Gregory C. Rasner - Cybersecurity and Third-Party Risk

Third‐party risk (or supply‐chain security) are not new disciplines, and there have been frameworks, regulatory directives, professional certifications, and organizations that all attest to its maturity. Cybersecurity could be considered more mature, since it has been around in some form since computing came of age in the 1970s. Nowadays, it's even more complex in terms of frameworks, disciplines, certifications, regulatory guidance and directives, and avenues of study. Why do the surveys, time after time, indicate that well over 50 percent of organizations do not perform any type of Third‐Party Risk Management (TPRM), and even fewer have anything other than an ad hoc cybersecurity due diligence program for vendors? Reasons for this lack of attention and collaboration can be found in hundreds, if not thousands, of breaches and security incidents that were the result of poor third‐party oversight and a lack of any due diligence and due care for the vendors' cybersecurity.

This book is designed to provide a detailed look into the problems and risks, then give specific examples of how to create a robust and active Cybersecurity Third‐Party Risk Management program. It begins by covering the basics of the due diligence processes and the vendor lifecycle, with models and illustrations on how to create these basic but necessary steps. Then it goes more in depth about the next parts in the creation of a mature program: cyber legal language, offshore vendors, connectivity security, software security, and use of a predictive reporting dashboard.

The book is designed to not only help you build a program, but to take an existing program from one of compliance checkbox work to an active threat‐hunting practice. Many programs that do currently exist are designed and run as an obligation to “check a box” for a regulator or an internal auditor. Yet, no one has ever secured their network or data by doing only what the regulators told them to do. Security is an ongoing activity that requires its application in third‐party risk to be equally active and ongoing. Its activities and results should emulate a cyber operations or threat operations team that focuses its efforts on reducing cybersecurity threats externally at the suppliers. Get away from checking boxes and filling out remote questionnaires and take a risk‐based approach that engages your highest risk and/or most critical third parties in conversations to build trust and collaboration to lower risk for both your organization and the vendor.

A superset of cybersecurity, third‐party risk, and executive leadership will benefit the most from reading this book. On the cybersecurity side, analysts to senior leadership will be able to take their information security knowledge and experience to perform the hands‐on work and management of third‐party risk, while third‐party risk professionals will better understand and appreciate the need to include a more robust cybersecurity risk domain. Executive and senior leadership in business who are not focused on cybersecurity or third‐party risk will gain an understanding of the risk, practice, and frameworks, and how to lower their risk for a cybersecurity event at their vendors.

This book is divided into two sections. Section 1, titled “The Basics,” lays the case for the need of a robust and active Cybersecurity Third‐Party Risk Management program as well as the necessary and basic due diligence activities and processes needed. These are not basic as in “simple,” but in terms that they are the foundation necessary to building a mature program, which is covered in Section 2, titled “Next Steps.” This section details what comes next, after you have built the basic foundation. This “Next Steps” section describes cyber legal language, cloud security, software security, connectivity security, offshore vendors, and how to build predictive reporting that focuses on the highest risk vendors.

Chapter 1opens with a detailed description of risk by using examples of the SolarWinds and other supply‐chain attacks, which happened in late 2020, as prime examples of how the threat actors have evolved both in their identity and tactics. Examples are also provided in a long list of companies who have lost their data due to a vendor that did not take due care with their data. Chapter 2provides some basics on cybersecurity. This book does not require the reader to be a cybersecurity or third‐party risk expert, but it does require that a few concepts are defined and frameworks are covered for both topics to ensure all readers are at a set level. Chapter 3delves into how the COVID‐19 pandemic affected the security landscape and how quickly the attackers adapted to new opportunities. What happens when the pandemic is over and how it will change behaviors and business in ways that will become the new normal will mean a continued increase in cybercriminal activity.

Chapter 4is an in‐depth look at Third‐Party Risk Management (TPRM) and is included to provide a set level for the readers as well as to tie the cybersecurity and TPRM concepts together, as both domains are aimed at identifying and managing risk. Chapters 5through 9cover the vendor lifecycle of intake, ongoing security, and offboarding due diligence activities Chapter 5reviews the activities and requirements for vetting and performing security assessments of new vendors or services from existing suppliers. Chapter 6describes ongoing cybersecurity due diligence activities such as remote assessments. Chapter 7is then devoted to the important complex topic of on‐site assessments, which are essential due diligence processes for the physical validation of security controls at a vendor site and the gold standard for assurance.

Chapter 8covers the Continuous Monitoring (CM) program and how it is a crucial security control for vendors for the times in between the point‐in‐time assessments. Building a robust CM program means taking a set of tools and internal data to engage vendors on potential real threats that they may be unaware of and reducing risk collaboratively. Chapter 9, the last chapter on the vendor lifecycle, discusses offboarding. Many firms overlook this part of the lifecycle, so this chapter covers the critical steps and due diligence that must be done to ensure there's no risk to the data or connectivity from a vendor.

Section 2 begins with Chapter 10, which discusses the large topic of the cloud. The shared responsibility model is discussed and how it affects the security controls that your vendor is responsible for and what they have outsourced to the Cloud Service Provider (CSP). Cybersecurity, offshore vendors, cloud and privacy legal language and process is covered in Chapter 11; and then Chapter 12details in depth the possible ways to test and perform due diligence on third‐party software. Connectivity to a vendor is a unique risk that opens a whole organization's network and data to an attacker traversing from the vendor or exploiting the hardware they use to connect, and is discussed in Chapter 13. Chapter 14contains details on how to manage offshore vendor risk, while Chapter 15wraps up with ways to take all the data collected with the due diligence and other cybersecurity activities to become more predictive for risks and produce reports.

The notes found sprinkled throughout this book are designed to provide an example or expansion on topics that bring the topic (either in the chapter or the book as a whole) into a real‐world illustration or in‐depth analysis. Tips are added in the book to deliver information to the reader on how to improve a process or activity (or a common pitfall to avoid), while definitions help the reader to understand the concepts involved.