Lost in Translation: Rediscovering the Importance of Communications in Third-Party Risk Management
Every time a high-profile data breach is pinned on third-party cyber risk, it understandably sends a jolt through IT, risk managers’ and C-Level executives’ offices, as these leaders reflexively worry about whether their data or customers will be compromised in this way, next. From the “BlueLeaks” exposure of law enforcement agencies to T-Mobile’s most recent breach notification and a reported ransomware attack at precision manufacturer Visser, supplier to Boeing, SpaceX and Tesla, the headlines are relentless and can make leaders feel like they could be blindsided with a business or reputational crisis at any moment.
Cybersecurity and compliance professionals frequently look first to security controls and processes, given many businesses’ investments in these layered defenses, which is why data breach response and prevention can tend to have a technology-first theme. We crave machine-driven one-and-done fixes that scale. What vulnerabilities were exploited? Is all our data encrypted? Can we adjust our layered security controls to account for more of our supply chain partners’ activity?
These are all valid questions, but unfortunately the extent of third-party and supply chain exposure makes them all but impossible to answer conclusively across companies at scale. Globalization and the rise of technology forces like APIs, cloud and the Internet of Things (IoT) mean third-party relationships are multiplying faster than organizations can recognize them. Today third parties are more than the traditional overseas distributors, parts suppliers or outsourced billing providers - they are a chatbot someone integrates into their Web site, a handy IP stack added for ease of connectivity in IoT devices, or a type of hardware that may not itself be a household name, yet is frequently used by a large brand like Zoom to boost their user experience.
Today’s third-party cyber risk issues are more diverse than any one technology tool can realistically mitigate, meaning risk leaders need more levers to measure and manage the challenge. The most overlooked of these levers is basic communication and dialogue. The hard truth is that risk is always inseparable from relationships in business and cuts both ways: Sure, you might assume greater cyber risk from using a third-party’s code in your product - but maybe there is an existential risk of you being late to a pivotal market if you accept the delay of waiting to build your own code (which will have its own vulnerabilities to find and fix). So what is the best course - how do the parties weigh the risk and make a decision? They have to talk about it.
Sometimes we lose sight of the fact that cyber risk is a shared responsibility. Compliance specs and contract language are necessary and useful, but they cannot make up for any overlooked risks, business impacts or other scenarios organizations may not have taken into consideration. They also cannot claw back files after a breach. If you can justify a partner, supplier or vendor relationship based on a business need, you should be able to speak about the cyber risk issues that may present themselves in that relationship. Here are three recommendations Privva offers to our customers:
Don’t reinvent the wheel
When you talk with business partners about security, resist the urge to invent an entirely new cybersecurity questionnaire or other documentation process for them to fill out and attest to - or else. First, this is likely to be counterproductive because depending on a company’s industry sector there are likely plenty of security assessment and documentation models already available, from authorities like the respected nonprofit Shared Assessments and others. As I have written before, overlooking the proven, peer-reviewed nature of these resources wastes time and other resources no one in this business has to spare.
Just as important - think of your vendors’ perspective: Unless buyers align their overlapping questions to a common framework of documentation, vendors are left in the untenable position of spending outsized cycles on answers and attestations about cyber risk issues instead of on execution. A responsible, capable vendor is going to take protecting your data seriously - because their brand, reputation and customers are on the line, too. Engage them this way and make sure you are not talking past each other when it comes to what you expect.
Prioritize the riskiest parties
We have to stop treating all third-party relationships as equal in terms of risk and impact. One reason managing third-party cyber risk can feel like you're spinning your wheels is the mentality that every contractor and partner could expose the crown jewel data of the company - when in reality, only a small handful of your vendors have access to that data in the first place. Put simply, something you license to ship in a product, integrate into your Web site or trust to process payments is far more critical than providers you might rely on to host virtual events or look after your office facilities.
Risk managers will never have enough colleagues, time or budget to oversee all third-party relationships the same way. Use this truth in candid conversations with all divisions of a company entering into third-party relationships - from HR and facilities to IT and sales. Call on them on a recurring basis to restate the business criticality of these vendor relationships and what they think the data protection stakes are, if any. Not only does creating this kind of cross-functional team help everyone in your organization get all third-party exposure visualized and on the same page, it fosters clear accountability and decision-making around risk-tolerance and oversight.
Make it an ongoing conversation
We live in uncharted territory. There are unforeseen geopolitical conflicts, trade issues, pandemics and pending laws all around the world - to say nothing of prolific cybercrime and other adversaries. Every organization and its network of suppliers and partners are trying to keep flying in formation through this uncertainty, every day.
The criticality of certain partners to your business should dictate how frequently you reach out to them on emerging cyber risks surfacing in the midst of all this, and vice versa. Look at the relationships where the shared stakes are greatest, broach these conversations - and challenge the partner to do the same. Sometimes something as simple as an open door policy helps manage issues in the most efficient manner - whatever it takes to have honest dialogue, instead of the haunting assumptions, blind spots or after-the-fact discoveries that too often dominate breach news cycles. Ask partners not only about specific risks they are seeing in their field - but business, transformation and other trends too. If companies are finding ways to rethink and optimize processes, as partners are often privy to, it’s possible these could be ways to harden workflows, shrink the attack surface and derive other cyber risk gains as a benefit.
If you are shouldering both the upside and the risk of third-party partners, you owe it to your organization to maximize that relationship, too. It should be telling which parties are receptive to this and go all-in on honest dialogue. Seek out and prefer the parties that welcome it, because you cannot have productive relationships without communication, and strong relationships tend to have cultures of organization and shared responsibility around cyber risk.