Key Strategies for CISOs to Effectively Address Third-Party Risks


The methods currently used to evaluate and manage third-party risk are inefficient and time-consuming. To address the business exposure they leave behind, CISOs need to adopt a new set of principles.

IT and security leaders must involve stakeholders to develop a policy, identify threats, and promote predetermined mitigations in order to address exposure to third-party cyber threats.

CISOs should be more forthright about what they expect from third parties. Those expectations should spell out the minimum controls and standards required to protect the business from unacceptable risk, rather than defaulting to terminating third-party relationships.

Determine Third-Party Risk Scope and Policy

It is impossible to manage third-party cyber risk in isolation. To be successful, business leadership, legal counsel, supply chain, procurement, and other key stakeholders must be involved to set expectations and enforce standards.

Security leaders can start by determining the full range of third parties the company interacts with. In addition to IT suppliers and vendors that operate on the network, this may include supply chain partners, customers, business partners, and even regulators.

The second phase is to separate low-risk from high-risk third-party engagements. Deciding which cybersecurity risks the company is willing to accept should be a joint effort with the board of directors or the risk committee.


The next step for CISOs is to set non-negotiables, or minimum requirements, for each risk scenario. These requirements can be distributed both internally and externally: published on external-facing sites, written into procurement engagement requests, and incorporated into third-party codes of conduct.

To tie everything together, a robust third-party risk policy should be documented. It outlines the expectations, the categories of third parties that warrant examination, and how their security capabilities will be evaluated by business, IT, procurement, and other stakeholders.

Adopt a Triage Strategy 

Many regulations require an evaluation of third-party security capability. However, asking suppliers about their security procedures in a questionnaire does not verify that the controls are actually in place, that they are enforced consistently, that they won't fail, or that they are foolproof. It also consumes a great deal of the CISO's time in analysis rather than in addressing issues.

Most regulations demand that the analysis be proportionate to the severity of the threat the third party poses. A triage strategy lets CISOs scale the depth of analysis to that threat and focus effort on the engagements that warrant it.

For each third party, consider the following:

  • Do they have access to, store, or handle customer or sensitive data?
  • Do they physically or virtually access the company’s technology network?

If the answer to both questions is no, security checks may not be necessary. If the answer to either or both questions is yes, the next step is to decide which mitigations are required.

For example, a third party that stores sensitive business data but no consumer information, and has no access to the company's systems, may fall into a "medium" category that calls for a passive perimeter scan, possibly using a security rating service. Note that such a scan only observes the third party's externally exposed attack surface; it says nothing about how the data is protected once inside their environment, so the tier should reflect what the check can actually verify.

Encouraging stakeholders to include these checks in their interactions with third parties is also crucial.

For example, procurement can specify evaluation criteria in engagement requests so that higher-risk third parties are screened before their functional capabilities are assessed. Legal can add contractual clauses covering specific obligations, such as providing certification reports, notifying the company of breaches, meeting encryption requirements, and remediating control gaps.

These steps help in integrating external cybersecurity safeguards into the business processes of the enterprise.

Create Predetermined Actions against Third-Party Risks

Despite substantial investment in measuring third-party risk, the majority of assessments result in no action. There is usually a disconnect between the findings of the analysis and the CISO's ability to translate them into actions the organization can take.

A predefined set of actions gives the business practical responses to common third-party risk scenarios and helps CISOs mitigate them. CISOs should compile a list of likely threats and their countermeasures and extend it over time as new scenarios arise.


Implement a Monitoring and Reporting Strategy

Monitoring and reporting on third parties needs to be an ongoing process. Many CISOs already track some third-party threats, such as those from IT vendors. However, the CISO should not be the sole owner of this activity. Combining external services, internal governance, and third-party self-reporting is a best practice.

CISOs must put a plan in place for monitoring third-party risk by dedicating resources to maintain the cyber-risk register, respond to shifting risk factors, and disclose concerns to key stakeholders.
