Third party security continuous assessments and monitoring

Expanding and enriching the use of data within the assessment process

Adam Brand

Advisory Managing Director, Cyber Security Services, KPMG US

+1 312-282-9878

Tom Nash

Director, Cyber Security Services, KPMG US

+1 347-443-5833


There’s one matter on which security professionals, business leaders, and regulators concur: existing approaches to third party (e.g., vendor) security are inadequately suited to high velocity environments. Shortcomings associated with existing approaches have become increasingly visible as the pace of digital change continues to turbocharge across all industries. In this blog, we will explore the challenges facing organizations that rely on traditional third-party security approaches and review a selection of innovative third-party security solutions that industry leaders are currently piloting.

The traditional and predominant method for managing third party security risk is the point-in-time, questionnaire-based assessment. Questionnaires are typically qualitative in nature, focusing on whether security governance structures exist rather than on whether security controls are technically effective. Organizing and executing questionnaire-based assessments is time consuming and labor-intensive; because of this they are typically conducted on one- to three-year cycles. This method worked satisfactorily when major technology changes occurred on that same, infrequent cycle. However, it is now more common for third parties to have embedded agility into their core technology operations, and for newer organizations, which often have no legacy systems, to transform rapidly. Rapid technological change within third parties means that traditional infrequent assessments can become outdated almost as soon as they are completed. Latency has become the primary challenge to questionnaire-based assessments.

Top challenges with existing third party security solutions:

  • Point-in-time reviews don’t capture changes to the environment/risk.
  • Questionnaires typically focus on the existence of governance infrastructure and not on the technical efficacy of controls.
  • Inconsistent adoption of shared assessment solutions.
  • Slow integration of security ratings.
  • Business need to decrease time to onboard new vendors.
  • Extended supply chain risk (e.g., 4th party).
  • Lack of integrated process automation.

Similarly, there are shortcomings to the more recently emerged third party security shared assessment (“utility”) solutions. While those solutions have a key benefit in the form of a reduced cost burden and faster turnaround, latency between the assessment timeframe and a third party’s current technical environment remains a key challenge. In addition, these utility solutions do not easily accommodate divergent risk appetites/business relationships among customers (for example, customers may have different requirements for critical patching timeframes). Furthermore, utility solutions do not have complete coverage of third party portfolios, meaning that customers are typically forced to subscribe to multiple utility solutions or deal with assessment timeframes more consistent with bespoke assessments.

Security ratings services typically leverage externally accessible security information from third party Internet perimeter scanning and other “open source” intelligence methods. They have helped somewhat to reduce the latency issue, but bring their own challenges. Specifically, risk measurement is highly dependent on risks being externally visible (i.e., on an Internet-facing system versus an internal system) and there is often no link between the findings provided and the service being delivered to a particular customer. For example, such a solution may present a third party as higher risk because that third party has an expired secure sockets layer (SSL) certificate on an old marketing website, where the customer of that third party may be receiving unrelated backend call center services that are on a separate infrastructure. As such, accuracy of attribution is a significant issue for users of open source intelligence methods.

The rapid pace with which businesses add and remove third party relationships results in another layer of complexity for third party security teams to contend with. Third party security teams that cannot support rapid on- and off-boarding of vendors inhibit the business from realizing a competitive advantage through first-mover partnerships and accelerating innovation. In some circumstances, this can result in a disinclination of business stakeholders to procure through authorized channels, and with that the emergence of shadow IT. At other times, it promotes risk acceptance over risk remediation – especially when the business has already contracted with the third party.

Many organizations have adopted a “throw bodies at it” solution through increasing funding for third party security questionnaire-based assessments. This funding has resulted in significant increases in the aggregate assessment volume, and larger organizations now have teams comprising numerous assessors. With very low levels of automation this has created a very costly war for talent. Increased funding on its own is unsustainable and does little to address the structural challenge presented by the extreme speed of business and technology change vs. the still relatively infrequent assessments.

The path forward through strategic innovation

Organizations that have seen successes in reducing the burden of third party security questionnaire-based assessments have innovated around the following areas:

  1. Right-size the third party security program based on threat and risk: Leaders in third party security have invested in developing dynamic third party security risk engines. These engines facilitate the computation of risk tiering based on a diverse set of threat intelligence sources, including threat intelligence feeds, reported incidents databases, anomalous entity activity patterns, and adversarial forum scanning. Enhancing data analytics to compute a derived risk enables leaders to “right-size” their risk treatment activities. This drives performance improvement through prioritizing resources based on risk.
  2. Move towards a continuous assessments and monitoring model for third party security: The KPMG vision for the future of third party security lies in the Continuous Assessments and Monitoring (“CAM”) model. In this context, the future of third party security is proactive, streamlined, and risk-based. The KPMG model for CAM moves beyond the traditional approach of point-in-time questionnaires and external information sources, enabling flexibility, scalability, and automation. Ultimately, CAM instills the confidence necessary to facilitate deeper network integration into client environments, driving tighter coupling and profitable growth via partnership. More information on the KPMG continuous assessments and monitoring model is available here.

Where to kick off?

The recommended approach for embarking on third party security innovation is to commence with a proof of concept, to demonstrate the art of the possible – and its power – to your organization. Using this as a platform, you can deepen the specificity of the problem statement you face and the business case for change. This will build the momentum required to launch your organization into an innovative and leading-edge third party security transformation.

Some or all of the services described herein may not be permissible for KPMG audit clients and their affiliates or related entities.