Security 360° Perspective: Addressing Third Party Risk
Competing in an age of AI and rapid innovation requires organizations to think globally, act quickly, and rely ever more heavily on an ecosystem of third parties. An organization can delegate work to third-party suppliers, but ownership of the risk stays with the organization. It must therefore maintain internal controls over the selection and oversight of third parties and report third-party risk to its stakeholders. Assessing third parties has become a non-trivial exercise with the advent of artificial intelligence and other transformational technologies.
While organizations have embraced IT transformation, often delivered through third parties, many have taken their eyes off TPRM. According to Forrester, survey respondents ranked third-party risk 18th among enterprise risks, cited by 8% of respondents, down from 20% just a year earlier.[i] North America and Asia Pacific are leading this decline, while Europe dropped only 7%. It is neither time to relax nor time to get stressed out. A simple course correction will do!
Within the Cybersecurity Ecosystem,[ii] the Governance, Risk, and Compliance area includes Third-Party Risk Management (TPRM). TPRM governs the external entities an organization engages with: vendors, suppliers, and partners. Within the NIST Cybersecurity Framework (CSF) v1.1, the Supply Chain Risk Management category (ID.SC) defines five outcomes that can be treated as a five-step process.
- Step 1: An owner is assigned and a process is defined to manage the TPRM program.[iii]
- Step 2: Applicable suppliers and third-party partners are identified and included in the program.[iv]
- Step 3: Contracts are established with providers to meet organizational objectives.[v]
- Step 4: Providers are routinely assessed to verify contractual obligations and identify risks.[vi]
- Step 5: Response and recovery planning is tested with providers.[vii]
The implicit (inherent) risk of a third party is the impact that would result if the third party lacked controls protecting the confidentiality, integrity, and availability (CIA) of the information assets the organization depends on it for. TPRM due diligence must scale with the degree of implicit risk in the relationship: the process defined in step 1 must establish the criteria for inclusion and the standard of due care that each level of risk demands.
A few control frameworks exist that clarify supplier controls and evidence criteria. One of the oldest and most widely used is Shared Assessments, which originated in BITS.[viii] More recently, NIST has published guidance on Cybersecurity Supply Chain Risk Management (C-SCRM).[ix] Note that C-SCRM covers the entire supply chain, including the products and services an organization acquires; our focus here is the TPRM subset.
Adoption should cover both providers already under contract and new providers being considered. Existing contracts typically run for a fixed term, which bounds the exposure from those agreements and provides a natural point, at renewal, to bring the provider into the new process.
Step 1 must create contract templates, preferably tiered by the value of the assets the provider will handle. Step 3 uses the template to establish acceptable provider-specific contracts. Negotiations may strip out desired clauses (for example, right-to-audit or breach-notification terms); negotiators must understand the risk each such concession introduces.
Many organizations outsource TPRM because of the volume of providers in use and the security skills needed to perform assessments. TPRM is a people-centric process, with tools used to track the workflow and collect evidence and outcomes. Look for tools supporting Governance, Risk, and Compliance (GRC) within the Cybersecurity Ecosystem. Cyber Buyer has several partners in this space.[x]
---------------------------------
Donald Borsay is an advisor, auditor, and instructor, with over 20 years dedicated to Cybersecurity. Borsay is a thought leader and Security Advisor for Coyote Brown, supporting Cybersecurity program initiation, assessment, and fractional CISO managed services. Borsay has developed TPRM programs and provided TPRM assessments for several organizations. Feedback is welcome at: Donald.borsay@cyberbuyer.io.
Coyote Brown offers Cybersecurity Advisory, Consulting, and Assessment Services, composed of highly experienced strategic cybersecurity advisors and consultants helping clients maintain a healthy cyber security posture.
Tech City Advisors is an IT Service Provider with specialized knowledge of information technology. They have commercial partnerships with over 300 technology vendors, enabling resale and support to clients on behalf of those vendor partners.
[i] Forrester’s The State Of Enterprise Risk Management, 2023 - https://www.forrester.com/report/the-state-of-enterprise-risk-management-2023/RES179759
[ii] Strategy of Security, The Ecosystem Explained - https://strategyofsecurity.com/cybersecurity-ecosystem/
[iii] CSF Tools – ID.SC-1 - https://csf.tools/reference/nist-cybersecurity-framework/v1-1/id/id-sc/id-sc-1/
[iv] CSF Tools – ID.SC-2 - https://csf.tools/reference/nist-cybersecurity-framework/v1-1/id/id-sc/id-sc-2/
[v] CSF Tools – ID.SC-3 - https://csf.tools/reference/nist-cybersecurity-framework/v1-1/id/id-sc/id-sc-3/
[vi] CSF Tools – ID.SC-4 - https://csf.tools/reference/nist-cybersecurity-framework/v1-1/id/id-sc/id-sc-4/
[vii] CSF Tools – ID.SC-5 - https://csf.tools/reference/nist-cybersecurity-framework/v1-1/id/id-sc/id-sc-5/
[viii] Shared Assessments About - https://sharedassessments.org/about-us/
[ix] NIST Cybersecurity Supply Chain Risk Management (C-SCRM) - https://csrc.nist.gov/projects/cyber-supply-chain-risk-management
[x] Cyber Buyer GRC Partners - https://www.cyberbuyer.com/suppliers-category/product-type/governance-risk-and-compliance-grc