Third Party Risk Management Program (TPRM)
As the use of third-party partners and vendors rises and companies put Third Party Risk Management (TPRM) programs in place, there are important aspects that most companies do not consider. Whether because of internal politics or a lack of time and money, these challenges, if left unaddressed, will put a strain on any organization. In fact, these few items are exactly what cause an otherwise well thought out TPRM program to fail, ultimately costing companies time and money.
1. One of the biggest challenges with TPRM programs is the lack of attention paid to smaller third-party vendors. These vendors do not get the same scrutiny as the large, enterprise-wide, revenue-driving partnerships. Yet many of these smaller relationships can be the riskiest of all: they often require an individual or a group of people to be granted access, and in transaction volume they can exceed the more formal partnerships.
2. Companies that risk-rate vendors rarely act on that risk beyond semi-annual or annual updates to the SIG (Standardized Information Gathering questionnaire) or whatever methodology they use to score. Most of the time the scores are filed away and not looked at again until the next review. If a vendor is breached, or a non-employee's access is compromised, how does the organization remove that access today? Or, before that, how does it even know who has access?
3. TPRM programs rarely consider how the company will use risk information after the vendor has been rated, nor do they manage risk all the way down to the individuals who are being granted access. This holds no matter how large or small the partner is; in fact, the business drives much of the momentum and likely does not even realize the risk it is placing on the organization.
Thoughts from the Teams Involved…
From a vendor risk perspective, the TPRM team is going to say, who cares? We have protections in our contracts and expectations of how data is being managed by our third parties.
While this may be true, it does not protect the organization when, not if, a vendor is breached, and it does not ensure that the organization's IT Security team can react and quickly disable the non-employee identities from that partner which still have access.
The business is going to say… We are going to hire people to get the job done. This is true regardless of the industry:
- In healthcare, organizations need to leverage affiliates, doctors, nurses, medical students and contractors.
- In insurance, agencies, agents and third parties make up much of the non-employee population.
- In finance, companies leverage external agents, smaller agencies, contractors, and so on.
Each industry has its own set of challenges when it comes to leveraging third-party non-employees.
Last, but not least, there is the IT Security team, which at this point is ultimately responsible for the risk posed to the organization by anyone who is granted access to potentially sensitive data and/or locations. The problem is with people from outside the organization. These non-employees are being brought in by people all over the company, with no single department responsible for a standardized process, for the systems that manage them, or for an overall strategy. This is a risky population. See this article to learn more about these challenges.
Once a company brings on an approved vendor, the risk is still external to the organization: until people from the partner are brought in and granted access, the risk is limited. Once a vendor is approved, however, it is "the wild west" in terms of the business leveraging non-employees from that partner. Now that non-employees are being brought into the business, the risk has been operationalized, and if it goes unmanaged this can become the riskiest population of individuals a company has to manage, and one that most companies currently cannot.
The reality is that companies are on a path to rely on vendor management and/or third-party risk management to protect the organization without realizing that the risk has only just begun. Risk assessments, contracts and third-party risk strategies do not on their own give the information security team what it needs to understand and manage risk as part of an enterprise risk management strategy: even the most effective assessment captures only point-in-time data on the vendor, not a holistic picture of third-party risk from entity to identity. At SecZetta, we call this not Minding the Third Party Gap.
Think about it this way, the best home security system only works when you control and manage those who have access to the passwords and keys to entering and exiting your home.
It isn't that TPRM programs will always fail; but if the strategy does not address the third party gaps, it isn't a matter of if but when it will fail.
Reasons for a Third Party Gap
- Lack of a consistent authoritative source for non-employees makes automating and governing their access impossible. Faced with this, many organizations try to build a homegrown solution or customize an HR or IGA (identity governance and administration) system, with limited success. All of these approaches run into significant unforeseen challenges and high costs.
- Lifecycle processes for non-employees vary greatly. Non-employee populations are often managed differently, and the business requirements surrounding each type can vary from one to the next. The one-size-fits-all approach offered by systems not purpose-built for this does not work.
- Managing third parties is all about maintaining relationships, and relationships are essential to managing identities correctly. A good system for managing third parties should have relationship management at its foundation. Each non-employee has a number of relationships that are unique to them: a relationship to an internal sponsor, to the partner for whom they work, and eventually to the access they are granted.
- Humanics risk is usually not considered as a factor when granting and governing access. Your organization may evaluate the risk of vendors and partners, but it is usually a red light, green light situation: once the risk team has evaluated the organization and given the green light, access is requested and often granted without further consideration.
The bottom line: most organizations are good at on- and off-boarding employees. In fact, there is an entire department (HR) and system of record (HRMS) dedicated to ensuring these processes are maintained and working. For non-employees there is no one department responsible, which is why organizations struggle with this population, and why even the best TPRM strategy will fail when it is not connected to a well thought out third-party identity program.
As the use of third-party vendors expands and evolves, Security’s methods for managing risk must evolve as well. Information security teams should ensure third parties adhere to the company’s security needs (whether that requires a full risk assessment and active monitoring or something with a much lighter touch), while also linking and filling the gaps that exist between TPRM and IAM teams.
There are a few reasons why current efforts at third-party risk management are failing at many companies – and failing expensively at that.
1. Security's visibility into third parties is declining sharply: With the proliferation of business-led IT purchases, more and more business units hire third parties without first consulting assurance functions such as Information Security and Procurement. Third-party products and services are more numerous, accessible and attractive than ever to managers whose incentives push them to hit objectives as fast as possible without considering the risk exposure.
As more members of the business play a greater role in technology, the way information security teams engage must focus on both increased security and impact on business speed and efficiencies.
2. Use of third parties is exploding: Information Security's resources are already stretched thin, and much of the business is becoming more and more reliant on outside vendors. Over half of security leaders now work with at least double the number of third parties that present information security concerns than they did two years ago.
Given the increasing volume of work and the use of long-tail third parties, Information Security must balance investments between the upfront vendor on-boarding stage of third-party risk management and the business and IT security processes needed to properly on- and off-board third-party identities. Companies should be able to set conditions based on risk during on-boarding, before access is granted. This ensures organizations manage the risk from partner on-boarding all the way to non-employee off-boarding.
3. Third-party breaches are increasing: The Ponemon Institute's 2017 Data Risk in the Third-Party Ecosystem study found that 56% of respondents had been affected by a third-party data breach, up from 49% the previous year. Keeping track of third-party relationships, especially in a large organization, can get very complicated; some organizations easily have 20,000 vendors. Attackers seeking a way into a target look for the weakest link, and often that is a third-party vendor.
4. Regulatory requirements and focus are increasing: Regulators have increased their scrutiny of third-party risk in recent years. Governing bodies have issued official guidance on third-party risk management, prompting information security teams to spend more time on regulatory compliance.
While more regulatory guidance is often a good thing, it has encouraged a "check-the-box" mindset that pushes Security to do the bare minimum to meet each regulation without considering the impact on the broader enterprise risk management strategy and on goals beyond becoming compliant. This is going to change; we expect to see more regulations like the New York State Department of Financial Services Cybersecurity Regulation (23 NYCRR 500), which requires companies to base their cybersecurity program on a risk assessment rather than a one-size-fits-all strategy.
The Challenge to be Overcome
Companies need to think about third-party risk more holistically and not just at the vendor level. Risk should be actionable, and conditions should be met before access is granted. This process ensures that a company not only looks at third-party risk at the vendor level but can also manage it down to the identity level. Companies spend a lot of money on the employee lifecycle, from how they hire to how they grant and govern access, with a whole lot in between. If companies are investing so heavily in the employee lifecycle, including in how it protects the organization, why are they not doing the same for third parties and the non-employees those third parties bring into the organization?
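The "entity to identity" model this page argues for, and the four gaps listed under Reasons for a Third Party Gap, can be made concrete in code. The following is an added example, not code from this page or from SecZetta's product: a minimal non-employee identity registry in which every external identity is tied to the partner it comes from, an internal sponsor and the access it holds; the vendor-level risk rating and its age are re-checked at the moment access is requested rather than filed away; and a partner breach becomes a single revocation call that also answers "who even has access?". The partner names, identity IDs, entitlements, risk tiers and the one-year assessment-age limit are all assumptions chosen for illustration.

```python
# Added example, not code from the page or from SecZetta's product. It models
# the "entity to identity" view: each non-employee identity is tied to the
# partner entity it comes from, an internal sponsor and the access it holds;
# vendor risk is re-checked at grant time instead of being filed away; and a
# partner breach can be turned into an access revocation in one call.
# Partner names, tiers, entitlements and thresholds are assumptions.
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum
from typing import Optional


class Tier(Enum):
    LOW = "low"
    MEDIUM = "medium"
    HIGH = "high"


@dataclass
class Partner:
    name: str
    risk_tier: Tier        # outcome of the vendor-level assessment (SIG or similar)
    assessed_on: date      # the assessment is point-in-time, so its age is tracked
    breached: bool = False


@dataclass
class NonEmployee:
    identity_id: str
    partner: Partner
    sponsor: str                     # internal employee accountable for the identity
    end_date: Optional[date] = None  # engagement end; drives scheduled off-boarding
    access: set = field(default_factory=set)
    active: bool = True


# Assumed policy: the most a partner of each tier may be granted, and how old a
# vendor assessment may be before the registry refuses new grants.
ALLOWED_BY_TIER = {
    Tier.LOW: {"email", "ticketing", "phi-db", "finance-db"},
    Tier.MEDIUM: {"email", "ticketing", "phi-db"},
    Tier.HIGH: {"email", "ticketing"},
}
MAX_ASSESSMENT_AGE = timedelta(days=365)


class Registry:
    """Authoritative source for non-employee identities."""

    def __init__(self):
        self.identities = {}

    def onboard(self, ne):
        if ne.partner.breached:
            raise ValueError(f"{ne.partner.name} is breached; onboarding refused")
        self.identities[ne.identity_id] = ne

    def grant(self, identity_id, entitlement, today):
        """Risk-conditioned grant: returns (granted, reason)."""
        ne = self.identities[identity_id]
        p = ne.partner
        if not ne.active:
            return False, "identity inactive"
        if p.breached:
            return False, "partner breached"
        if today - p.assessed_on > MAX_ASSESSMENT_AGE:
            return False, "partner assessment stale"
        if entitlement not in ALLOWED_BY_TIER[p.risk_tier]:
            return False, "entitlement exceeds partner risk tier"
        ne.access.add(entitlement)
        return True, "granted"

    def who_has_access(self, entitlement):
        """Answers 'who even has access?' for one entitlement."""
        return sorted(i.identity_id for i in self.identities.values()
                      if i.active and entitlement in i.access)

    def disable_partner(self, partner):
        """Vendor breached: flag it and strip every identity it supplied."""
        partner.breached = True
        disabled = []
        for ne in self.identities.values():
            if ne.partner is partner:
                ne.active = False
                ne.access.clear()
                disabled.append(ne.identity_id)
        return sorted(disabled)

    def offboard_expired(self, today):
        """Scheduled off-boarding of identities whose engagement has ended."""
        expired = []
        for ne in self.identities.values():
            if ne.active and ne.end_date and ne.end_date < today:
                ne.active = False
                ne.access.clear()
                expired.append(ne.identity_id)
        return sorted(expired)


def demo():
    """Runs the lifecycle on constructed sample data and returns the outcomes."""
    acme = Partner("Acme Staffing", Tier.MEDIUM, date(2024, 1, 15))
    bolt = Partner("Bolt Analytics", Tier.HIGH, date(2022, 6, 1))  # review is stale
    clear = Partner("Clear Medical", Tier.LOW, date(2024, 3, 1))
    reg = Registry()
    reg.onboard(NonEmployee("c-1001", acme, "j.doe", date(2024, 12, 31)))
    reg.onboard(NonEmployee("c-1002", acme, "m.lee"))
    reg.onboard(NonEmployee("c-2001", bolt, "j.doe"))
    reg.onboard(NonEmployee("c-3001", clear, "r.chan", date(2024, 9, 30)))
    today = date(2024, 6, 1)
    out = {
        "phi_ok": reg.grant("c-1001", "phi-db", today),
        "finance_denied": reg.grant("c-1001", "finance-db", today),
        "stale_denied": reg.grant("c-2001", "email", today),
        "low_ok": reg.grant("c-3001", "finance-db", today),
    }
    out["phi_holders"] = reg.who_has_access("phi-db")
    out["disabled"] = reg.disable_partner(acme)  # Acme reports a breach
    out["phi_after"] = reg.who_has_access("phi-db")
    out["regrant_denied"] = reg.grant("c-1001", "email", today)
    out["expired"] = reg.offboard_expired(date(2024, 10, 1))
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The point of the example is where the checks sit: the vendor's tier and assessment date are consulted at every grant, so a rating that has gone stale blocks new access instead of sitting in a spreadsheet, and because each identity records its partner, the breach response is a lookup rather than an e-mail hunt for "who sponsored whom". In a real deployment the registry would feed an IGA or directory rather than hold access itself.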
Organizations can’t afford to keep ignoring the Third Party Gaps!