CISOs have a diverse array of rapidly evolving priorities, threats, demands, regulatory pressures, and technology changes to address. Leaders need a structured approach to today’s security and risk landscape covering third-party risk. This blog sheds light on fundamental steps, trends, priorities, and actions from a Third Party Risk Management (TPRM) standpoint. Managing the risk inherent in using third-party providers has never been more concerning and important.
Concurrence on the crucial imperatives in your cybersecurity program. Examples:
- Centralizing oversight on third-party risk to decentralize risk decisions. Risk decisions should be best handled with the more risk-averse than risk-tolerant security leadership and not the business heads alone
- The risks and opportunities inherent in AI from Third Party AI Technologies. Organizations are inquisitively exploring and using AI tools without knowing the length and breadth of the ramifications. Being ahead in the race to adopt and use AI, Business decisions can sometimes lead to non-compliance with internal security and privacy standards which should be a red flag. Having said, it’s easier said than done to develop best practices and recommendations in this environment
- Security challenges associated with human behavor Act cohesively realizing minor slips can lead to process disruptions causing delays. Business can sometime make ad-hoc decisions without looping TPRM, Procurement can initiate onboarding without notifying TPRM, Legal can execute contracts assuiming standard contractual language without seeking inputs from TPRM, Legal can extend or terminate contracts as per business requirements without following the offboarding procedures and not looping TPRM
Strategic security vision should reflect the above imperatives as part of the security program
Understand where the organization stands (perceived vs existing to manage third-party risk (maturity level) which will sometimes reveal eye-opening and overwhelming information
TPRM strategy and roadmap should be updated to ensure necessary actions are woven into the overall security program. Understand organization priorities by engaging with all stakeholders to derive feasible, pragmatic, and outcome-oriented actions that make their way into the roadmap
By 2027, 75% of employees will acquire, modify, or create technology outside IT’s visibility – Gartner.
Key trends impacting security & risk management leaders
Changes to cybersecurity decision rights – With the continued surge in the adoption of cloud solutions and emerging tech, organizations should focus on creating or fine-tuning existing processes that give an overall visibility of technology introduced by non-IT functions and business units. A stringent process supported by the top management definitely will set expectations from all stakeholders to adhere to and comply with the strategic decision. Stakeholder visibility becomes crucial to address non-compliance and exceptions.
The security challenges of AI – Although many organizations have adopted AI technologies but still lack an internal framework and standard to streamline the adoption and use of AI technologies. Specific AI requirements should be a part of the minimum baseline security standards (MBSS)
Missing holistic focus on security – In a Gartner survey, 93% of respondents acknowledged that they knew their actions would increase the cybersecurity risks to their organization and they did it anyway. (This lack of practicing security in all the actions and processes by third parties will cost an organization dearly leading to loss of reputation, availability of services, and regulatory fines.) In fact, according to Verizon’s Data Breach Investigations report, 74% of all security breaches included a human element. Even so, and despite security programs focused on end users, most errors leading to a data breach were committed by developers and system admins. These statistics throw light on the gaps in the way security and privacy are enforced and monitored, definitely food for thought. Organizations need to design a program that is flexible to accommodate requirements according to the changing trends of user behavior.
Chart out respective actions
Understand today’s TPRM operating model – Identify the TPRM operating model in your organization – Centralized, De-centralized and hybrid. Key imperatives have profound implications for each building block of the TPRM program, for example:
- Financial – The provisioning of a sufficient budget to facilitate required technology and skilled resources plays a crucial role in seamlessly managing the varying needs of the TPRM program.
- Org reporting – TPRM as a function should have access to the CISO and in some cases (based on the nature of business) to the board enabling top management to make risk-informed decisions and have oversight on the TPRM program.
- Metrics – Statistics derived by implementing KPIs and KRIs to track performance and enable monitoring help in deriving business outcome-driven metrics. Tracking the trends gives insights into ongoing performance and can be a valuable input to strategic forecasting.
- Baseline – Compiling a list of technical, logical, and organizational security controls to create a customized baseline is extremely effective in tiering of third parties and
- Human resources – Understanding the risk implications of legacy, new, and emerging technologies demands constant upskilling so risks (criticality and severity) are identified and addressed. A high degree of interpersonal skills is a must to transform security culture, and behavior and translate technical jargon into business language.
Recognize the impact of emerging technologies and shadow Artificial Intelligence (AI) – New and emerging technologies such as Generative Artificial Intelligence, AI-facilitated healthcare, sustainable technology, Intelligent applications, augmented workforce, Continuous Threat Exposure Management, Internet of Things (IoT), etc., and their security and privacy impact should be factored into the overall TPRM program. These technologies have unique security and privacy requirements that are generally not fulfilled by legacy security controls. These technologies have an expanded attack surface that requires adjustments to existing application security practices. Organizations should learn to defend against emerging attack techniques or even reduce costs.
Evaluate the skill level of the team members, evaluate if the TPRM program can be flexible or scalable enough to handle the sudden surge of vendor rush, identify resources that can be repurposed during exigencies, support from external teams or consultants, and inventorize the shadow AI technologies being used by the stakeholders that are not in the purview of IT and security.
Stakeholder involvement and culture change – All efforts towards spreading awareness and changing security behavior must focus on all stakeholders in the lifecycle of the Third Party Risk Management (TPRM) program. All roles in different capacities that are part of the program should be involved in the program and not just the end users. This objective begins at the top, as leadership is instrumental in driving this behavior and culture change. All the teams involved in the TPRM program, Procurement who front ends third-party onboarding, Legal who works with multiple stakeholders on the contracts, Business units and corporate functions who initiate third-party onboarding, and other functions such as Healthcare, IT, security, life sciences, etc.
