Risk

3/28/2019
10:30 AM
Brandon Dobrec
Commentary

Everything I Needed to Know About Third-Party Risk Management, I Learned from Meet the Parents

How much do you trust your vendors? You don't have to hook them up to a polygraph machine because there are better ways to establish trust.

Companies are increasingly dependent upon third parties to support key parts of their operations — from accounting or HR functions to building maintenance and landscaping. However, these relationships can also expose companies to cybersecurity risks that depend on the cybersecurity posture of those third parties. According to the Ponemon Institute, 56% of organizations have experienced a data breach caused by a third-party vendor, and 42% have suffered a data breach caused by an attack on one of their third parties.

In thinking about third-party risk management, I realized that one popular movie series — the Meet the Parents series, starring Robert De Niro and Ben Stiller — teaches us some valuable lessons.

Establish Your "Circle of Trust"
While in Meet the Parents the Circle of Trust referred to specific people, a company's Circle of Trust should actually be constructed of multiple factors — and potentially multiple circles. This goes far beyond simply signing contracts with cybersecurity language; it involves continuous steps to ensure your partner is actually doing what they say they are (more about that below).

Specific focus areas for establishing your Third-Party Circle of Trust include: identifying the data/systems to which specific third parties will need access, establishing acceptable levels of cyber-risk that your company is willing to accept, determining the partners' cybersecurity practices/enforcement, and setting a baseline for continuous partner monitoring.

Trust in Processes, but Verify Continuously
In the first movie, De Niro's character, Jack Byrnes, subjects his daughter's fiancé, Greg Focker (played by Stiller), to an over-the-top polygraph test. The funny scene ultimately shows how counterproductive it is to rely on one-time audits or assessments of third-party partners: Summoning partners to periodic questionnaires, interviews, audits, or other scrutiny might look intimidating, but the movie shows us that, for all their good intentions, you can't rely on these traditional methods to fully mitigate cyber-risk (even if your interview questions are much less awkward!).

We're seeing an encouraging shift within contract negotiations that is bringing cybersecurity into the discussion earlier and adding lengthy, security-focused addendums to these contracts. While adding cybersecurity to the contract is a good step, it is critical to follow through on these contracts and verify that the partner is actually complying with the agreed-upon cybersecurity requirements.

I'm Watching You
After determining that a third-party vendor has acceptable-or-better cybersecurity policies and practices and establishing a relationship, it is incumbent upon you to reinforce protection through continuous monitoring. While you do not need to be quite as invasive as De Niro's Byrnes, you should have eyes on your partners 24/7/365 with technologies sending real-time alerts if something is amiss.

Even (Over)protective Security Pros Seldom Make the Final Decision
The humor of the Meet the Parents franchise is that when two people meet and fall in love, it's the integrity, compassion, and relationship between them that matters most — yet parents, friends, and other "advisers" tend to offer a lot of advice. This is well intended (we all love to have people we can trust to look out on our behalf or confide in), but again, it can be counterproductive when the advice is subjective and poorly reasoned and, frankly, concerns a decision that is ultimately outside their purview.

The nature of business partnerships is different from personal relationships, but both hinge on trust, transparency, and embracing an opportunity for both parties together. No one can ever seriously promise that bad things will not happen, but if the integrity and shared stakes truly matter, all sides do their part to realize the benefits. This is where security pros need to play the role of the "grounded friend" or "loving parents" we all trust.

Lessons Learned
As cyber-risk managers, we should anticipate the factors framing a prospective business relationship, respectfully speak up about the risks that exist, be available for in-depth conversations, and do our duty to make sure the right questions and variables are being asked and weighed, respectively — and then accept that a decision is going to be made whether we agree, or not.

No one needs a "Jack Byrnes" flying around the world to polygraph suppliers. A better strategy is to embed cyber-risk conversations deeper in every part of the third-party partner life cycle, so that security pros feel empowered enough not to overreach — and executive "suitors" can be armed with the facts and leeway necessary to manage their relationships.


Brandon Dobrec has dedicated his career to cybersecurity, particularly to delivering the comprehensive threat data, intelligence, and tools required for organizations to minimize their business risk. Since joining LookingGlass in September 2016, Brandon has served as an ...

Comments
StephenGiderson, User Rank: Strategist, 4/26/2019 | 1:14:16 AM
Take what's good
It is actually not a bad idea after all to binge-watch certain movies. Some of them have really useful plots that we can all learn from and apply to our daily lives. Sometimes, it is not just about entertainment but it is also about extracting the good in them.