The recent spate of widely reported supply chain cyberattacks has shone fresh light on the role that third-party security leaders play in protecting their organizations. Increasingly, organizations are centering third-party security teams at the core of their cyber programs and investing heavily in maturing their third-party security capability. This begs the question: as the remit of third-party security leaders expands, should organizations create Third-Party Information Security Officer (“TP-ISO”) roles?
The creation of Third-Party Information Security Officers entails more than just a semantics shift. Through elevating them to peer equivalents of Business Information Security Officers, they become empowered to take on a more strategic role in their organization. The TP-ISO role would be to guide, consult, and partner with technology and business leadership. This would enable both a ‘shift left’ and a ‘shift right’ in the role security plays during the third-party life cycle.
In this context, shifting left refers to the practice of bringing forward issue identification and issue prevention in third-party lifecycles. This would require a reorganization of the nexus between security and procurement and entail involving the TP-ISO long in advance of the third-party due diligence process. As an example, TP-ISOs would have a role in establishing third-party use and third-party selection strategies. In this way, TP-ISOs could input on decisions related to outsourcing, cloud transformation, software acquisition, and so on.
Conversely, shifting right refers to the practice of performing issue identification and issue prevention activities after forming a contractual relationship. This addresses the reality that processes and technologies are dynamic – meaning that risk profiles evolve on a continuous basis. Third-party security reviews would move from pre-contractual or cyclical due diligence to an ongoing process. Security monitoring, either via security ratings monitoring or third-party security continuous assessments and monitoring would move to the core of third-party risk analytics (refer to our blog here). Throughout the contractual period, TP-ISOs would be empowered with the authority to limit, pause, or terminate third-party relationships.
The move to deepen the connectivity between security organizations and an organization’s third parties would help businesses react more expeditiously to a supply chain security incident. Acting in partnership, TP-ISOs could coordinate activities between third-party relationship owners and cybersecurity incident response teams. This trend has already begun. At a recent third-party security roundtable hosted by KPMG, participants were near-unanimous (86%) in asserting that their management has requested them to take on a greater security incident response role pursuant to the recent supply chain cyberattacks.
Appointing a TP-ISO would also add resource talent to expand the focus of the third-party security team beyond traditional ‘managed’ third parties. ‘Non-managed’ third parties are those that an organization does not have a contractual right to assess, and include governmental organizations, trade associations, fourth/nth parties, and BYOD technologies. All these third-party categories present a significant risk to organizations but are typically omitted from third-party security programs – even though there are various controls that can be developed to mitigate the risk.
Ultimately, closer alignment between business, technology, and security strategies would facilitate increased velocity and agility across third-party processes. This would enable organizations to seize an emerging growth opportunity: as businesses become more dependent on their ecosystems, getting third-party security rights is a critical source of competitive advantage.