#RSAC: Rethinking Third-Party Risk Management
Todd Inskeep, principal, cyber security strategy with Booz Allen Hamilton, began his RSA Conference 2019 talk with a picture of a three-legged race because it represented the relationship necessary to win. It worked as a perfect metaphor for third-party risk management.
Inskeep said that organizations need to have their own information security program in sync with their third-party vendors’ infosec programs in order to best address risk management.
There are two questions you need to ask to put together an effective risk management assessment. First, how do you demonstrate to other people that you have a good security program? “I think there is some advantage to pushing the idea that I have a good program,” said Inskeep. Rather than forcing someone to answer long questionnaires, he advised telling your vendors your security approach.
The second question is how you manage your third parties and that risk? “Most companies are suppliers and customers, so you have to look in both directions,” he said.
To demonstrate your information security program, build your own shareable document that describes your program that can be distributed by your sales and business teams, he added. It should highlight what you are doing to protect your company.
To manage risk from vendors, Inskeep said there are two types of third-party risks: what you can control and what you can’t, and the only thing you can control is contract liability.
Contracts surrounding risk management shouldn’t be a one-size-fits-all approach. It’s important to capture unique requirements and jurisdiction is going to play an even bigger role, thanks to different breach and privacy laws in every state and country.
Inskeep recommended your security team having relationships with your customers’ security teams. As the cloud and other technologies have us more interconnected, you want to know how your customers’ CISOs operate their security program.
“If you can do a joint exercise to figure out how to respond together in an incident, that’s useful for both parties.”
Source: Information Security Magazine