With the daily reports of large breaches and organizations' increasing dependence on other organizations for technology solutions, there is no question that third-party risk management is becoming a topic that must be addressed.
The problem is:
There’s very little clear guidance on what to look for in vendors to be sure they have strong security.
So, I decided to find security leaders in the industry who have experience with mitigating third-party risk and ask them one question:
When implementing a vendor risk management program for an organization, what is the one question that you would ask a potential vendor or service provider to gauge their security posture?
Let me assure you, the insights I received from these 7 security leaders were amazing!
I’ve listed them all below.
Look for awareness training
Miguel Silvestre, CEH – Security, Privacy, and Risk Associate
I think that one of the prevalent issues in risk and security is user awareness training. So if I could ask a potential vendor a question, it would be, “Do you carry out end-user security awareness training and/or assessments and what does it involve?”
What’s your incident response?
Mireya Melendez, Manager, Audit & Readiness | Security Engineering Manager | IT Management Professor
What is your most effective strategy to implement in an organization to manage Incident Response and continuously monitor their information security?
How do they handle their third parties?
Adam Gordon, Edutainer & SME | ITPROTV
I counsel my clients to Always Be Prepared, focusing on risk wherever and whenever it may appear.
I would ask how the vendor or service provider applies that philosophy in their operations both internally and externally with their own extended supply chain, and I would want specific/documented examples of the controls/countermeasures and verification mechanisms employed to support the answers.
For instance, do they respond by citing NIST SP 800-161, NIST HB 162, ISO/IEC 27000 and 27001, and the CSA Cloud Controls Matrix as examples of guidance being employed to manage risk?
If the vendor is able to provide a coherent and meaningful response, then I would be interested in a dialogue that may lead to partnership. If, on the other hand, the vendor questions the need to discuss the request and provide honest answers within reason, then I would tell my client that we need to look elsewhere for services.
Look for organized frameworks
Christopher Foulon, Senior Cyber Risk Management Consultant
Has your organization implemented a framework like NIST CSF to ensure that you have controls across the different domains and have moved from a compliance-based approach to a risk-based approach?
Do you know your data flows?
Randall McNeely, President – Cybersecurity Risk and Technology Consultant
How well do you understand the data flows coming into and exiting your network and what are you doing to securely control them? In other words, how well do you understand your attack surface and what are you doing to shrink it to the smallest size possible?
What an amazing collection of useful advice.
Now I want to turn it over to you.
What is your top third-party risk management question for gauging supplier security practices? Let me know by leaving a comment below right now.