Over the last three years, the use of third-party assessment utility services for cyber use cases has grown in popularity. There are several reasons, including the rise in third-party breaches, increased regulatory guidance, a need to become more efficient, greater client concentration in several leading platforms, and a need to meet stringent delivery timeframes driven by digital transformation and tighter business cycles. In an informal poll of leading financial services clients, there has been a 2X increase in the use of these services over the last year. In conjunction with CyberGRX, this blog identifies several best practices to consider if you are looking to successfully add a third-party utility to your third-party cyber risk program.
Questionnaires and Control
Standardization of content and controls for third-party risk has been a recurring theme. The Shared Assessments SIG, the Cloud Security Alliance CAIQ, and others have attempted to create a more standardized gathering mechanism, but achieving ubiquity has been difficult. Utility services have attempted to create independent standards and also to cross-map to the standards demanded by clients to help meet their regulatory requirements.
In reality, security assessments are commoditized given they all seek to answer the same question, “Does this vendor’s security posture provide the assurance I need to do business with them in a safe and secure fashion?” The foundation of a utility is a standardized question set. This enables the marketplace to meet the needs of both customers and third parties. Allowing a customer to bolt on additional custom questions destroys the integrity of the exchange.
However, there are some real advantages to leveraging a structured data set. Unlike narrative-based answers (e.g., “We have DLP, but only in North America facilities, and we’ve only deployed host-based DLP on about 60% of our machines.”), structured multiple-choice answers allow data analytics to surface key control gaps.
We see three primary drivers for the shift to optimized third-party cyber risk programs:
- Increased regulatory scrutiny
- The explosion in third parties under management due to digital transformation projects
- 60%+ of breaches involve a third party
The common denominator of best-in-class programs is their shift from focusing on the content of the self-assessment questionnaire to focusing on third-party risk management as a whole: the focus is on portfolio risk rather than on individual assessments.
Security assessments are like religion or politics: everyone has their own view and is staunch in their support of it. In reality, security assessments are very similar and seek to accomplish the same mission: does each vendor meet our security maturity standards, and do they pose a risk of exposing our data or intellectual property?
It’s the shift from overthinking the question set to focusing on post-processing at scale that makes the difference.
Another topic that has created challenges for the adoption of third-party utility services is the total number of assessments available in the utility versus those in a client’s vendor register. Historically, there has been an expectation of extremely high vendor density when first signing up, but in most cases the percentage covered in the first year is lower. There has been a lot of work here over the last several years, and different techniques are being used to speed up the collection and validation of evidence to populate the utilities.
This is a good time to make sure we’re differentiating between a security ratings tool and an assessment exchange or utility. A ratings tool leverages outside/in techniques to passively score an entity based on indicators of compromise and external indicators of security posture.
A risk assessment is “behind the firewall” and involves engaging with the vendor to better understand (and validate) that the controls they say exist actually do. A risk assessment is much more in-depth and reliable, but it takes more time than an outside/in ratings scan.
Where things get interesting is when you combine the best of both of these techniques into one platform, enabling both inside-out and outside-in visibility.
It takes the entire community of customers and third parties to make an Exchange concept work. Every time a new customer or third party joins the Exchange, the value for all participants increases. We rarely encounter someone who doesn’t support the utility concept; it’s getting them to accept a standardized set of security questions that gives them pause.
The total cost of running a global Third Party Security Program and the cost optimization benefits brought by third-party utility services have often been debated in the marketplace and, to some degree, are still a challenge. Consumers often complain that operational returns do not justify the investment made. Part of this has to do with how the pipeline of third parties is managed through the assessment and recertification process, and part with the risk appetite of the organization: not every third party needs to be assessed by internal teams and, conversely, not every third party needs to be assessed by utility services. A balanced approach based on risk categorization of third parties leads to a cost-optimized model.
Surveys and our research indicate that it takes an average of 20.5 hours of a third-party risk specialist’s time to get a vendor to complete an assessment and to process the data effectively. This doesn’t count the time the third party spends completing the assessment. One of our clients is assessed over 4,000 times a year, which is a massive waste of time and resources for all involved.
When considering a utility, it is important to realize that not all of your vendors will fit into the model. Most customers have high-risk vendors where a personal relationship is important. We recommend working with a partner like KPMG to establish a personal relationship with these critical vendors. But this isn’t scalable or cost effective as your vendor population grows.
Another value point for a utility is collective bargaining. A small law firm may not have the leverage, budget or ability to perform an assessment on a large, multinational firm. But when leveraging an exchange, the law firm can have access to the same information from its vendors as a large bank.
Freshness and Findings
Another challenge that utility services have worked to overcome is data freshness. Indications are that the half-life of assessment data is decreasing from one year to closer to 3-6 months. It becomes important for utility services to ensure that the collected assessment data, including self-assessment data, is refreshed incrementally as findings change and new data is provided. Threat intelligence can also play a role in determining whether the assessment data is aligned with external changes in the ecosystem.
In the exchange model, we don’t think of assessments as being “updated annually” as in the traditional model. In the case of widely used third parties like payroll providers or cloud providers, many of our customers subscribe to their data and request remediation on certain controls. Once these controls are updated, the entire community benefits. Assessments act more as a data stream and less as a point-in-time assessment, given that we combine breach intelligence, security ratings, open source intelligence and other feeds to ensure accuracy.
Expectation Setting for Success
Success with utilities often takes time to realize, since getting the internal vendor database and the utility service synced can take several months, depending on when an assessment is due and whether there is sufficient density initially. However, setting the appropriate expectations up front ensures long-term success and can make utility services a strong part of your third-party security program.
In addition, consider utility services one part of your larger program and be flexible. Some assessments may need to be done by your own team based on sensitivity and timing, there may be other partners you want to perform certain assessments, and there may be budget considerations.
A utility still requires the work of a skilled security practitioner to make the program a success. In some cases, the vendor will offer an alternative package of evidence such as a SOC 2 report or other certifications. Best-in-class programs require standardized data to drive comparability and benchmarking across their vendor ecosystem. And some vendors will need a nudge from the customer (rather than just from the utility provider).
Leveraging a utility is simply an alternative way to collect security data, one that is much easier, faster and more cost effective than the redundant assessments in the market today. It’s no silver bullet, but the efficiencies for both sides are massive.
This blog was intended to offer some insights into a potential resource for your third-party security efforts. Keep a lookout for other blogs and thought leadership from KPMG and CyberGRX, or reach out anytime to talk about your unique challenges. We are always here to help drive success on your third-party security journey and lead from the front.