SECURING THE RIGHT VENDORS IN THE CYBER SECURITY AND DATA PRIVACY DOMAINS
Digitalization forcefully accelerates the adoption of platforms and devices that allow sensitive data to be shared with third parties, such as cloud service providers, data aggregators, application programming interfaces (APIs), and other technology-related intermediaries. In essence, this propagates the need to know and track vendors much more diligently, given this trend of increasing vendor dependency in the cyber security space. In parallel, vendors are increasingly becoming the most targeted security link in the supply chain. At the same time, customers demand more cyber-secure products that remain at low cost, two needs that are not always possible to reconcile. Moreover, with the almost limitless potential of the impact of supply chain attacks on large customer bases, these attacks are becoming increasingly common.
The need for strengthening vendor management and pre-qualification inevitably hinges and integrates directly with the need to undertake and implement a third-party digital risk management process. Deepening the business and operational relationships with existing and potential vendors will increasingly imply a higher complexity of digital risk, requiring systematic management to visualize and understand the increasing external dependency on critical cyber security and data protection solutions provided directly by vendors. So as the dependency on key vendors and their influence on business criticality increases, so does the organization’s need to systematically establish a comprehensive approach to manage new and diversified digital risk complexity.
Furthermore, there are many ways that security vulnerabilities with third-party vendors can translate to a security incident for an organization. Developing a vendor life-cycle management process is essential as dependency on vendors increases to manage inherent digital risk aligned with present and future realities. From a financial perspective, many large organizations face a common dilemma: they spend vast amounts of cyber security and data privacy investments yet have limited visibility into how their initiatives reduce their digital risk exposure. As a result, cyber security and data privacy spending often are not as efficient or effective as it could be in terms of lacking a critical competence in the vendor market combined with which vendors may constitute a strategic and operational partnership fit over the long term.
A lack of understanding of the scope of digital risk from third-party providers may inhibit the organization from making strategic and operational decisions, and thereby experience significant negative performance and economic impact. The unknown and unqualified digital risk posed by third-party vendors to the organizations leads to unnecessary risk exposure that is otherwise avoidable. Examples of a high level of a variety of challenges on third-party digital risks that an organization may need to address include:
- Lack of internal procedures and processes on digital risk resulting in inadequate understanding and competence on customer organization and its needs
- Poor implementation of required security protocols and standardized requirements
- Lack of in-depth personnel digital vetting
- Lack of in-depth general knowledge and additional digital vetting of deployed subcontractors
Although not prescriptive, developing a basic framework to understand the vendor base provides a flexible structure that the organization can adapt to meet its business needs. Establishing such a framework does not require too detailed or process orientation and may comprise the following key elements:
- Identification of contracts or engagements with vendors
- Identification of the contracts that need to be risk assessed
- Identification of which vendors should be involved in and carrying out the assessment for defining risk criteria
- Getting a strategic perspective on risk
- Summary of responses at relative risk levels
- Implementing an assurance program
- Review of the process
Taking the qualitative leap of taking digital risk management to the next level hinges on the better protected against cyber-attacks organizations become, the more the attention shifts to vendors and digital risk management. Inevitably, there are key considerations and requirements aspects that overlap between digital risk mitigation and vendor pre-qualification. Nevertheless, organizations must build a robust understanding of existing and potential vendor bases, which might or might not represent digital risk. At the same time, organizations must ensure that their vendors fulfill their share of the digital risk-specific responsibility directly inherent to the measures and actions they must take. So as this digital risk accountability perspective needs to be a two-layered approach – one for organizations and another for vendors – some basic recommendations for organizations may include:
- Identifying and documenting vendors and service providers considered to represent a digital risk
- Defining digital risk criteria for different types of vendors and services such as vendor & customer dependencies, critical software dependencies, single points of failure; monitoring of supply chain risks and threats
- Managing suppliers over the whole lifecycle of a product or service, including procedures to handle end-of-life products or components that derive specifically from digital risk.
- Classifying assets and information shared with or accessible to suppliers representing a digital risk and defining relevant procedures for accessing and handling them.
- Assess supply chain digital risks according to their own business continuity impact assessments and requirements,
- Define obligations of vendors for the protection of the organization’s assets, for the sharing of information, for audit rights, for business continuity, for personnel screening, and the handling of incidents in terms of responsibilities, notification obligations, and procedures,
- Define security and digital risk requirements for the products and services acquired, including all these obligations and requirements in contracts.
- Agree on rules for sub-contracting and potential cascading digital risk requirements.
- Monitor service performance and perform routine security audits to verify adherence to cybersecurity and digital risk requirements in agreements; this includes handling incidents, vulnerabilities, patches, security requirements, etc.
- Receive the assurance of vendors and service providers that no hidden features or backdoors are knowingly included.
- Define measures for digital risk treatment based on good practices,
- Monitor supply chain digital risks and threats based on internal and external sources of information and findings from vendor’s performance monitoring and reviews,
- Make their personnel aware of the digital risks.
On the other angle of this two-layered approach, there is also the necessity for continually driving vendors to ensure that the development of products and services comply with security and digital evolving risk practices and requirements. Vendors may implement good practices for vulnerability and patch management, for instance. Examples of recommendations for vendors include:
- Ensuring that the infrastructure used to design, develop, manufacture, and deliver products, components, and services follows cybersecurity and digital risk practices.
- Implementing a product development, maintenance, and support process consistent with commonly accepted digital risk–specific product development and processes.
- Monitoring of security vulnerabilities reported by internal and external sources, including used third-party components.
- Maintaining an inventory of assets that includes patch-relevant information.
Contractually, it also becomes fundamentally important that adapted and suitable clauses are incorporated into any contract or agreement with vendors. Accelerated dynamics regarding how digital risk evolves make it even more relevant to build and structure contractual content, ensuring that the document offers a reasonable degree of protection and control over the purchased goods and services. The contract s to allow for being a “living document process,” safeguarding that digital risk contractual content is progressively captured and updated during the actual operational contract management phase. Examples of how basic sections and clauses can be structured and included in a contract are:
- In cases of state entities where ICT security is a national risk of critical importance and security is a license to operate, the vendor must give any related matter the highest priority. The vendor shall ensure that security risks are managed vigilantly, with the ability to defend against all levels of threats, including but not limited to, nation-state threat actors.
- Governance: the vendor shall appoint a security and digital risk responsible at an executive level as a counterpart to the customer, with the responsibility for strategic security meeting places, reporting, and management of material risks, incidents, and vulnerabilities. This is to ensure strategic management of information and digital risk security in addition to the regular customer governance.
- Material issues: material security issues shall immediately be communicated to the customer and appointed parties, including material risks, incidents, and vulnerabilities. The vendor shall provide the support and information required and take necessary actions to manage such risks. This is to ensure strategic coordination of material issues in addition to the regular customer governance.
- Compliance: the vendor shall comply with all applicable laws and regulations concerning ICT security, document certification, or compliance to ISO 27001 or equivalent information security management systems and ensure adherence to industry best practice security frameworks and NIST cyber security framework.
- Supply chain: the vendor shall implement information security controls throughout the supply chain in accordance with the security requirements in this contract. The vendor shall further support regular operational information security cooperation with relevant third parties, such as ICT outsourcing partners, cloud vendors (SaaS/PaaS/IaaS), and managed security service providers appointed by the customer.
- Reference architecture: the vendor shall enable secure cloud adoption through an agreed security reference architecture based on the vendor’s security architecture models, implementing security tools and processes to enable end-to-end security for the organization or the public sector.
Ultimately, vendor pre-qualification does not only drive accountability within an organization’s functions to define digital risk-specific scope and requirements, but it also encourages active cross-functional participation in scouting new cyber security and data privacy vendors proficient in digital risk management, together with enabling a stronger focus on overall vendor management. Hence, spend and investment management encompassed in business targets continually align, having an internally qualified vendor and partnership understanding, proving to become critical in many cases to overall business and organizational performance.
In the future, the interconnectedness and convergence of digital tools will continue to increase as society embraces the next version of the internet built upon blockchain technology. Hypothetically, there is a window of opportunity that third-party digital risk encompassing all third-party digital enablement may lay the foundation for initiating an overall digital risk management transformation in terms of how it aims to improve risk effectiveness and efficiency. Especially this provides opportunities for process automation, decision automation, digitized monitoring, and early warning. The path to managing third-party digital risk will be a long-term endeavor, but in parallel executing digital risk, transformation allows to capture significant value in the short term, launching tailored initiatives for high-value targets. As the risk management function progressively digitizes, it will contribute to the organization gaining higher efficiency, effectiveness, and precision. If we look towards the future, digital risk management should become increasingly lean and agile, addressing cost pressure, enhancing regulatory compliance, and strengthening the organization’s ability to manage the competition. White Label Consultancy can help and support your organization to embark on the journey of propelling third-party digital risk management to new levels of value creation and performance control.