Security leaders continue to be concerned about third-party cybersecurity risks in the wake of the SolarWinds and Kaseya attacks. Despite this, CISOs are still having a lot of trouble with third-party risk management (TPRM). According to the newest CISO Circuit survey by YL Ventures, 70% of surveyed leaders don’t believe that TPRM solutions have significantly helped them avoid risk. Their doubts are largely rooted in concern about the lack of context in current TPRM processes. This is significant because 83% of respondents use such a solution.
Supply chains have become more popular attack vectors for criminal actors. Board and compliance pressure around third parties is increasing rapidly, further fueling the fire under CISOs already struggling to manage the process. In the race to address growing supply-chain risk, it is worth looking at how existing practices can be optimized to reduce the risk to enterprise networks. The CISO Circuit report reveals two critical blind spots that prevent us from realizing the true potential of TPRM: how and when we interact with third-party entities, and how those entities interact with one another inside our own environments.
Third-party SaaS vendors are now embedded in every aspect of our workflows and interconnected with enterprise environments. This takeover was already happening at an astonishing rate when digital transformation became a top priority. SaaS applications are being adopted more widely, organizations are striving to get more out of them, and they have begun integrating these applications with one another to improve data flow and automate workflows.
Pictured visually, information moves through an interconnected web of SaaS applications that constantly ping one another for data. These communications are the core of our new, streamlined workflows and faster productivity. They can also be dangerous gateways into our environments, because they increase both our dependence on and our interconnectivity with third-party vendors.
Accounting for dynamism
TPRM solutions suffer from critical blind spots that limit CISOs' confidence and their ability to manage risk effectively. Today's TPRM solutions tend to focus on a vendor's security posture rather than on the actual vendor-customer integrations in place.
Increased independence for individual users and citizen developers often leads to changes in SaaS usage and business processes. These developments have changed how enterprises relate to third-party vendors in ways that current TPRM practices do not adequately address.
These blind spots also make it difficult to implement other best practices such as zero trust and proper access protection, which cannot be applied well without taking into account the larger context and the dynamic nature of third-party relationships and data flows. A single misattribution can undermine zero trust, resulting in over-privileged third-party access or in vendors retaining access that is no longer needed.
Many enterprises are affected by third-party integrations that are easily forgotten or that slip past the supply-chain risk management process, and current approaches do little to help security leaders detect them. The result can be a network of third parties exchanging enterprise data with no supervision or governance.
Unlocking the potential of TPRM
According to YL Ventures’ report, CISOs are more motivated by compliance than by real security strategy when using TPRM solutions.
It is possible to increase supply-chain security and to implement better third-party security practice. However, solutions must show a greater appreciation for third-party vendors and for how they communicate with our digital assets. To implement zero trust, we need a better understanding of integrations at all points, or at least at multiple points, so that they can be governed properly.
As third-party SaaS applications become more important, it is time for third-party vendor risk assessments to cover not only a vendor's security controls but also how we interact with that vendor. This does not diminish the value of TPRM solutions; they remain one of the best ways to manage supply-chain security. Nevertheless, we cannot ignore their limitations. It is important to recognize that supply-chain protection is ongoing and needs more continuous attention. Expanding the factors that feed into third-party risk scoring can help improve the effectiveness of TPRM.
The more data we feed into the risk scoring process, the more engaged we will be in monitoring, tracking and governing third-party integrations into enterprise networks. Although it may seem idealistic, this would likely increase the accuracy of TPRM results as well as CISO confidence in TPRM reliability.