Optimizing the Human in Third-Party Risk Management
Published On May 28, 2020
Blog Post by Siobhan Hunter, Vice President of Strategic Solutions at CORL Technologies
Security and risk teams have been overwhelmed by the tsunami of requests for vendor security risk assessments as the digital health movement continues to shift data to third-party platforms. Constraints on human capital and time have never been tighter. Leading organizations are looking for ways to focus their teams on true risk management activities rather than perpetually collecting and formatting risk data.
Information security and risk leaders have turned to technology and automation to help keep pace with this unprecedented demand for third-party security assessments. However, the volume and variety of tech solutions hitting the market has some of our heads spinning trying to make sense of it all.
Solutions available on the market include GRC platforms, cyber risk scoring, survey automation, third-party risk exchanges, and tech-enabled managed services. These offerings are not mutually exclusive, and many of their capabilities complement and support one another.
Here is a rundown of the most common solutions and how leading third-party risk programs are using them to gain maximum value for the business and optimize the investments in the human elements of their programs.
Governance, Risk and Compliance (GRC) Tools
GRC platforms provide excellent vendor risk repository capabilities. They help to create a one-stop-shop for vendor inventories, assessments and results, contractual agreements, and more. Knowing who your vendors are and having a grasp of the full portfolio is critical to an effective third-party risk program. GRC tools provide a great way to clean up your vendor infrastructure and interface with your vendors in an automated way.
GRC solutions, however, are only tools. They do not replace the essential activities required of experienced assessors to perform risk analyses, validate evidence, establish and coordinate remediation with vendors, and interface with the business to make informed risk decisions.
Cyber Risk Scoring Solutions
Cyber risk scoring solutions, often referred to as Continuous Monitoring Solutions, help you keep ongoing tabs on your vendors’ security posture. These platforms look at public-facing risk indicators such as web application vulnerabilities and other factors that can be leading indicators of a vendor’s security maturity.
Cyber risk scoring solutions are most effective when deployed for a subset of prioritized vendors rather than across the entire portfolio. Continuous monitoring of lower-risk vendors can be costly both in product licensing and in the human risk analysis required to review and react to large volumes of monitoring data. Like GRCs, cyber risk scoring solutions are another tool in the kit, but they do not replace the analysis and risk management activities needed to drive value for the business.
Survey Automation Tools
Survey automation tools can help get out of spreadsheet-driven communication models with vendors and can improve response time for initial security questionnaires and assessments. They can help automate the exchange of data and support some “first pass” vendor risk grading.
As with any vendor assessment model, the devil is in the details with responses to automated vendor questionnaires. Third-party risk teams must spend cycles validating the responses and evidence provided by vendors. These tools can get the first step moving, but human eyes and experience are needed to do a deep dive on key controls and evaluate their applicability and effectiveness.
Survey automation solutions can be great for initial assessment results, but you still need the human element to look beyond the initial "yes or no" answers to many key control questions.
Third-Party Risk Exchanges
Third-Party Risk Exchanges are designed to allow vendors and customers to share security risk assessments and information on a centralized platform. The exchanges came on with a bang a few years ago, promising an easy way for vendors and customers to share security risk information about products and services. Concerns quickly arose, however, around the confidentiality and disclosure of that information, including who could access it and share it with other entities.
Even when exchanges are made available to all parties, many vendors choose not to share the results of the assessments in a broad way. They may share some initial questionnaire responses, but they often want the overall result and findings to be a specific conversation with each customer.
Different organizations also have different risk tolerances. What may be a high risk for one environment may be a medium or low for other programs and organizations. Taking an "off the shelf" questionnaire response may not always work for your specific environment.
As with the other solutions outlined here, exchanges may support some limited data collection, but they do not replace the deep-dive risk analysis and remediation tracking needed to manage risk to an acceptable level for the business.
Tech-Enabled Managed Services
CORL Technologies provides technology-enabled managed services that optimize the interrelation of technology, people, and process to realize vendor security risk reduction at scale. Our team of experts dedicated to third-party risk handles the heavy lifting of data collection, evidence validation and analysis, reporting, monitoring, and management and tracking of vendor remediation activities.
The technology underpinning our services automates workflows that have been fine-tuned as a result of working with over a hundred leading third-party risk programs. The data collected from vendors is integrated with the other technology platforms we have discussed here including GRCs, cyber risk scoring, and other products to maximize value from those capabilities.
We provide the critical mechanism that allows your security program and team to focus on the highest-value risk management activities to support the business. Our security control data on over 65,000 vendors also helps drive efficiencies and cost reduction for your program.
The inundation of vendor security risk assessments for third-party risk teams is unlikely to slow down any time soon. Organizations will need to redirect their human capital away from raw data collection and toward higher-value risk management activities supported by well-defined processes and technology capabilities.