Cyber CEO: 3 Key Components for Resilient Third Party Risk Management

April 26, 2021

Third-party risk is a hot topic in the world of cybersecurity. The recent SolarWinds breach was a tough reminder that technological advancement will always carry inherent risks. In the wake of the pandemic, we continue to see rapid digital transformation – including big changes to the way enterprises require and engage third parties.

I joined Art Coviello, board member at SecZetta Inc. (former CEO of RSA Security) for a virtual fireside chat last week to chat about third-party risk. One thing is certain: it’s more difficult than ever to define and identify third parties and you can’t protect your enterprise against something you can’t identify!

Before the pandemic, the typical network security perimeter made it easy to differentiate between our teams and external groups. Today, the way we give access to our employees is generally the same way we give access to third parties. Without a mature security program, this can lead to some messy and sometimes catastrophic situations.

Commerce is now advancing at a speed that makes it extremely difficult for infosec professionals to keep up. Gartner’s Third-Party Risk Management Framework puts it best – “Leaders find themselves in the middle of what feels like an unwinnable war: one that demands risk oversight while maintaining speed.”

So where does that leave us? How can we face what feels like “an unwinnable war” between security and effective business operations? Believe it or not – I don’t think the two need to be at odds as we move forward. I truly believe there’s a way to balance both in a way that is mutually beneficial. Imagine that – a world where strong cybersecurity enables business and third-party engagement. As Art and I discussed in depth – it comes down to prioritizing 3 essential pieces.


Identity Governance

Before 2020, the general enterprise attitude toward Identity Governance was “we have time to figure it out.” Then COVID-19 hit. Cloud-based work and online accessibility are now essential – and it’s not just internal teams that need to be able to access your network. Clients, vendors, and partners require it, too. Identity Governance allows your cybersecurity team to decide who has access to what and when – a critical capability when you have internal and external parties requiring access to different parts of your enterprise network! A third-party vendor doesn’t need the same access as your business development team. A strong Identity Governance program is more critical than ever.

That being said, developing a solid Identity Governance strategy is no small feat. Laying a firm foundation that sets you and your team up for success is key. It’s a planning process of defining roles and endpoints, tactically rolling out tools and processes, and building the architecture to maintain and improve moving forward.

A good Identity Governance program will allow you to:

  • Identify and define who your internal and external users are
  • Authenticate their identity
  • Understand what they are doing with the access they have


Privileged Access Management

Privileged Access Management (PAM) takes Identity Governance one step further. Identifying endpoint users is a great starting point. Next, you’ve got to monitor and maintain those that have privileged access. PAM includes using tools and expertise to analyze third-party behavior and detect any unusual conduct. Negligent PAM has led to some of the worst cyber-breaches in the past decade. Think back to the 2019 Capital One breach. A former employee of a third-party vendor was able to hack in and gain access to 100 million credit card applications and accounts. To this day, it remains one of the biggest data breaches in history.

PAM also includes making sure former employees, vendors, or collaborators no longer have privileged access. Develop a process starting with your Legal and Compliance teams to ensure the right privileged access is given and only for the necessary amount of time. The process should include a thorough assessment of all potential third-party vendor cybersecurity. When engaging a third party, ask questions and look for indicators of best cybersecurity practices that align with yours. Streamlining this due diligence frees your security team to focus on critical risks.

An effective PAM program will allow you to:

  • Identify unusual end-user behavior that could signify malicious activity
  • Give necessary privileged access to internal and external parties
  • Systematically de-provision those who don’t require privileged access

Privileged Access Management is a tedious but significant task that is often overlooked. Don’t let it become your enterprise’s Achilles heel.
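The PAM capabilities listed above (time-bound privileged grants, systematic de-provisioning of former vendors, and spotting activity that no current grant explains) are easier to reason about against a concrete access ledger. The script below is an added illustration written for this page, not code from the post or from Herjavec Group; the identities, dates and the 30-day third-party term limit are constructed assumptions. It reviews a ledger of privileged grants, classifies each one that should be revoked or re-approved, and flags privileged sessions that no valid grant backs, which is the simplest form of the "unusual end-user behavior" signal the post describes.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Grant:
    principal: str                  # identity holding the privilege
    party: str                      # "employee" or "third_party"
    privilege: str                  # e.g. "prod-db-admin"
    granted_at: datetime
    expires_at: Optional[datetime]  # None = open-ended; the review treats that as a finding


@dataclass(frozen=True)
class Session:
    principal: str
    privilege: str
    at: datetime


# Assumed policy value: a third-party privileged grant may not run longer than 30 days.
MAX_THIRD_PARTY_TERM = timedelta(days=30)


def utc(y: int, m: int, d: int) -> datetime:
    return datetime(y, m, d, tzinfo=timezone.utc)


def review_privileged_access(grants: List[Grant], offboarded: Dict[str, datetime],
                             now: datetime) -> Dict[str, List[Grant]]:
    """Classify every grant that should be revoked or re-approved, keyed by reason.
    Each grant gets at most one reason; checks run from most to least severe."""
    findings: Dict[str, List[Grant]] = {"offboarded": [], "expired": [], "open_ended": [], "over_term": []}
    for g in grants:
        if g.principal in offboarded and offboarded[g.principal] <= now:
            findings["offboarded"].append(g)   # identity has left but access is still on the books
        elif g.expires_at is None:
            findings["open_ended"].append(g)   # grant was never time-bound
        elif g.expires_at <= now:
            findings["expired"].append(g)      # term is over, access was never removed
        elif g.party == "third_party" and g.expires_at - g.granted_at > MAX_THIRD_PARTY_TERM:
            findings["over_term"].append(g)    # approved term exceeds the third-party policy limit
    return findings


def grant_valid_at(grants: List[Grant], offboarded: Dict[str, datetime],
                   principal: str, privilege: str, at: datetime) -> bool:
    """True if some grant covered (principal, privilege) at time `at`
    and the identity had not been offboarded by then."""
    if principal in offboarded and offboarded[principal] <= at:
        return False
    return any(g.principal == principal and g.privilege == privilege
               and g.granted_at <= at and (g.expires_at is None or g.expires_at > at)
               for g in grants)


def flag_unbacked_sessions(sessions: List[Session], grants: List[Grant],
                           offboarded: Dict[str, datetime]) -> List[Session]:
    """Privileged sessions with no valid grant behind them at the time they happened."""
    return [s for s in sessions
            if not grant_valid_at(grants, offboarded, s.principal, s.privilege, s.at)]


# Constructed sample ledger: hypothetical identities and dates, not taken from the post.
NOW = utc(2021, 4, 26)
GRANTS = [
    Grant("alice",        "employee",    "prod-db-admin", utc(2021, 1, 1),  utc(2021, 12, 31)),
    Grant("vendor-bob",   "third_party", "prod-db-admin", utc(2021, 3, 1),  utc(2021, 3, 31)),  # expired
    Grant("vendor-carol", "third_party", "ci-deploy",     utc(2021, 4, 1),  None),              # open-ended
    Grant("vendor-dave",  "third_party", "vpn-admin",     utc(2021, 2, 1),  utc(2021, 8, 1)),   # 181-day term
    Grant("vendor-erin",  "third_party", "prod-db-admin", utc(2021, 4, 20), utc(2021, 5, 10)),  # offboarded
]
OFFBOARDED = {"vendor-erin": utc(2021, 4, 22)}
SESSIONS = [
    Session("alice",        "prod-db-admin", utc(2021, 4, 25)),
    Session("vendor-bob",   "prod-db-admin", utc(2021, 4, 25)),  # grant expired 3/31
    Session("vendor-carol", "ci-deploy",     utc(2021, 4, 25)),
    Session("vendor-erin",  "prod-db-admin", utc(2021, 4, 25)),  # offboarded 4/22
    Session("vendor-frank", "vpn-admin",     utc(2021, 4, 25)),  # no grant at all
]

if __name__ == "__main__":
    for reason, hits in review_privileged_access(GRANTS, OFFBOARDED, NOW).items():
        for g in hits:
            print(f"{reason:<11} {g.principal:<13} {g.privilege}")
    for s in flag_unbacked_sessions(SESSIONS, GRANTS, OFFBOARDED):
        print(f"unbacked    {s.principal:<13} {s.privilege} at {s.at.date()}")
```

Run as a script, the review names vendor-erin (offboarded), vendor-bob (expired), vendor-carol (open-ended) and vendor-dave (term longer than policy allows) as grants to act on, and flags the sessions of vendor-bob, vendor-erin and vendor-frank as activity with no valid grant behind it. The order of the checks matters: an offboarded identity is reported as such even if its grant also happens to be expired, so the de-provisioning queue is not diluted with lesser reasons.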


Board and Executive Team Buy-In

You can’t properly invest in and roll out a comprehensive Identity Governance and Privileged Access Management program without support from your board and leadership team. While most know that cybersecurity is important, it’s often seen purely as an IT or technology issue, leading teams to underestimate the cybersecurity investment and programs needed for the right coverage.

I know what you’re thinking - I’m biased. But from my experience cybersecurity is one of the greatest business enablers. Cybercrime is the biggest threat to businesses today. And when a company is breached, the consequences don’t just fall on the IT department. The average cost of a cyber breach is $3.86 million. Along with operational and reputational damage, the results can be devastating for an enterprise. Securing your organization is securing your team, revenue, trajectory for growth, and reputation.


At the end of the day, the way we engage third parties needs to adjust with the times. While this may feel like a daunting task, the hardest part is knowing where to start. So here is your blueprint! Start with Identity Governance, Privileged Access Management, and garnering Board and Executive Team Buy-In.

Shift your language from technical to commercial to best convey the business enabling benefits of cybersecurity. Your board and leadership team will thank you!

To Your Success, 

I’ve been in infosec for over 30 years and have had the great privilege of evolving and learning as a cybersecurity executive in a space I love. I’m the Founder & CEO of Herjavec Group, one of the world’s most innovative cybersecurity operations leaders. We pride ourselves on keeping enterprises around the world secure from the threat of cybercrime.

This blog has been set up to help me share the insights I’ve gained and experiences I’ve had with all of you…Every month I will post some advice and recommendations for my fellow Cyber CEOs – from current events to forecasted trends, and enterprise security best practices. Make sure to subscribe below and feel free to reach out here with the topics and questions you’d like to see covered!

Let’s collaborate and communicate as we strive to keep our organizations (cyber) safe.
