CISOs are acutely aware of the complexity and threats resulting from the increase in third parties accessing their data, whether it’s suppliers, outsourced providers, contractors or business partners.
Vetting hundreds and possibly thousands of businesses, agreeing strict contracts with them and then monitoring compliance is great in theory but can be very difficult in practice. While there are plenty of ideas, the cyber security profession lacks a comprehensive solution to this conundrum, and all CISOs are working to find ways to verify the reliability and continuing security of third parties.
Towards greater trust
As they face the challenges of securing data across multiple parties, CISOs have a number of options.
Tightening up the supply chain
Contracts and compliance are an obvious place to start, with clear guidelines on due diligence before signing a contract, and more controlled and restricted access for third parties, if there’s a concern they can’t meet the required cyber security standards.
Automation also has a role to play: building in machine learning and establishing automated risk assessments is a good way to manage the scale of the problem, with many companies already facing a backlog of a thousand or more vendor assessments.
There’s a broad acknowledgement that CISOs cannot solve this problem alone, a point emphasized by Greg Day, VP and CISO, EMEA, Palo Alto Networks: “We need to build industry communities to allow data sharing, coordinating at an international level, with more sharing of key cyber threats, rather than just trend analysis.”
Working with a range of stakeholders
There’s no quick fix to the threats inherent in the complex web of relationships that characterize today’s supply chains and outsourcing environment.
Industries like financial services have shown the value of collaboration across a number of common challenges. Working together to share intelligence and knowledge, to learn from others and to present a united front benefits all the players. Philipp Südmeyer, Group CISO, Munich Re, says: “A lot is about personal relationships; when you know and trust people, you can talk about x, y and z and build deeper relationships.” This extends to relationships with regulators, working as a team to proactively manage cyber security issues and defend communities.
In the UK, for instance, the Active Cyber Defence (ACD) program’s stated aim is to ‘Protect the majority of people in the UK from the majority of harm caused by the majority of cyber-attacks the majority of the time’ — a concept that could be applied to broader ecosystems to defend against an increasingly aggressive and sophisticated threat landscape.
A new era of cooperation
Conventional third-party security offers the illusion of confidence. Embedding security into contracts offers limited assurance, while point-in-time assessments don’t give a real-time view of third-party risks — and can become unmanageable as organizations begin to consider fourth, fifth and even sixth party providers. In addition to addressing in-house concerns, CISOs must turn their attention to playing their part in securing the wider ecosystem through collaborative action.
The excerpt was taken from the KPMG Thought Leadership publication entitled From enforcer to influencer: Shaping tomorrow’s security team.