe it's the size of the contract that makes it impactful. So there's no consistency by which these third parties are vetted. We know that very, very few organisations are actually assessing all of their third parties. And then when it comes to security trying to assess them so they can get onboarded, the volume is so great that most firms are more concerned about getting it done quickly than getting it done right, than having the depth of analysis. And when it comes to continuous monitoring, right, so okay, we've assessed, we've provisioned, what happens six months from now, one year from now, two years from now? Not enough organisations are continuing to reassess and then monitor any changes in that third party.
CP: I mean, that's a really good point around provisioning, because so many businesses are struggling to give third parties the right level of access to the data they need, and nothing more. There's a lot of trust being placed in third parties to stay in their lane, and increased risk that sensitive data could be exposed to unauthorised people within those third parties. What are your reflections on this? Because networks can be very open, and they can also be put in a position where third parties are provisioned based on profiles that may not necessarily suit what they are there to do. What are your thoughts?
AV: So I have a Forrester colleague who famously says that hope is not a strategy and trust is not a control. Even those organisations that are now starting to adopt a zero trust model for their own enterprise security don't necessarily apply those same zero trust principles to their third parties. So you're absolutely right. You get profiles and these roles that, you know, hopefully, are a one-size-fits-most, and you have third parties that are getting access to data or applications that they don't necessarily need in order to execute on that particular contract. But it's not just about giving them access, it's also about having the visibility into: are they accessing that data? What are they accessing? How often are they accessing it? The other aspect of this provisioning question is, okay, fine, you know, you've provisioned this third party, and maybe they're only accessing the areas that they need. But what about security controls, right? Are you continuing to monitor those controls? Can you see whether a control has failed? You know, we're very good at auditing controls annually, in hindsight. And even though there's such a wealth of different technologies that will help you monitor controls in real time, not enough organisations are leveraging that and setting up their own thresholds to say, look, this is what we feel is normal. Anything outside of this is a deviation. We want to be notified when something exceeds that type of deviation. If we were able to monitor usage and monitor controls, then the provisioning question would be, well, it would still be an issue, but it wouldn't cause organisations as many headaches as it does now.
CP: So if we take this up a level and we think about the cybersecurity landscape over the last few years, and think about how many organisations have been very publicly exposed, not just through the media, but literally through the fact that, through their cyber incidents, communities have stopped. Like if we think about Colonial Pipeline, which just gets wheeled out all the time, I know. But Colonial Pipeline, SolarWinds, a huge list. Do you think organisations are looking at these recent events and seeing them as an opportunity to get better at cyber risk management? To get better at the things we've just been talking about around better provisioning, better access, better zero trust policies? What are people doing with this information, learning from other people's misfortune?
AV: Yes and no. There are some organisations that absolutely will use the events that are happening and ask themselves: could this have happened to us? And if the answer is yes, they will then start to think about changing their processes and their policies to be able to prevent that risk. And then you have the vast majority that look at these events in the news and say, oh, yes, but that's not in my industry. That's not in my geography, we're a different type of business. Oh, well, this one thing that the reporters are saying was the root cause of this one incident, that could never happen to us. And that type of optimism bias, it's not helpful, and it could actually be quite dangerous. I like to think of this as the one-in-100-year flood, right. You know, the moment there is some sort of very significant event, everyone becomes a statistician. They think that, well, if this is some sort of Black Swan, or if this only happens once in 100 years, then I have a good 99 years before I have to actually think about it! What they're not factoring for is that the events, the circumstances that created that significant event in the first place, are continuing to shape businesses. So for example, if this is an event that was triggered by maybe geopolitical tensions creating additional cyber threats, that's still continuing to happen. Maybe if we're talking about an event where suppliers, vendors, those are becoming the low-hanging fruit, instead of hackers working harder, they're working smarter. And quite honestly, can we blame them? Rather than going after a very large organisation that has invested in technologies, has these processes, is monitoring their controls, instead, they're going to get in by climbing, you know, through a side window, right.
They're going to go after their vendors and suppliers. Many of them are smaller organisations, they don't have the same controls, they don't have the same technologies, they don't even have the same processes to identify and mitigate third party risk. So those events are continuing to happen. For firms to say it couldn't happen to us, they're not paying attention. All they're doing is dodging bullets. But at some point, all those bullets are going to come from many directions, and they're going to hit their target. There's a reason why we say there are two types of companies: those who have been breached, and those who don't know they've been breached. You know, this is a real opportunity for organisations to just pause, re-evaluate the effectiveness of what they have, and do better. But not enough organisations are taking that opportunity.
CP: So when it comes to taking learnings from what other organisations have been through, it's one thing to reflect: could this happen to us? Or, you know, even if it was a slightly different root cause, how would we respond? You know, those types of questions are one thing, but actually applying the learnings from other incidents? How are you seeing organisations do that well?
AV: That's a great question. How are organisations doing that well? Well, I wish I could say that more organisations were doing this well, but the ones who are continuing to be successful in third party risk have a few things in common. One is they make third party risk management a priority, not just a risk priority, but a business imperative. They understand that their own success and growth depends on their ability to mitigate risk, especially in the third party ecosystem. They also understand that they need to have a framework and a governance structure. So those are the ones that have dedicated teams that are looking at third party risk management. They invest in multiple tools; there is no one technology that's going to help you manage third party risk. And to your earlier point, Claire, yes, cybersecurity is one area of third party risk. But I mean, there's privacy and there's business continuity, there's operational risk, there's financial risk, there's reputational risk, and all of those are part of the broader third party risk management lifecycle. Those organisations that are not stopping at cybersecurity, but going further to evaluate their partners across all of those domains, they're much better at not only identifying potential risks in enough time to be able to do something about them, but they're also able to make adjustments and pivot so that when an event does happen, they can recover quicker. And they're using risk management as a competitive advantage. Because if you look at all of the other competitors in their market, products these days are highly commoditised. They're similar. They have similar capabilities and features. But when we think about what consumers want, and also what other businesses are looking for, the ability to protect and manage security becomes this type of differentiator.
So when we think about two competing products, if they're not competing on innovation, and they're not competing on price, then they're definitely competing on their ability to secure and protect. And third party risk management, or risk management in general, becomes that competitive advantage.
CP: I want to come back to something you said earlier, and sort of anchor it a little bit to what you were just saying around, you know, products not necessarily being different. There are some companies out there who use third party assurance services. And what I want to come back to that you said earlier was, you know, doing it quick instead of necessarily doing it right, and many companies are pumping these third party questionnaires through and the teams are suffering through, you know, this compliance process. But in order to get that done, some organisations are relying on third party assurance services, where they can use a previously validated risk assessment. So, one assessment is done, and then it's offered to many companies to say, here's a baseline. Is doing that better than not risk assessing a company at all? And I ask because my concern is that every organisation's risk profile is different. Maturity is different, both risk maturity and general organisational maturity. So if you take a stock standard risk assessment that's been done by an organisation and try and apply it to many different businesses, is that enough? And is it better than nothing?
AV: Well, it's absolutely better than nothing. So this almost crowdsourcing approach to vetting third parties is something that's gaining a lot of momentum, and we see it play out in a couple of different ways. One is you have these collectives that are gathering these previously answered questionnaires. And they have this library of questions and responses that you can tap into to help feed your own risk assessment questionnaire. Then others are taking it even one step further, where you can hire these organisations to do what they call enhanced due diligence. So if you want a complete third party assessment on a vendor or supplier that you believe is very critical, but also probably complex in nature, you could also hire them to do that as a service. And both are gaining momentum in the market, because there is such a large volume of third parties to try and assess. Now let's talk about some of the limitations of doing this type of crowdsourcing: you get responses to questions that were previously asked. And these are standard questionnaires. So whether you're referring to the SIG or a different type of questionnaire, you're limited to just the questions in that questionnaire. And as you rightly pointed out, many organisations have their own questions, their own custom questions that they add on to it. I think what organisations need to understand is that by leveraging these types of collectives, you're not starting a risk assessment from scratch. The responses that are available might satisfy 25% of the questions you have, they might even satisfy 50% of the questions that you have. But what companies need to understand is that there's still the other 50% that needs to be answered. Maybe because you have questions that aren't being addressed in those standard questionnaires. Maybe you have follow-up questions, because that's what your protocol is. So absolutely, there is value in crowdsourcing this information.
It's definitely better than not doing anything, but it's not going to get you 100% of the way there, and there's still work that needs to be done.
CP: I want to wrap up by asking you what the future holds in this space. And you mentioned at the start, third party risk is not going anywhere, because third parties aren't going anywhere. And certainly through the pandemic, we've seen more and more organisations relying on third parties in order to get to market. What's on the horizon? Where is all of this going when it comes to supply chain risk? Is this the new ransomware? Is this where people need to start focusing? Where most organisations have been watching ransomware for two years, is supply chain risk the up-and-comer that's been coming for a decade? Or, you know, what do you see as sort of the next phase of this?
AV: Well, third party risk is not going anywhere. And the types of attacks will change, the ways in which hackers will try and infiltrate third parties will continue to evolve. But it's just too lucrative to stop cold turkey. Even if we do get regulations that are somewhat prescriptive, that talk about not only what the outcome should be, but also an approach to getting there, we will still see third party breaches, attacks, ransomware, other types of infiltration, hopefully at a much lower rate. So we're never going to be able to get third party risk down to zero. And this is something that organisations are going to have to just continue to manage as part of their enterprise risk management. Hopefully, there'll be some muscle memory that is gained by going through an effective third party risk management process. Hopefully, we can improve our technologies, our visibility, quicker than bad actors are continuing to evolve what they're doing. But this is something that is becoming, and will continue to be, part of doing business.
CP: Alla, a massive thanks to you for joining me again today. And I know that the audience will get a lot from today's conversation and reflect and relate to what we've been talking about. So thank you so much. And thank you also for joining me in person to record The Security Collective. We haven't done this for a couple of years now, for obvious reasons, as you couldn't get in front of people. But a very big thanks to you for sharing your wisdom on third party risks with The Security Collective today.
AV: Thank you so much. It was my pleasure.