Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

3/28/2019
10:30 AM
Brandon Dobrec
Brandon Dobrec
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
0%
100%

Everything I Needed to Know About Third-Party Risk Management, I Learned from Meet the Parents

How much do you trust your vendors? You don't have to hook them up to a polygraph machine because there are better ways to establish trust.

Companies are increasingly dependent upon third parties to support key factors of their operations — from accounting or HR functions to building maintenance and landscaping. However, these relationships can also expose companies to cybersecurity risks based on the cybersecurity posture of the third parties. According to the Ponemon Institute, 56% of organizations have experienced a data breach caused by a third-party vendor, and 42% have suffered a data breach caused by an attack on one of their third parties.

In thinking about the third-party risk management, I realized that one popular movie series — the Meet the Parents series, starring Robert De Niro and Ben Stiller — teaches us some valuable lessons.

Establish Your "Circle of Trust"
While in Meet the Parents the Circle of Trust referred to specific people, a company's Circle of Trust should actually be constructed of multiple factors — and potentially multiple circles. This goes far beyond simply signing contracts with cybersecurity language; it involves continuous steps to ensure your partner is actually doing what they say they are (more about that below).

Specific focus areas for establishing your Third-Party Circle of Trust include: identifying the data/systems to which specific third parties will need access, establishing acceptable levels of cyber-risk that your company is willing to accept, determining the partners' cybersecurity practices/enforcement, and setting a baseline for continuous partner monitoring.

Trust in Processes, but Verify Continuously
In the first movie, De Niro's character, Jack Byrnes, subjects his daughter's fiancée, Greg Focker (played by Stiller) to an over-the-top polygraph test. The funny scene ultimately shows the counterproductive reliance on one-time audits or assessments of third-party partners: Summoning partners to periodic questionnaires, interviews, audits, or other scrutiny might look intimidating, but the movie shows us that for all its good intentions, you can't rely on these traditional methods for fully mitigating cyber-risks (even if your interview questions are much less awkward!). 

We're seeing an encouraging shift within contract negotiations that is bringing cybersecurity into the discussion earlier and bringing lengthy, security-focused addendums to these contracts. While adding cybersecurity to the contract is a good step, it is critical for vendors to follow through on these contracts to verify that the partner is complying with the agreed-upon cybersecurity requirements.

I'm Watching You
After determining that a third-party vendor has acceptable-or-better cybersecurity policies and practices and establishing a relationship, it is incumbent upon you to reinforce protection through continuous monitoring. While you do not need to be quite as invasive as De Niro's Byrnes, you should have eyes on your partners 24/7/365 with technologies sending real-time alerts if something is amiss.

Even (Over)protective Security Pros Seldom Make the Final Decision
The humor of the Meet the Parents franchise is that when two people meet and fall in love, it's the integrity, compassion, and relationship between them that matters most — yet parents, friends, and other "advisers" tend to exert a lot of advice. This is well intended (we all love to have people we can trust to look out on our behalf or confide in), but again, it can be counterproductive when advice is subjective and poorly reasoned and, frankly, is ultimately a decision outside their purview.

The nature of business partnerships is different from personal relationships, but both hinge on trust, transparency and an embracing an opportunity for both parties, together. No one can ever seriously promise that bad things will not happen, but if the integrity and shared stakes truly matter, all sides do their part to realize the benefits. This is where security pros need to play the role of the "grounded friend" or "loving parents" we all trust.

Lessons Learned
As cyber-risk managers, we should anticipate the factors framing a prospective business relationship, respectfully speak up about the risks that exist, be available for in-depth conversations, and do our duty to make sure the right questions and variables are being asked and weighed, respectively — and then accept that a decision is going to be made whether we agree, or not.

No one needs a "Jack Byrnes" flying around the world to polygraph suppliers. A better strategy is to embed cyber-risk conversations deeper in every part of the third-party partner life cycle, so that security pros feel empowered enough not to overreach — and executive "suitors" can be armed with the facts and leeway necessary to manage their relationships.

Related Content:

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Brandon Dobrec has dedicated his career to cybersecurity, particularly to delivering the comprehensive threat data, intelligence, and tools required for organizations to minimize their business risk. Since joining LookingGlass in September 2016, Brandon has served as an ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
StephenGiderson
50%
50%
StephenGiderson,
User Rank: Strategist
4/26/2019 | 1:14:16 AM
Take what's good
It is actually not a bad idea afterall to bingewatch certain movies. Some of them have really useful plots that we can all learn from and apply into our daily lives. Sometimes, it is not just about entertainment but it is also about extracting the good in them.
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: He still insists that security by obscurity is the way to go.
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-9681
PUBLISHED: 2019-09-17
Online upgrade information in some firmware packages of Dahua products is not encrypted. Attackers can obtain this information by analyzing firmware packages by specific means. Affected products include: IPC-HDW1X2X,IPC-HFW1X2X,IPC-HDW2X2X,IPC-HFW2X2X,IPC-HDW4X2X,IPC-HFW4X2X,IPC-HDBW4X2X,IPC-HDW5X2X...
CVE-2019-9009
PUBLISHED: 2019-09-17
An issue was discovered in 3S-Smart CODESYS before 3.5.15.0 . Crafted network packets cause the Control Runtime to crash.
CVE-2018-20336
PUBLISHED: 2019-09-17
An issue was discovered in Asuswrt-Merlin 384.6. There is a stack-based buffer overflow issue in parse_req_queries function in wanduck.c via a long string over UDP, which may lead to an information leak.
CVE-2019-12755
PUBLISHED: 2019-09-17
Norton Password Manager, prior to 6.5.0.2104, may be susceptible to an information disclosure issue, which is a type of vulnerability whereby there is an unintentional disclosure of information to an actor that is not explicitly authorized to have access to that information.
CVE-2019-14826
PUBLISHED: 2019-09-17
A flaw was found in FreeIPA versions 4.5.0 and later. Session cookies were retained in the cache after logout. An attacker could abuse this flaw if they obtain previously valid session cookies and can use this to gain access to the session.