According to a recent global study by BlueVoyant and Opinion Matters of 1,500 CISOs, CIOs, and CPOs, 29 percent say they have no way of knowing whether cyber risk emerges in a third-party vendor, and only 22.5 percent say they monitor their entire supply chain.
Without this key insight into their vendors, it’s no wonder that CISOs find third-party cyber risk management unwieldy. Unknowable risks and unforeseeable attacks on the supply-chain and value-chain continue to shift the risk landscape.
Organisations are hungry for visibility into third-party cyber threats. They must intertwine compliance controls with new and evolving regulations that impact these vendors as an integral piece of Cybersecurity Program Management (CPM).
Challenges to IT Compliance and Third-Party Cyber Risk Management
The challenge of IT compliance is ever-growing in both volume and complexity. Standards, regulations and enforcement are changing, and so is the business itself. The CISO’s role is expanding: it now spreads beyond monitoring for risks and threats to include maintaining oversight of high-value assets, policies, training validation and control ratings.
While all this is happening, the IT landscape is constantly developing. Employees spin in and out of a revolving door. Processes are continuously evolving. A growing reliance on third parties and outsourcing arrangements makes it increasingly necessary that organisations have agile IT compliance processes to mitigate emerging cyber risk. The CISO must take care that controls extend beyond the organisation to third parties and Nth parties so that vulnerabilities don’t lead to breaches.
These are the most significant challenges facing IT compliance today:
- Third-party relationships and a growing reliance on information and technology
- Detecting, communicating and managing changes to the business and regulatory environment
- Moving away from checkbox compliance focused on point-in-time assessments to continuous compliance monitoring
Organisations apply contracts, SLAs and audits to ensure that vendors mirror their efforts in securing their data. But if due diligence in vetting these parties is lacking, cybercriminals can breach one of those vendors to make their way to the target organisation’s data. To prevent this, the organisation must confirm controls across all parties in the supply chain.
According to Gartner, 52% of legal and compliance leaders are concerned about third-party cybersecurity risks since COVID-19. CISOs must address risks that the pandemic has introduced or exacerbated. The sharp transition to working from home, for example, presents cyber threats for third parties that are inexperienced in securing home offices, and those risks extend to the organisations they serve. A vendor’s lack of controls can translate into regulatory sanctions for the organisation after a security event.
To intensify this threat, a sea change in insidious supply-chain attacks is underway. Most notably, the recent SolarWinds hack illustrates the difficulty of gaining visibility into evolving third-party risks. SolarWinds’ customer FireEye only discovered the breach after cybercriminals stole their cybersecurity tools, and they’re a cybersecurity vendor! If they can’t mitigate the risk, how can any vendor establish reliable controls to maintain regulatory compliance?
Aligning Cybersecurity Tools with Risks, Controls and Regulations
Robust third-party cyber risk management is integral to CPM. The right CPM tools will identify third-party cyber risks that can entangle the organisation in regulatory fines and sanctions. HIPAA/HITECH, GLBA, Dodd-Frank, and the PCI-DSS ultimately adapt as unknown third-party cyber risks increase in likelihood and severity. The GDPR and CCPA have emerged, elevating privacy risks under the umbrella of third-party cyber risks. CPM tools must assess the changes in cyber risks, reactions by regulators, and any need to reorchestrate controls to keep regulatory forces at bay.
In addition to regulations, there are a growing number of standards and related IT security frameworks, including:
- NIST CSF & Privacy
- NIST 800 series
- Cloud Controls Matrix
- ISO 27001/27002
Third parties present critical cybersecurity risks for every organisation, and third-party cyber risk management is a burgeoning component of cybersecurity program management. As the regulatory landscape evolves, organisations need to ensure that IT compliance across the organisation and its relationships keeps pace with changes throughout the IT landscape, or face serious repercussions that could damage their reputation, credibility and viability.
Organisations should assess Cybersecurity Program Management tools to ensure transparency into third-party cyber risks. Appropriate tools track and report on developing risks so the organisation can comply with applicable regulations. Adopting a framework is critical. Organisations should determine that they have the right tools to adhere to the regulations that affect their specific business.
Many organisations face the challenge that a proper IT compliance program involves a coordinated effort across the extended enterprise. Today, it’s more important than ever to be effective in identifying where your weaknesses lie – both inside and outside your organisation. It’s called Cybersecurity Accountability. And if you don’t have it, your organisation is at risk.
To learn How To Enable Cybersecurity Accountability for the Enterprise, download the ProcessUnity whitepaper today.
You’re Only As Strong As Your Weakest Link
There’s never been a more vital time to ensure the resilience of your organisation and the supply chain you rely on. DVV Solutions are here to help with a range of managed services and solutions proven to improve your ability to assess, analyse and manage more supply chain and third-party cybersecurity domains.
This article was originally published by ProcessUnity and is shared with their kind permission.
1) BlueVoyant and Opinion Matters global research study, September 23, 2020.
2) Gartner study, April 24, 2020.