Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

3/28/2019
10:30 AM
Brandon Dobrec
Brandon Dobrec
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
0%
100%

Everything I Needed to Know About Third-Party Risk Management, I Learned from Meet the Parents

How much do you trust your vendors? You don't have to hook them up to a polygraph machine because there are better ways to establish trust.

Companies are increasingly dependent upon third parties to support key factors of their operations — from accounting or HR functions to building maintenance and landscaping. However, these relationships can also expose companies to cybersecurity risks based on the cybersecurity posture of the third parties. According to the Ponemon Institute, 56% of organizations have experienced a data breach caused by a third-party vendor, and 42% have suffered a data breach caused by an attack on one of their third parties.

In thinking about the third-party risk management, I realized that one popular movie series — the Meet the Parents series, starring Robert De Niro and Ben Stiller — teaches us some valuable lessons.

Establish Your "Circle of Trust"
While in Meet the Parents the Circle of Trust referred to specific people, a company's Circle of Trust should actually be constructed of multiple factors — and potentially multiple circles. This goes far beyond simply signing contracts with cybersecurity language; it involves continuous steps to ensure your partner is actually doing what they say they are (more about that below).

Specific focus areas for establishing your Third-Party Circle of Trust include: identifying the data/systems to which specific third parties will need access, establishing acceptable levels of cyber-risk that your company is willing to accept, determining the partners' cybersecurity practices/enforcement, and setting a baseline for continuous partner monitoring.

Trust in Processes, but Verify Continuously
In the first movie, De Niro's character, Jack Byrnes, subjects his daughter's fiancée, Greg Focker (played by Stiller) to an over-the-top polygraph test. The funny scene ultimately shows the counterproductive reliance on one-time audits or assessments of third-party partners: Summoning partners to periodic questionnaires, interviews, audits, or other scrutiny might look intimidating, but the movie shows us that for all its good intentions, you can't rely on these traditional methods for fully mitigating cyber-risks (even if your interview questions are much less awkward!). 

We're seeing an encouraging shift within contract negotiations that is bringing cybersecurity into the discussion earlier and bringing lengthy, security-focused addendums to these contracts. While adding cybersecurity to the contract is a good step, it is critical for vendors to follow through on these contracts to verify that the partner is complying with the agreed-upon cybersecurity requirements.

I'm Watching You
After determining that a third-party vendor has acceptable-or-better cybersecurity policies and practices and establishing a relationship, it is incumbent upon you to reinforce protection through continuous monitoring. While you do not need to be quite as invasive as De Niro's Byrnes, you should have eyes on your partners 24/7/365 with technologies sending real-time alerts if something is amiss.

Even (Over)protective Security Pros Seldom Make the Final Decision
The humor of the Meet the Parents franchise is that when two people meet and fall in love, it's the integrity, compassion, and relationship between them that matters most — yet parents, friends, and other "advisers" tend to exert a lot of advice. This is well intended (we all love to have people we can trust to look out on our behalf or confide in), but again, it can be counterproductive when advice is subjective and poorly reasoned and, frankly, is ultimately a decision outside their purview.

The nature of business partnerships is different from personal relationships, but both hinge on trust, transparency and an embracing an opportunity for both parties, together. No one can ever seriously promise that bad things will not happen, but if the integrity and shared stakes truly matter, all sides do their part to realize the benefits. This is where security pros need to play the role of the "grounded friend" or "loving parents" we all trust.

Lessons Learned
As cyber-risk managers, we should anticipate the factors framing a prospective business relationship, respectfully speak up about the risks that exist, be available for in-depth conversations, and do our duty to make sure the right questions and variables are being asked and weighed, respectively — and then accept that a decision is going to be made whether we agree, or not.

No one needs a "Jack Byrnes" flying around the world to polygraph suppliers. A better strategy is to embed cyber-risk conversations deeper in every part of the third-party partner life cycle, so that security pros feel empowered enough not to overreach — and executive "suitors" can be armed with the facts and leeway necessary to manage their relationships.

Related Content:

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Brandon Dobrec has dedicated his career to cybersecurity, particularly to delivering the comprehensive threat data, intelligence, and tools required for organizations to minimize their business risk. Since joining LookingGlass in September 2016, Brandon has served as an ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
StephenGiderson
50%
50%
StephenGiderson,
User Rank: Strategist
4/26/2019 | 1:14:16 AM
Take what's good
It is actually not a bad idea afterall to bingewatch certain movies. Some of them have really useful plots that we can all learn from and apply into our daily lives. Sometimes, it is not just about entertainment but it is also about extracting the good in them.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 4/7/2020
The Coronavirus & Cybersecurity: 3 Areas of Exploitation
Robert R. Ackerman Jr., Founder & Managing Director, Allegis Capital,  4/7/2020
'Unkillable' Android Malware App Continues to Infect Devices Worldwide
Jai Vijayan, Contributing Writer,  4/8/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
State of Cybersecurity Incident Response
State of Cybersecurity Incident Response
Data breaches and regulations have forced organizations to pay closer attention to the security incident response function. However, security leaders may be overestimating their ability to detect and respond to security incidents. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-1633
PUBLISHED: 2020-04-09
Due to a new NDP proxy feature for EVPN leaf nodes introduced in Junos OS 17.4, crafted NDPv6 packets could transit a Junos device configured as a Broadband Network Gateway (BNG) and reach the EVPN leaf node, causing a stale MAC address entry. This could cause legitimate traffic to be discarded, le...
CVE-2020-8834
PUBLISHED: 2020-04-09
KVM in the Linux kernel on Power8 processors has a conflicting use of HSTATE_HOST_R1 to store r1 state in kvmppc_hv_entry plus in kvmppc__tm, leading to a stack corruption. Because of this, an attacker with the ability run code in kernel space of a guest VM can cause the host kernel to...
CVE-2020-11668
PUBLISHED: 2020-04-09
In the Linux kernel before 5.6.1, drivers/media/usb/gspca/xirlink_cit.c (aka the Xirlink camera USB driver) mishandles invalid descriptors, aka CID-a246b4d54770.
CVE-2020-8961
PUBLISHED: 2020-04-09
An issue was discovered in Avira Free-Antivirus before 15.0.2004.1825. The Self-Protection feature does not prohibit a write operation from an external process. Thus, code injection can be used to turn off this feature. After that, one can construct an event that will modify a file at a specific loc...
CVE-2020-7922
PUBLISHED: 2020-04-09
X.509 certificates generated by the MongoDB Enterprise Kubernetes Operator may allow an attacker with access to the Kubernetes cluster improper access to MongoDB instances. Customers who do not use X.509 authentication, and those who do not use the Operator to generate their X.509 certificates are u...