Insight

The changing third-party ecosystem

Defining a new approach towards third-party security

Jonathan Dambrot

Principal, Cyber Security Services, KPMG U.S.

The term "ecosystem" gets thrown around a lot. One definition of an ecosystem is 'any system or network of interconnected parts', and in practice it can cover any system, provider, network component, container, cloud service, SaaS software, IoT, OT, consultant, developer or any other interconnected part involved in delivering goods and services.

The new ecosystem changes the way we need to think about innovation, threats and mitigations.

At one level, each organization's partner ecosystem uniquely supports its mission. From a macro view, however, these ecosystems start to converge, because they are all built on the same foundational elements. The focus here will be on the micro-ecosystem of suppliers, partners and affiliates that defines an extended enterprise — the unique combination of third parties, partners and affiliates used to support a business, which introduces specific opportunities and risks.

These ecosystems are growing in importance for CEOs across the globe, particularly since the pandemic. The recent KPMG 2020 CEO Outlook: COVID-19 Special Edition reported that supply chain risk has risen to one of the top two risks to organizational growth. The new reality has made us all realize how much we rely on complex ecosystems to meet customer demands. With that realization comes the pressure to embed resilience while still being able to 'offer the agility to pivot to new opportunities.' New techniques are becoming necessary to address these challenges and to build relationships and trust in a very different business environment.

Historically, organizations could "touch" their infrastructure, "build" their software, and even talk to the teams working on the systems. Organizations felt some level of control and had a sense that they could direct their teams' work, and potentially that of their suppliers. As business needs required faster innovation and lower costs, leaders started outsourcing "non-core" business functions, including infrastructure management, software development and systems hosting.

More recently, the core business function has largely narrowed to strategy, design and sales. Almost everything else has been outsourced or moved to digital infrastructure. These new digitally enabled, open innovation models create levels of abstraction that make it more challenging to understand and manage the third-party ecosystems supporting the business.

In the past, these relationships were managed via contracts, and companies were able to differentiate one relationship from another. As many have outsourced their infrastructure to the cloud or other providers and started using open source, open innovation and other shared, software-delivered infrastructure components — it has become unclear where one relationship starts and another ends.

The threats and risks in this model are also significantly different. An incident at one supplier can now mean a loss of service, integrity or data for clients both upstream and downstream. These data supply chain dependencies mean we need to aggressively understand connectivity, data sharing and the overall relationship with partners in the ecosystem. It also means organizations need to consider how to better understand the level of data sharing between business owners and the suppliers they use to perform their work. KPMG professionals (and regulators) are now having more conversations about 4th-party and concentration risk because of these realities. Findings from the KPMG Third-Party Risk Management Outlook 2020 highlight that 72 percent of businesses indicate they urgently need to improve how they assess 4th parties.

To keep up, assessment technology, techniques and frequency also need to change. Point-in-time assessments and annual monitoring are suitable for controls that don't change regularly (like individual policies), but they aren't sufficient for security controls in new digital ecosystems that change daily. To keep pace, organizations need to consider innovations using advanced machine learning and AI models that can more rapidly adjust and learn how the ecosystem performs. This learning can help determine whether digital services meet client demands and can surface digital supply chain threats before they impact the production ecosystem.

Methodologies that can better scope assessments, provide more continuous data and monitor the controls that are critical to the proper functioning of the service should also be considered. However, our Third-Party Risk Management Outlook 2020 reported that only 26 percent of businesses believe they have all the data needed to carry out the assessments required. Also, 37 percent indicate that technical barriers, such as incompatible systems, were the main obstacles preventing third-party data sharing across the enterprise. The new third-party risk assessment model requires new technologies that can ingest, process and learn from internal and vendor data and systems. Until the ecosystem starts to build security visibility, remediation and resiliency into the open innovation model itself, it won't be easy to move at the speed necessary to solve these challenges. Fortunately, innovations in continuous controls monitoring and threat intelligence have opened new doorways for businesses to address these challenges.

This new ecosystem-driven cyber environment will likely require improved legal and regulatory frameworks that reduce the agency considerations that often lead to lower visibility and increased liability. Several federal governments have started to break down the silos that have hindered speed in cyber adoption and visibility. Building machine readability, shareability and risk-driven models into our assessments is also beginning to help here. Organizations should look to some of these models commercially and enable better ecosystem frameworks to support interoperability, reduced liability and lower regulatory hurdles in meeting security objectives.

The traditional approaches to third-party assurance are no longer fit for purpose in the new ecosystem. Thinking should evolve to match today's fast-paced and interdependent world.