Partner security risk is an important topic in the minds of risk officers today. With the number of companies being breached via third parties on the rise (New York Times, Bank of America, Twitter), this is clearly a big area of concern. In a survey conducted by Ponemon in February 2013, 65% of participants said their organization had a breach involving the loss or theft of their organization’s information when it was outsourced to a third party. In April 2013, the Information Security Forum (ISF) wrote "Of all the supply chain risks, information risk is the least well managed."
So, how real is this risk and how is it being addressed today?
According to the ISF, its member organizations have approximately 2,030 external supplier relationships on average. True - not all organizations are as large as some of the ISF members (including IBM, Nokia and P&G) - but the fact is that in today’s hyper-networked world, corporations are operating with more and more business partners. In addition to manufacturing and support services, companies commonly outsource other functions such as IT, legal, payroll, marketing, and human resources. That’s a lot of information exposed to third party risk. Take the example of Bank of America. In March 2013, Bank of America confirmed that a third party compromise was responsible for a 14 terabyte data leak! Yes – this is absolutely a REALLY BIG RISK.
Unfortunately, tools to manage third party security risk are limited. Here is what the typical process looks like for large financial institutions – i.e. this is the “state of the art” today.
- Establish a contract with the partner that:
- Prescribes security controls
- Transfers financial liability for breaches
- Assess the partner using:
- Questionnaires
- Documentation Review
- Follow-on Interviews
- Site Visits
- Remediate findings:
- Report findings to partner
- Partner presumably works to mitigate the reported risks
- Financial Institution monitors the partner's progress
- Wait 12 months and repeat
Although this process is ridiculously expensive, it does help organizations understand their partners’ policies and procedures. And, if done correctly, it can mitigate some risk. However, in a world of constantly evolving threats, this process is not sufficient to proactively manage third party risk. Point in time questionnaires provide subjective opinions of the partner’s then-current policies and procedures and are NOT based on evidence of security effectiveness. And by security effectiveness, I mean how well a company executes its policies. My partner may have the spiffiest firewall in town, but if he does not keep it updated, my confidential data is at risk of being exposed. And if he had it patched the day I assessed him but not a month later, my data is still at risk. We, as an industry, need to change the conversation from “are you compliant” to “show me evidence that you are adequately protecting my data.”
What is particularly troubling is that, in spite of the known and widely accepted shortfalls of current third party risk management methods, there has been little innovation in creating evidence based, cost effective solutions. There is constant innovation in business and financial risk management, why not technology risk?
What are your thoughts on the state of partner security risk management today? Please share your comments below, and follow us on Twitter to continue the conversation.