Organizations often rely on third-party assurances to tackle third-party risk management (TPRM) but fail to leverage its full potential.
What are some of the good assurance mechanisms? How can organizations and third parties communicate effectively to showcase their security strength? How can organizations categorize their third parties strategically?
Omar Khawaja, CISO at Databricks, explores the same with the HITRUST team in Trust vs. Third Parties. Listen to the full podcast episode to hear the full discussion.
Here are some quick insights from their conversation.
How to choose the right third-party assurance
The first step to choosing the right assurance mechanism is understanding its need. Why do you need an assurance for a system? How does it impact your performance? What are the risks if the system is exposed? Based on your needs, align the assurance level with business value. Also, evaluate negative business value if things go awry.
Check that the controls you select and the process you pick fit well with the assurance level. Most security professionals feel the more controls, the better security. But more controls could mean a waste of resources.
If you’re working in a healthcare or financial organization, your organization handles sensitive information. This means you are aiming for a high security bar. Some of your vendors may feel that your third-party assurance expectations are too complicated or expensive. But remember, if your vendor thinks it’s difficult to protect your data, you’re probably putting it in the wrong hands. Partner with vendors who are constantly raising the bar and willing to do more.
How to assess vendor risk
You’ve classified your third parties as low-risk or high-risk. You focus all your energy on the high-risk ones and put the least effort into the low-risk ones.
This process makes sense until you look at the breached vendors list. Did any organization working with Kronos for time management or MOVEit for file transfer consider them high-risk? Probably not.
Organizations are either doing an excellent job of protecting the high-risk ones or a poor job of stratifying the low-risk ones. And most likely, it’s the latter.
You can’t put every vendor in the high-risk category. So, what’s the solution?
Organizations only focus on their partnership and inherent risk when stratifying vendors. How much data is shared with this third party? But that’s not enough. Think of it from a business risk perspective. What are the outcomes if something goes wrong? How will that impact business operations and the industry at large? Can an attacker get access to several entities by attacking this third party?
Evaluate your third parties based on these risks and negative business values. Maybe your low-risk vendor is not really low-risk. This approach helps set the right third-party assurance expectations and get stronger security certifications.
How to create an effective TPRM plan
You have robust cybersecurity programs to protect your data. You have acquired the best assurance to validate it. But how assured are you when the same data resides in your third-party vendor’s data center or cloud?
When you send out questionnaires, it seems logical, but if you receive them, it looks like a waste of time. If you don’t think questionnaires are valuable when filling them, why should you expect your partners to do so?
It’s time you move away from traditional tactics that do not add value. Adopt new TPRM strategies and approaches. A leader needs to be a continuous learner. Standard and certification bodies should be adaptable, too.
Understanding the needs of its audiences, HITRUST introduced its lower-level assurance, Essentials e1 Validated Assessment. It is ideal for low-risk third parties and serves as a foundation for those who want to begin their assurance journeys. With its expanding portfolio, HITRUST offers different levels of reliable assurances for vendors of all sizes.
To dive deep into creating effective TPRM strategies, check out the entire episode.