The Emergence of Third Party Risk Management
Third party risk management has become an especially hot topic following highly publicized information security breaches that originated in third party applications, systems or networks. As a result, the business concerns surrounding third party risk boil down to whether it is “safe” to establish or maintain a particular relationship, or whether an organization should force a third party to improve its controls.
Obviously, important decisions like these need to be based on accurate and meaningful information about how much risk a third party represents. Unfortunately, many organizations expend an extraordinary amount of time and effort and still fail to make well-informed decisions regarding third party risk.
5 Main Challenges
- Volume: The first challenge is simply the sheer volume of third parties. Many organizations today have relationships with hundreds or even thousands of third party organizations, relationships that can run the gamut from simple to highly complex and represent nominal to extreme levels of risk.
- Lengthy Checklists: The second challenge results from the approach many organizations have taken to evaluate their third party risk. Very often, the “solution” organizations have settled on has been to create (or adopt) lengthy questionnaires made up of detailed questions regarding information security controls and practices.
By themselves, such checklists aren’t inherently bad, and they can in fact be somewhat informative.
The problem, however, is that lengthy questionnaires don’t scale well. Worse yet, scale is usually a problem both for the first party organization, because of the hundreds or thousands of third party questionnaires it has to review, evaluate and make decisions about, and for third parties, who may have many customers, each of which often has its own customized questionnaire.
- Poor Information Quality: A third challenge has to do with information quality. Because questionnaires are typically lengthy and time consuming to fill out, and because there can be so many of them, third parties often will not be able to spend a lot of time thinking about their answers to the questions, which means the answers are more prone to be inaccurate or misleading.
Making matters worse, questions within questionnaires are often ambiguously written and only allow for yes/no answers. This means that a third party with an immature or incomplete implementation of a control can truthfully answer “yes” given its interpretation of the question, but that answer may be highly misleading.
- No Risk Analytics: Yet another challenge exists because checklists have no real analytic capability and the interpretation of the answers provided by a third party is subject to the beliefs, biases, and paranoias of whichever information security professional is tasked with reviewing them.
Especially when combined with the volume of questionnaires to review and their length, there is an increased chance that key concerns will be overlooked or minor concerns exaggerated. The result is poorly informed decisions and an inefficient use of limited information security resources.
- More is Not Better: A final challenge has to do with a common misinterpretation of what “due diligence” looks like and what good risk intelligence looks like. Actually, this problem is closely tied to the lengthiness of many questionnaires mentioned above. For some reason, people have tended to correlate due diligence and risk intelligence quality with the number of questions in a questionnaire — i.e., more is better.
As I’ll discuss in more detail below, there are diminishing returns in terms of the risk intelligence an organization can gain from a questionnaire, and thus their ability to cost-effectively exercise due diligence.
Shared Assessments: Promising, but with Inherent Limitations
An approach that has been tried without much success is the notion of “shared assessments”. In other words, have all organizations rely on the same questionnaire. In theory, this would mean that third parties would only have to fill out a questionnaire once, and then every organization they had a relationship with would rely on that questionnaire.
The upside to this comes in two forms:
- it would dramatically reduce the work required by third parties
- it would reduce the workflow and questionnaire handling efforts of an organization.
There are limitations as well:
- It probably would not significantly reduce the resources needed for an organization to evaluate, follow up on, and make decisions regarding the answers provided by its hundreds or thousands of third parties.
- Another important limitation is the fact that not everyone agrees on which questions should be asked of third parties. The result is that organizations either customize their questionnaires anyway (which eliminates the two potential benefits) or the shared assessments try to include everything everybody believes is important. This, in fact, is another key contributor to the extreme length of some of the more standard questionnaires in use today.
Next-Generation Maturity Models: Evaluating Organizations' Capacity to Manage Risk
A more logical and practical solution can be arrived at if we keep in mind:
- the objective of the third party risk management process, i.e. to cost-effectively recognize when a third party is likely to represent an unacceptable level of risk to the organization
- the fundamental limitations that exist in our ability to know what’s actually going on security-wise in a third party.
Let’s start with the fundamental limitations mentioned in the prior section. Answers to a checklist-based questionnaire are (at best) accurate only at a point in time. Especially if a third party has a large, complex, or dynamic technology landscape, you can be assured that “compliance” with any set of detailed requirements will not be complete or persistent. To believe otherwise is a fallacy. An organization can ask five hundred questions or five thousand and it still won’t know everything about the security conditions within its third parties. Asking more questions is simply analogous to counting grains of sand on a beach — a beach that invariably shifts with every change in tide.
So let’s tackle the question of what questions to ask. To use an analogy from nature, a wolf pack doesn’t need to perform DNA tests on an entire herd of caribou in order to recognize which ones are weakest. They look for characteristics like limping, disheveled coats, or signs of undernourishment. Likewise, if you know what characteristics to look for you can relatively easily recognize which third parties should be culled from the herd for “special attention”:
- The first characteristic to examine has to do with potential loss magnitude. This is typically going to be a function of one or more of the following:
  - Whether or how much of the organization’s sensitive information a third party has access to within its own systems and applications or in the organization's systems.
  - Whether an organization has critical business processes that are highly dependent on a third party.
  - The nature of network connectivity between a third party and the organization.
- The second set of characteristics is descriptive in nature and has to do with a third party’s fundamental ability to make well-informed decisions about risk (e.g., prioritize effectively, etc.) and then execute reliably against those decisions. By the way, these characteristics are often not covered in even the most comprehensive questionnaire.
- The last set of characteristics describes the state of maturity and efficacy of the controls that directly affect the frequency and impact of loss events the third party is likely to experience.
- A final key ingredient is to have these characteristics baked into an analytic ontology that enables quantitative methods to reduce the need for individual information security professionals within an organization to interpret a third party’s responses.
Taken together, these three sets of characteristics and the ontology can, with fewer than 50 questions, enable an organization to gain a clearer picture of a third party's risk posture than it is likely to get with 600 checklist-based questions.
An example of that is the Cyber Risk Third-Party application that was recently released by RiskLens.
The Bottom Line
Due diligence in the big picture extends beyond third party risk management and requires that organizations cost-effectively use their limited resources to manage the entire scope of information security risk they face.
If they waste resources in an attempt to manage third parties when those resources could be used to focus on other, more important risk concerns, then they have failed from a due diligence big picture perspective.