How can risk assessments help manage third parties?
In our last blog we talked about what a third-party security assessment is and how it needs to be:
In this blog we start the conversation about how to perform a third-party security assessment. What do you need to consider when rolling out an assessment process? How do you increase supplier engagement with the process? What are you actually looking to achieve? Here are four considerations for your planning process:
Where do Third Party security assessments fit into your overall Vendor Risk Management approach?
In broad terms, Vendor Risk Management splits into three distinct areas of activity, and their relative importance needs to be considered in order to decide where your assessment process fits in:
External Monitoring – Open-Source Intelligence (OSINT) monitoring of suppliers on an ongoing basis provides a historic and ongoing classification of a supplier's overall security maturity as seen from the outside, but it cannot overcome the opacity and complexity of what is really going on inside the supplier and so tells only half of the story.
Internal Assessments – A Third-Party Risk Assessment is then used to interrogate the internal workings of a supplier, either onsite or remotely. This approach captures a snapshot of a supplier at a point in time but lacks the ongoing monitoring capability of external monitoring.
Balancing these two approaches provides a full picture but is only useful if you intend to engage in:
Risk remediation - Having a way to remediate the risks that a VRM programme finds is essential.
These activities need to be weighed against cost, time and any other constraints, such as audit findings and the volume of suppliers that require protection. The answers will determine the structure of your assessment process and how much effort you want to put into assessing your suppliers.
Luckily, C2 Cyber’s reason for existence is to provide a reasonably priced, fast and efficient combination of all three of the activities above, one that can accommodate an almost unlimited volume of suppliers, so you may find that you need look no further!
What do you want to assess?
Your goals and your choice of tools and partners will determine both what you want to measure and what you can measure. As the old saying goes, “Vision without execution is hallucination”, and whether your goal is risk reduction, productivity, agility or digitisation you need to be able to track your progress. Who is responsible? Who is accountable?
Measurement works on a number of different levels here. Typical measurements directly related to the success of a VRM programme could be about tracking improvements over time in:
- Security maturity of suppliers
- Level of Risk of the services that they provide
- Priority to the company of the services that they provide
- Overall Trajectory of risk (hopefully downward)
However, to achieve real integration with the business you need to measure indicators that matter to them and communicate with them in terms they will understand and appreciate. Strategic measurements may focus on criteria that reflect a different level of risk appetite from a tactical security footing for the purposes of profit or return on investment. A supplier that looks risky to you or your Third-Party Risk Manager may actually be essential to the growth of the company and the criteria and the systems that you choose to measure risks should be designed to take this into account.
Where do you want to start Third-Party Security Assessment?
Desmond Tutu (possibly apocryphally) once wisely said that “there is only one way to eat an elephant: a bite at a time.” The only thing I would add to that is “Start at the trunk”. There is no need to go after all your suppliers at one time, but it is a good idea to take a structured approach to deciding which to focus on first. Segmenting them according to the criticality of the services they provide, their security maturity, the risk they pose, their priority to the business, and whether particular procurement programmes or audit findings are triggering related activity will enable you to prioritise engagement with the right suppliers and, perhaps more importantly, with the right set of stakeholders within your business to achieve the desired effect.
Many get paralysed at the assessment stage. The scale of assessing hundreds (if not thousands) of suppliers may seem overwhelming and cost prohibitive. Assessing every supplier may simply not be practical and, if attempted, effort will tail off over time as the business fails to recognise any value.
As in most things, the 80/20 rule applies here. Effective segmentation of the supplier base plus a clear plan of goals enables you to start where the risk is probably highest. There may, for instance, be suppliers whose security maturity leaves something to be desired, but the function that they are performing for the business is of a low criticality or impact and their risks can either be accepted or realistically deprioritised.
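As an added illustration of the segmentation approach described above (this is not code from the original post or from C2 Cyber), the following Python scores a constructed supplier list on service criticality, assessed maturity and external monitoring score, then tiers suppliers into a first wave, a monitored group and a group whose risk can be accepted or deprioritised. The weights, the 1–5 scales, the 20% first-wave cut and the supplier records are all assumptions.

```python
from dataclasses import dataclass


@dataclass
class Supplier:
    name: str
    criticality: int        # 1 (low) .. 5 (service is essential to the business)
    maturity: int           # 1 (weak) .. 5 (strong), from the internal assessment snapshot
    external_score: int     # 1 .. 5, from ongoing OSINT monitoring of the supplier
    audit_flag: bool = False  # an audit finding or procurement programme names this supplier


def residual_risk(s: Supplier) -> float:
    """Exposure grows with criticality and shrinks with demonstrated control strength.
    The external score is blended in at a lower weight (assumed 30%) because it only
    tells half of the story; the internal assessment carries the rest."""
    control_strength = 0.7 * s.maturity + 0.3 * s.external_score
    return s.criticality * (6 - control_strength)


def segment(suppliers, first_wave_fraction=0.2):
    """80/20 segmentation: the top fraction by residual risk, plus anything flagged by
    an audit finding, is assessed first; weak but low-criticality suppliers are accepted
    or deprioritised rather than chased; everything else stays on external monitoring."""
    ranked = sorted(suppliers, key=residual_risk, reverse=True)
    cutoff = max(1, round(len(ranked) * first_wave_fraction))
    tiers = {"assess_now": [], "monitor": [], "accept_or_deprioritise": []}
    for position, s in enumerate(ranked):
        if s.audit_flag or position < cutoff:
            tiers["assess_now"].append(s.name)
        elif s.criticality <= 2:
            tiers["accept_or_deprioritise"].append(s.name)
        else:
            tiers["monitor"].append(s.name)
    return tiers


# Constructed sample supplier base (hypothetical names and scores).
SAMPLE = [
    Supplier("payroll-saas", criticality=5, maturity=2, external_score=3),
    Supplier("cdn-provider", criticality=4, maturity=4, external_score=5),
    Supplier("office-plants", criticality=1, maturity=1, external_score=2),
    Supplier("print-shop", criticality=2, maturity=2, external_score=2, audit_flag=True),
    Supplier("hr-recruiter", criticality=3, maturity=3, external_score=2),
]

if __name__ == "__main__":
    for tier, names in segment(SAMPLE).items():
        print(f"{tier}: {', '.join(names)}")
```

Note that "office-plants" has the weakest maturity in the sample yet lands in the accept tier, which is exactly the low-criticality case the text describes.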
How do you get to value?
As they say, “Weighing the pig won’t make it fatter”. It is vital that the purpose of assessment is kept within the boundaries of the principles of the overall programme and not allowed to become an end in itself. I am reminded of the three golden rules of measurement:
- No measurement without recording
- No recording without analysis
- No analysis without action
The answer is not to focus on assessment but on understanding, action, collaboration and remediation, and to achieve this you need to get beyond assessment as quickly and efficiently as possible.
There are also many ways to make assessment intuitive, flexible and user friendly, and so encourage greater participation from suppliers. Make it easy for the supplier and they will make it easy for you; the old approach of spreadsheets has high inertia and is unpopular. Adaptive questioning in assessments, the ability to farm out parts of the assessment to different stakeholders within the supplier, behavioural psychology built into the structure of the assessment and automated measurement of responses can all be used to improve participation, and you should ask whoever is providing your assessment process about each of them.
Finally, it is not all about the vendor; it is about the vendor in the context of the product and service they are providing. Explaining to them the importance of the role they play in your business will improve buy-in from the start and justify the demands that you will make on them. VRM should be about building a real partnership with your vendors, not just beating them up.
On the other hand, making vendors aware that their progress on an assessment is visible to you does usually have efficiency benefits!