Identify and Manage Security Risk Impacts on Your Organization

Know where the attacks are coming from so you know where to protect.

  • More than any other time, our world is changing. As a result, organizations – and their vendors – need to be able to adapt their plans to accommodate risk on an unprecedented level.
  • A new global change will impact your organization at any given time. Ensure that you monitor threats appropriately and that your plans are flexible enough to manage the inevitable consequences.

Our Advice

Critical Insight

  • Identifying and managing a vendor’s potential security risk impacts on your organization requires multiple people in the organization across several functions. Those people all need coaching on the potential changes in the market and how these changes could introduce new risks.
  • Organizational leadership is often taken unaware during crises, and their plans lack the flexibility needed to adjust to significant market upheavals and surprise incidents.

Impact and Result

  • Vendor management practices educate organizations on the potential risks from vendors in your market and suggest creative and alternative ways to avoid and manage them.
  • Prioritize and classify your vendors with quantifiable, standardized rankings.
  • Prioritize focus on your high-risk vendors.
  • Standardize your processes for identifying and monitoring vendor risks to manage potential impacts with our Security Risk Impact Tool.

Identify and Manage Security Risk Impacts on Your Organization Research & Tools

1. Identify and Manage Security Risk Impacts on Your Organization Deck – Use the research to better understand the negative impacts of vendor actions on your security.

Use this research to identify and quantify the potential security impacts caused by vendors. Use Info-Tech’s approach to look at the security impacts from various perspectives to better prepare for issues that may arise.

2. Security Risk Impact Tool – Use this tool to help identify and quantify the security impacts of negative vendor actions.

By playing the “what if” game and asking probing questions to draw out – or eliminate – possible negative outcomes, everyone involved adds their insight into parts of the organization to gather a comprehensive picture of potential impacts.


Identify and Manage Security Risk Impacts on Your Organization

Know where the attacks are coming from so you know where to protect.

Analyst perspective

It is time to start looking at risk realistically and move away from “trust but verify” toward zero trust.

Frank Sewell, Research Director, Vendor Management, Info-Tech Research Group

We are inundated with a barrage of news about security incidents on what seems like a daily basis. In such an environment, it is easy to forget that there are ways to help prevent such things from happening and that they have actual costs if we relax our diligence.

Most people are aware of defense strategies that help keep their organization safe from direct attack and inside threats. Likewise, they expect their trusted partners to perform the same diligence. Unfortunately, as more organizations use cloud service vendors, the risks with n-party vendors are increasing.

Over the last few years, we have learned the harsh lesson that downstream attacks affect far more businesses than we ever expected, as disruptions to suppliers and manufacturers of base goods and materials, together with rising transportation costs, ripple through the global economy.

“Trust but verify,” while a good concept, should give way to the more effective zero-trust model, which starts from the premise that an incident is not a matter of if but when.

Executive Summary

Your Challenge

More than any other time, our world is changing. As a result, organizations – and their vendors – need to be able to adapt their plans to accommodate risk on an unprecedented level.

A new global change will impact your organization at any given time. Ensure that you monitor threats appropriately and that your plans are flexible enough to manage the inevitable consequences.

Common Obstacles

Identifying and managing a vendor’s potential security risk impacts on your organization requires multiple people in the organization across several functions. Those people all need coaching on the potential changes in the market and how these changes could introduce new risks.

Organizational leadership is often taken unaware during crises, and their plans lack the flexibility needed to adjust to significant market upheavals and surprise incidents.

Info-Tech’s Approach

Vendor management practices educate organizations on the potential risks from vendors in your market and suggest creative and alternative ways to avoid and manage them.

Prioritize and classify your vendors with quantifiable, standardized rankings.

Prioritize focus on your high-risk vendors.

Standardize your processes for identifying and monitoring vendor risks to manage potential impacts with our Security Risk Impact Tool.

Info-Tech Insight
Organizations must evolve their security risk assessments to be more adaptive to respond to global changes in the market. Ongoing monitoring of third-party vendor risks and holding those vendors accountable throughout the vendor lifecycle are critical to preventing disastrous impacts.

Info-Tech’s multi-blueprint series on vendor risk assessment

There are many individual components of vendor risk beyond cybersecurity.

Multi-blueprint series on vendor risk assessment

This series will focus on the individual components of vendor risk and how vendor management practices can facilitate organizations’ understanding of those risks.

Out of Scope:
This series will not tackle risk governance, determining overall risk tolerance and appetite, or quantifying inherent risk.

Security risk impacts

Potential losses to the organization due to security incidents

  • In this blueprint we’ll explore security risks, particularly from third-party vendors, and their impacts.
  • Identify potentially disruptive events to assess the overall impact on organizations and implement adaptive measures to correct security plans.

The world is constantly changing

The IT market is constantly reacting to global influences. By anticipating changes, leaders can set expectations and work with their vendors to accommodate them.

When the unexpected happens, being able to adapt quickly to new priorities ensures continued long-term business success.

Below are some things no one expected to happen in the last few years:

  • Ransomware attacks spiked 62% globally (and 158% in North America alone). (OneTrust, 2022)
  • 83% of companies increased organizational focus on third-party risk management in 2020. (Help Net Security, 2021)
  • In a 2020 survey, 84% of organizations reported having experienced a third-party incident in the last three years. (Deloitte, 2020)

Identify and manage security risk impacts on your organization

Due diligence will enable successful outcomes.

What is third-party risk?

Third-Party Vendor: Anyone who provides goods or services to a company or individual in exchange for payment transacted with electronic instructions (Law Insider).

Third-Party Risk: The potential threat presented to organizations’ employee and customer data, financial information, and operations from the organization’s supply chain and other outside parties that provide products and/or services and have access to privileged systems (Awake Security).

It is essential to know not only who your vendors are but also who their vendors are (n-party vendors). Organizations often overlook that their vendors rely on others to support their business, and those layers can add risk to your organization.

Identify and manage security risks

Global Pandemic

Very few people could have predicted that a global pandemic would interrupt business on the scale experienced today. Organizations should look at their lessons learned and incorporate adaptable preparations into their security planning and ongoing monitoring moving forward.

Vendor Breaches

The IT market is an ever-shifting environment; more organizations are relying on cloud service vendors, staff augmentation, and other outside resources. Organizations should hold these vendors (and their downstream vendors) to the same levels of security and standards of conduct that they hold their internal resources.

Resource Shortages

A lack of resources is often overlooked as a risk, yet it is easily recognized as the cause of a security incident after the fact. All too often, companies are unwilling to dedicate resources to their vendors’ security risk assessment and ongoing monitoring needs. Only once an incident occurs do companies decide it is time to reprioritize.

What to look for in vendors

Identify information security risk impacts

  • In the due diligence phase of the relationship, make sure to look for articles on the vendor that would indicate it has been part of any:
    • Lawsuit
    • Regulatory penalty
    • Security incident
    • Data breach
  • When the vendor returns your organization’s security risk assessment document, look for suspicious statements or missing information that was requested.
    • Be sure to have your IT and InfoSec groups review the document and have a formal follow-up call with the vendor to ensure that its answers are correct and to raise any questions about security items that may not match the expectations from the product description.
  • Be sure to request the vendor’s vendor relationships and map any dependencies that may affect your organization.
    • Often vendors grant access to other vendors, and those vendors may gain access to your data in that manner.

An ideal situation

This organization has a robust vendor management practice that is intricately tied into its Security and Risk management groups.

  • Vendors are identified, categorized, and classified according to risk and value to the business.
  • Vendor n-party relationships are mapped and updated regularly.
  • Contracts are in place with appropriate protections with all vendors.
  • The security and cyber risk assessment is updated and reviewed regularly.
  • Security validation and ongoing monitoring are in place.
  • Vendor managers, security risk management, and risk managers work together to make sure that the organizational processes and policies are enforced.

High potential for risk impacts

This organization has very little vendor management, and the individual groups tend to be siloed in their actions and information sharing.

  • Vendor contracts are inconsistent.
  • Vendor relationships are not mapped; most are simply unknown.
  • IT security risk assessments are either stale or nonexistent, and vendors mainly fill out a questionnaire.
  • Existing vendor practices are not actively monitored or reviewed, and the company units are mainly reactionary regarding security concerns.
  • Departments are often unaware of the requirements of other departments in the organization, and steps are often missed.
    • Information security risk management informally competes with other priorities for resources in the organization.

Low potential for risk impacts

This is a typical organization that has some good vendor management tied into its security team but lacks the resources to fully optimize its risk management program.

  • Vendors are identified, categorized, and classified according to risk and value to the business.
  • Security assesses vendors and reviews the security of prioritized vendors at time of renewal.
  • Ongoing monitoring is limited but is in place. Mapping to n-party vendors is also limited, if in place at all.
  • Vendor contracts are in place, are reviewed prior to renewals, and have appropriate protections.
  • Vendor managers, security, and risk managers work together to make sure that the organizational processes and policies are enforced.
    • Cybersecurity risk management is a priority for the organization, and resources work together to ensure the organization’s safety.

Security risks

Not monitoring your vendors can cause major long-term impacts.

  • Supply chain disruptions and global shortages
    • Geopolitical disruptions and natural disasters have caused unprecedented interruptions to business. Incorporate business continuity planning into your security risk assessments and develop ongoing monitoring and validation of risk assessment items in your organizational resource planning.
  • Software incidents
    • Many organizations’ supply chains that were affected by the SolarWinds incident in December 2020 are still identifying and trying to manage the impacts.
  • Vendor breaches
    • Looking at your immediate vendors and performing a one-time risk assessment is not enough. Instead, it would be best to look at the vendors they use to fulfill their business functions and protect your interests accordingly – starting with contractual clauses that address these concerns.

It is equally as important to identify potential security risks from n-party vendors as it is to implement ongoing monitoring of those risks in an ever-changing global environment.

Info-Tech Insight
Many organizations are now performing initial security assessments, but it is still rare to see ongoing monitoring or periodic validation of the initial security questionnaire.

Prepare your third-party vendor risk management for success

Due diligence will enable successful outcomes

Contracts

Protect yourself at all stages of the vendor lifecycle with appropriate language to limit potential impacts on your organization.

Security

Review the current state but plan for ongoing assessment.

Use services to monitor breaches and incidents related to the vendor and its support vendors.

Compliance

Understand all the regulatory requirements the vendor may be subject to and check for any prior fines or penalties.

Financial Assessment

Review the vendor’s capacity to support your organization as well as the vendor’s overall finances.

How to assess third-party security risk

01 Review Organizational Security
Understand the organizational security to prepare for the “What If” game exercise.
02 Identify & Understand Potential Security Risks
Play the “What If” game with the right people at the table.
03 Create a Risk Profile Packet for Leadership
Pull all the information together in a presentation document.
04 Validate the Risks
Work with leadership to ensure that the proposed risks are in line with their thoughts.
05 Plan to Manage the Risks
Lower the overall risk potential by putting mitigations in place.
06 Communicate the Plan
It is important not only to have a plan but also to socialize it in the organization for awareness.
07 Enact the Plan
Once the plan is finalized and socialized, put it in place with continued monitoring for success.

Adapted from Harvard Law School Forum on Corporate Governance

Insight summary

It is not enough to solely assess and monitor your direct vendors.

Many incidents are coming from third- and n-party vendors that have poorly mapped relationships to your organization.

Understanding the complete vendor landscape and protecting your organization accordingly is key to avoiding costly security incidents.

Insight 1

Organizations have a difficult time determining where their vendor risks will come from.

To determine where threats may come from, you first need a complete map of the landscape.

Insight 2

Risk assessments need to be validated and include ongoing monitoring of vendors.

Use services that will notify you when a breach has occurred and keep abreast of news regarding the vendors in your organization.

Insight 3

Organizations need to perform risk assessments and implement protection for n-party vendors.

When engaging in contracts, make sure to include n-party vendor items that can protect your organization.

Identifying third-party vendor risk

Who should be included in the discussion

  • While it is true that executive-level leadership defines the strategy for an organization, it is vital that the decisions they make are informed ones.
  • Getting input from operational experts at your organization will enhance your business’ long-term potential for success.
  • Involving those who directly manage vendors and understand the market will aid operational experts in determining the forward path for relationships with your current vendors and identifying emerging potential strategic partners.
  • Make sure Security, Risk, and Compliance are all at the table. These departments all look at risk from different angles for the business and give valuable insight collectively.

Review your security risk assessments for new risks and evolving likelihood on a regular basis.

Keep in mind that Risk = Likelihood × Impact (R = L × I).

Impact (I) tends to remain the same, while Likelihood (L) is a very flexible variable.

See the blueprint Build an IT Risk Management Program

Managing vendor security risk impacts

What can we realistically do about the risks?

  • Review your and your vendors’ business continuity plans and disaster recovery testing – especially for critical vendors.
  • Institute proper contract lifecycle management.
    • Start at the beginning to include proper protections from vendors, their subcontractors, and any downstream liabilities.
  • Re-evaluate corporate policies frequently.
  • Develop IT governance and change control.
  • Ensure security addendums in contracts.
  • Introduce continual risk assessment to monitor the relevant vendor markets.
    • Regularly review your risk assessment documents for new risks and evolving likelihoods.
  • Be adaptable and allow for innovations that arise from the current needs.
    • Capture lessons learned from prior incidents to improve over time, and adjust your strategy based on the lessons.

Organizations must review their risk assessment documentation, considering the likelihood of incidents in the global market.

Pandemics, data breaches, ransomware, and wars that affect global supply chains are current realities, not unlikely scenarios.

Ongoing improvement

Incorporating lessons learned

  • Over time, despite everyone’s best observations and plans, incidents catch us off guard.
  • When it happens, follow your incident response plans and act accordingly.
  • An essential step is to document what worked and what did not – collectively known as the “lessons learned.”
  • Use the lessons learned document to devise, incorporate, and enact a better risk management process.

Sometimes disasters occur despite our best plans to manage them.

When this happens, it is important to document the lessons learned and improve our plans going forward.

The “what if” game

1-3 hours

Vendor management professionals are in an excellent position to help senior leadership identify and pull together resources across the organization to determine potential risks. By playing the "what if" game and asking probing questions to draw out – or eliminate – possible adverse outcomes, everyone involved adds their insight into parts of the organization to gather a comprehensive picture of potential impacts.

  1. Break into smaller groups (or if too small, continue as a single group).
  2. Use the Security Risk Impact Tool to prompt discussion on potential risks. Keep this discussion flowing organically to explore all potentials but manage the overall process to keep the discussion pertinent and on track.
  3. Collect the outputs and ask the subject matter experts (SMEs) for management options for each one in order to present a comprehensive risk strategy. You will use this to educate senior leadership so that they can make an informed decision to accept or reject the solution.
Input / Output
  • List of identified potential risk scenarios scored by likelihood and impact
  • List of potential management of the scenarios to reduce the risk
  • Comprehensive risk profile on the specific vendor solution

Materials
  • Whiteboard/flip charts
  • Security Risk Impact Tool to help drive discussion

Participants
  • Vendor Management Coordinator
  • Organizational Leadership
  • Operations Experts (SMEs)
  • Legal/Compliance/Risk Manager

Download the Security Risk Impact Tool

High-risk example from Security Risk Impact Tool

This vendor supports a hospital's legacy electronic medical records (EMR) system during a transition to a new implementation. The vendor seems to be secure at this point despite having had issues in the past, but it is known that it has a lot of n-party vendors across the globe.

Low-risk example from Security Risk Impact Tool

This local support vendor services an on-premises application that is business critical. Security has role-based access and activity monitoring. Several scores have been re-weighted to reflect that the business requires that all vendors have a negotiated contract and that due diligence is performed.
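As an added illustration of R = L × I and of the high-risk and low-risk vendor examples above (example code written for this page, not Info-Tech’s Security Risk Impact Tool), the register below scores weighted likelihood and impact factors per vendor, classifies the result into tiers, and maps n-party dependencies. The factor names, weights, tier thresholds, the worst-case score for an unmapped n-party vendor, and the rule that a vendor inherits the likelihood of the weakest vendor in its chain are all assumptions chosen for this example.

```python
"""Vendor risk register: weighted likelihood/impact factors, R = L x I, and n-party
dependency mapping. Hypothetical example code, not Info-Tech's Security Risk Impact Tool."""
from dataclasses import dataclass, field

# Weights are constructed for this example; an organization re-weights them to
# reflect its own requirements (e.g. every vendor must have a negotiated contract).
LIKELIHOOD_WEIGHTS = {
    "prior_incidents": 0.35,          # lawsuits, penalties, breaches found in due diligence
    "questionnaire_gaps": 0.25,       # missing or suspicious answers on the assessment
    "no_contract_protections": 0.20,  # no security addendum or n-party clauses
    "no_due_diligence": 0.20,         # assessment stale or never performed
}
IMPACT_WEIGHTS = {"data_sensitivity": 0.5, "business_criticality": 0.5}
UNMAPPED_LIKELIHOOD = 5.0  # assumption: an unmapped n-party vendor scores worst case


@dataclass
class Vendor:
    likelihood: dict                                 # factor -> score 1 (low) .. 5 (high)
    impact: dict
    depends_on: list = field(default_factory=list)   # names of n-party vendors


def weighted_score(factors, weights):
    """Weighted average of 1..5 factor scores; every weighted factor must be present."""
    if abs(sum(weights.values()) - 1.0) > 1e-9:
        raise ValueError("weights must sum to 1")
    for name in weights:
        if not 1 <= factors[name] <= 5:
            raise ValueError(f"{name} must be scored 1..5")
    return sum(weights[name] * factors[name] for name in weights)


def effective_likelihood(name, register, seen=None):
    """Own likelihood raised to that of the weakest vendor in the n-party chain
    (simplifying assumption); dependencies missing from the register are unmapped."""
    seen = set() if seen is None else seen
    if name in seen:
        return 0.0  # cycle guard: this vendor was already counted on another path
    seen.add(name)
    vendor = register[name]
    own = weighted_score(vendor.likelihood, LIKELIHOOD_WEIGHTS)
    downstream = [effective_likelihood(d, register, seen) if d in register
                  else UNMAPPED_LIKELIHOOD for d in vendor.depends_on]
    return max([own] + downstream)


def tier(risk):
    """Constructed thresholds on the 1..25 scale of R = L x I."""
    return "high" if risk >= 15 else "medium" if risk >= 8 else "low"


def assess(register):
    """Return {vendor: (L, I, R, tier)} for every vendor in the register."""
    result = {}
    for name, vendor in register.items():
        likelihood = effective_likelihood(name, register)
        impact = weighted_score(vendor.impact, IMPACT_WEIGHTS)
        result[name] = (likelihood, impact, likelihood * impact, tier(likelihood * impact))
    return result


def scores(prior, gaps, contract, diligence):
    return {"prior_incidents": prior, "questionnaire_gaps": gaps,
            "no_contract_protections": contract, "no_due_diligence": diligence}


# Constructed register modelled on the high- and low-risk examples in the text.
REGISTER = {
    "emr-legacy-support": Vendor(scores(4, 3, 2, 2),
                                 {"data_sensitivity": 5, "business_criticality": 4},
                                 depends_on=["offshore-hosting", "unknown-subcontractor"]),
    "offshore-hosting": Vendor(scores(3, 4, 4, 4),
                               {"data_sensitivity": 5, "business_criticality": 3}),
    "local-app-support": Vendor(scores(1, 1, 1, 1),
                                {"data_sensitivity": 3, "business_criticality": 4}),
}

if __name__ == "__main__":
    for name, (l, i, r, t) in assess(REGISTER).items():
        print(f"{name:20s} L={l:.2f} I={i:.2f} R={r:5.2f} {t}")
```

Note how the EMR vendor’s own likelihood of 2.95 is pulled to 5.0 by its unmapped subcontractor, which is the modelling point behind the page’s insistence on mapping n-party relationships.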

Summary

Be vigilant and adaptable to change

  • Organizations need to be realistic about the likelihood of potential risks in the changing global environment.
  • Organizations that incorporate proactive risk management processes can prepare for greater success.
  • Bring the right people to the table to outline potential risks in the market.
  • Socialize the third-party vendor risk management process throughout the organization to heighten awareness and enable employees to help protect the organization.
  • Incorporate lessons learned from incidents into your risk management process to build better plans for future issues.

Organizations must evolve their risk assessments to be more meaningful to respond to global changes in the market.

Ongoing monitoring of all associated vendors and those that support them is critical to successfully securing your environment.

Related Info-Tech Research

Identify and Manage Financial Risk Impacts on Your Organization

  • Vendor management practices educate organizations on the different potential financial impacts that vendors may incur and suggest systems to help manage them.
  • Prioritize and classify your vendors with quantifiable, standardized rankings.
  • Prioritize focus on your high-risk vendors.
  • Standardize your processes for identifying and monitoring vendor risks to manage financial impacts with our Financial Risk Impact Tool.

Identify and Manage Strategic Risk Impacts on Your Organization

  • Vendor management practices educate organizations on the different potential risks to vendors in your market and suggest creative and alternative ways to avoid and help manage them.
  • Prioritize and classify your vendors with quantifiable, standardized rankings.
  • Prioritize focus on your high-risk vendors.
  • Standardize your processes for identifying and monitoring vendor risks to manage potential impacts on your strategic plan with our Strategic Risk Impact Tool.

Research Contributors and Experts

  • Frank Sewell
    Research Director, Info-Tech Research Group
  • Steven Jeffery
    Principal Research Director, Info-Tech Research Group
  • Scott Bickley
    Practice Lead, Info-Tech Research Group
  • Donna Glidden
    Research Director, Info-Tech Research Group
  • Phil Bode
    Principal Research Director, Info-Tech Research Group
  • Kate Wood
    Practice Lead, Info-Tech Research Group

Bibliography

“Cybersecurity only the tip of the iceberg for third-party risk management.” Help Net Security, 21 April 2021. Accessed 29 July 2022.

“The Future of TPRM: Third Party Risk Management Predictions for 2022.” OneTrust, 20 December 2021. Accessed 29 July 2022.

“Third-Party Risk Management (TPRM) Managed Services.” Deloitte, 2022. Accessed 29 July 2022.

“Third Party Vendor definition.” Law Insider, n.d. Accessed 29 July 2022.

“Third Party Risk.” Awake Security, n.d. Accessed 29 July 2022.

Tonello, Matteo. “Strategic Risk Management: A Primer for Directors.” Harvard Law School Forum on Corporate Governance, 23 Aug. 2012.

Author

Frank Sewell
