Defining value in Third-Party Security is often challenging for security leaders, but it does not mean that it is not there.
On a daily basis, I am speaking to CIO’s, CISO’s, and 3rd Party Security Managers who are having a hard time articulating whether the output of their third-party security investment is delivering the necessary value to justify its increasing investment. Because third-party security controls do not prevent threats directly, they are hard for some executives to articulate their value. In many cases, programs are able to meet regulatory requirements (which is highly valuable), but have a hard time showing the same value as other security investments like firewalls and intrusion prevention. I do not want to sound negative, but most programs will never provide the level of return desired because they are looked at as a “necessary evil” instead of as a differentiator and business enabler. The key is to offer a maturity roadmap and identify how program improvements reduce risk and improve the business effectively.
The broader question is whether the business is seeing a commensurate reduction in cyber risk across the ecosystem based on its efforts? To answer this question, you need to think about the maturity of the third-party security program, the ability to clearly identify risk, the reduction of risk to the organization based on the third-party security activities, and the use and type of techniques against the cost of these efforts.
Finding and defining ROI for security is generally difficult since the outcome of a successful program is that “nothing happens”. Therefore, we need to look not only at breach metrics and classic security metrics, but also at the maturity of the program and other metrics that help to underscore the risk identification; and improvements to the extended enterprise’s security posture. Understanding the best practices that define a strong third-party security program and benchmarking your organization to your peers is critical to identifying the value equation. If you are not seeing value, you need to isolate whether this is a program related issue or if there are other factors creating this pressure.
Historically, there has not been an excellent barometer to understand the maturity of third-party security programs. There have been some vendor studies, but benchmarking has been difficult. Most of the current studies seem to point to stronger relative maturity in the financial services industry as well as life sciences, but when I speak to the leaders of programs in these communities I often find similar challenges to supposedly less mature industries.
KPMG has recently launched a third-party program assessment and benchmarking service based on a tool called the KPMG Third-party Security Client Program Navigator. This tool was developed utilizing content and maturity models from the Shared Assessment Vendor Risk Management Maturity Model (VRMMM), as well as NIST and ISO. It wraps benchmarking data that is collected in the course of assessments as well as insights and recommendations. The intent of the Navigator is to quickly understand an organization's current third-party security maturity against peer organizations, as well as to provide recommendations to improve that maturity. I see this as a first step to bridging the value divide.
Once you understand the areas that are creating pressure in the program you can start to attack the lower maturity areas. In general, the major challenges facing 3rd party security programs are related to vendor identification, scoping, data collection, organizational authority, training, and resourcing. More mature programs often see better outcomes from their business, are able to show reductions in risk, and are generally meeting the needs of clients, business stakeholders, auditors, and regulators more than less mature programs – and providing better value!
In the next several blogs, we will look to dig into some of these and other challenges in more depth. We will look at the value of assessments, monitoring, automation, and how to bring these areas together to deliver on the future of 3rd party security.