Historically, self-assessment questionnaires and on-site assessments have been the primary vehicles for identifying 3rd party security risks. This blog will not debate the value of these assessments, but rather why organizations often fail to realize the value of assessments based on internal and external factors, as well as considerations to help mitigate this reality.
The process often starts with an inherent risk questionnaire to determine what services the vendor is providing, figuring out what type of sensitive data access is required, and whether there are any other significant risks. The inherent risk calculation then determines what tier the vendor falls within and what subsequent method of assessment will be used to determine the actual security risks posed by the 3rd party.
I would argue that assessments should be performed across the entire vendor population in order to provide better visibility to protect the organization. However, 3rd parties are often classified, and only high-risk 3rd parties assessed. This has become "best practice" but creates an assessment value paradox. Low-risk vendors are either never assessed or looked at in the future. This tends to happen because of budget constraints, compliance requirements, and the belief that the lower-tier vendors pose an insignificant risk. However, the dynamics of modern business models and data requirements are changing the pace at which low-risk vendors are moving to higher risk tiers creating higher risk without the necessary visibility. Certainly, some businesses will never provide significant risk. Still, business owners are apt to look at existing vendors for additional services and generally will not consider their current tier as a gate for further business.
Also, business owners often underestimate the impact of brand and reputational risks that might get tied to a particular relationship when a security issue arises. Proof of Concepts (POCs) and new development models often start with small projects and lead to significantly larger data access once minimal viable products (MVP) or POC outcomes are met. Often, a reassessment does not occur before moving to the next stage in the project. In these situations, generally, much less is known about the 3rd party's ability to meet the more rigorous security requirements of other tiers. Additionally, they may not have the financial strength, resilience, or scale to meet the organization's needs long term.
We should consider three opportunities to address the assessment value paradox. First, the cost of an assessment must be low enough to justify assessments across the entire population, including those vendors providing free services. Second, we need to determine a model to monitor changes in vendor tiers more dynamically. And third, we need to change the dynamics of vendor use or contracting to deal with tiering drift.
Several issues drive assessment cost up, including requirements for trained and specialized resources, vendor non-compliance, collection time, lack of standardization, and a lack of automation. Although significant investments have been made to reduce these costs, we are still a long way from ubiquitous assessment at an acceptable price for all businesses. However, the use of utility services, AI support models, and continued industry standardization leads the way forward. Examples of these include CyberGRX, KY3P, and Shared Assessments.
Understanding when changes are leading a vendor to cross a tier threshold is generally tricky. It requires either business owners to self-report changes in data access, user access, or scope changes; or tracking mechanisms that allow the security organization to understand whether these changes have occurred based on automation. There are some examples where both of these models have been implemented, but this is far from universal. The move to the cloud and the use of cloud services creates pressure on this already stressful situation. However, as Cloud Access Security Brokers (CASB) and cloud identity providers continue to include data loss prevention (DLP) solutions, it should become easier and more cost-effective to understand changes in data access and use. Allowing monitoring of these changes by the 3rd party security team will help better align these risks.
Lastly, changing the way contracting is done can help mitigate vendor tier drift and underassessment. Grouping engagements and gating data access based on the assessment tier could reduce some of the current challenges. There is also a trend toward vendor rationalization that could help support fewer lower-tier vendors, generally pushing more data to fewer numbers of providers. As long as this does not increase concentration risk to unacceptable levels, these can have a good impact. The downside of these efforts is that innovation often comes from small, nimble firms that experiment but may not have the appropriate controls. Putting additional limitations could reduce data risk but create competitive challenges. There needs to be a balance across these risk and business considerations. As long as they are understood and accounted for, security can help enable better business and competitive vendor selection and access.
The 3rd party assessment value paradox can create situations in which organizations do not fully realize their 3rd party risks and cannot make informed decisions about their vendor relationships. It can also create a situation where leaders face the dilemma of trying to rationalize increasing security spend into an area that does not seem to have the same return as other security areas. Innovation is driving down this paradox and should help eliminate many of these challenges over the next several years. Until then, we will continue to look at the recommendations above and other options, including continuous monitoring, which will be the topic of our next blog.