Dark Reading, Brandon Dobrec, March 28, 2019
How much do you trust your vendors? You don’t have to hook them up to a polygraph machine because there are better ways to establish trust.
Companies are increasingly dependent upon third parties to support key factors of their operations — from accounting or HR functions to building maintenance and landscaping. However, these relationships can also expose companies to cybersecurity risks based on the cybersecurity posture of the third parties. According to the Ponemon Institute, 56% of organizations have experienced a data breach caused by a third-party vendor, and 42% have suffered a data breach caused by an attack on one of their third parties.
In thinking about third-party risk management, I realized that one popular movie series — the Meet the Parents series, starring Robert De Niro and Ben Stiller — teaches us some valuable lessons.
Establish Your “Circle of Trust”
While in Meet the Parents the Circle of Trust referred to specific people, a company’s Circle of Trust should actually be constructed of multiple factors — and potentially multiple circles. This goes far beyond simply signing contracts with cybersecurity language; it involves continuous steps to ensure your partner is actually doing what they say they are (more about that below).
Specific focus areas for establishing your Third-Party Circle of Trust include: identifying the data and systems to which each third party will need access, establishing the level of cyber-risk your company is willing to accept, determining each partner’s cybersecurity practices and how they are enforced, and setting a baseline for continuous partner monitoring.
Trust in Processes, but Verify Continuously
In the first movie, De Niro’s character, Jack Byrnes, subjects his daughter’s fiancé, Greg Focker (played by Stiller), to an over-the-top polygraph test. The funny scene ultimately shows the counterproductive reliance on one-time audits or assessments of third-party partners: summoning partners to periodic questionnaires, interviews, audits, or other scrutiny might look intimidating, but the movie shows us that for all its good intentions, you can’t rely on these traditional methods to fully mitigate cyber-risks (even if your interview questions are much less awkward!).
We’re seeing an encouraging shift within contract negotiations that is bringing cybersecurity into the discussion earlier and adding lengthy, security-focused addenda to these contracts. While adding cybersecurity to the contract is a good step, it is critical to follow through on these contracts and verify that the partner is actually complying with the agreed-upon cybersecurity requirements.
I’m Watching You
After determining that a third-party vendor has acceptable-or-better cybersecurity policies and practices and establishing a relationship, it is incumbent upon you to reinforce protection through continuous monitoring. While you do not need to be quite as invasive as De Niro’s Byrnes, you should have eyes on your partners 24/7/365 with technologies sending real-time alerts if something is amiss.
Even (Over)protective Security Pros Seldom Make the Final Decision
The humor of the Meet the Parents franchise is that when two people meet and fall in love, it’s the integrity, compassion, and relationship between them that matters most — yet parents, friends, and other “advisers” tend to offer a lot of advice. This is well intended (we all love to have people we can trust to look out on our behalf or confide in), but again, it can be counterproductive when advice is subjective and poorly reasoned and, frankly, concerns a decision that is ultimately outside their purview.
The nature of business partnerships is different from personal relationships, but both hinge on trust, transparency, and embracing an opportunity for both parties, together. No one can ever seriously promise that bad things will not happen, but if the integrity and shared stakes truly matter, all sides do their part to realize the benefits. This is where security pros need to play the role of the “grounded friend” or “loving parents” we all trust.
As cyber-risk managers, we should anticipate the factors framing a prospective business relationship, respectfully speak up about the risks that exist, be available for in-depth conversations, and do our duty to make sure the right questions and variables are being asked and weighed, respectively — and then accept that a decision is going to be made whether we agree, or not.
No one needs a “Jack Byrnes” flying around the world to polygraph suppliers. A better strategy is to embed cyber-risk conversations deeper in every part of the third-party partner life cycle, so that security pros feel empowered enough not to overreach — and executive “suitors” can be armed with the facts and leeway necessary to manage their relationships.