By Sal Petriello, Director of Integrated Risk Management Strategy at NAVEX
It’s no longer enough to only manage and mitigate the “human risk” of internal employee behavior as organizations increasingly share sensitive data with third-party partners that are critical to their operations and supply chains. Even with limited resources, risk managers have no choice but to ensure their mitigation strategy fully addresses the behavior of individuals beyond their direct oversight – a sprawling ecosystem of third-party organizations sometimes called “the extended enterprise.”
This is no small ask, given that a typical organization works with an average of 5,800 third parties, according to a 2020 report by Ponemon Institute and CyberGRX. While not every relationship involves the exchange of sensitive information, it is easy to see how an under-resourced cybersecurity professional might eye those numbers with a certain level of unease.
Unfortunately, it appears many programs are left wanting for resources. Sixty-two percent of responding cybersecurity professionals said their teams were understaffed in ISACA’s State of Cybersecurity 2022: Global Update on Workforce Efforts, Resources and Cyberoperations report. Sixty percent said their program struggled to retain cybersecurity professionals, and 63 percent said they have unfilled positions.
The result is a dynamic that may be familiar to readers of this article. Aware of risks such as phishing and social engineering, an under-resourced risk manager or team struggles to apply education, testing, controls and any other means available to prevent employee behavior that could allow an incident to occur. They may succeed, but can the same be said of their third-party partners, who hold sensitive data and face similar resource constraints? Who ensures that each relationship continues to receive proper scrutiny over time, and when sensitive data changes hands, who bears the consequences of a breach?
What is required in this current dynamic is a holistic approach to managing the human side of information security risk that extends beyond the walls of the business itself. What’s needed is a combination of technology, leadership and strategy that multiplies the effectiveness of programs with limited resources.
Balancing access and security – Zero Trust’s rise
While discussions around information security often trend toward technology, the associated risks are fundamentally a timeless, human problem. Workers, often with no direct connection to risk management, frequently require access to sensitive data, systems and facilities to conduct day-to-day business. In the wrong hands – i.e., a criminal actor or competitor – that access and information could spell trouble.
In a perfect world devoid of malicious actors, organizations could safely allow workers – internal and third parties – unfettered access to needed systems. Yet this is not reality. The role of cybersecurity and information risk management is to constrain that access with the appropriate level of controls, mitigating risk while leaving enough access for the business to keep operating.
The explosion of third-party services and remote workers in recent years has made it increasingly difficult for risk managers to tailor access for every individual in their extended enterprise. This has prompted the rise of “Zero Trust” as a framework for identity and access management: no request is implicitly trusted because of where it originates or who employs the requester, so internal and external workers are subject to the same verification and controls.
The concept is not new but continues to pick up steam as organizations face the realities of third-party risk management and a distributed workforce. Forrester Research introduced the term in 2009 and defines it as follows: “Zero Trust is an information security model that denies access to applications and data by default. Threat prevention is achieved by only granting access to networks and workloads utilizing policy informed by continuous, contextual, risk-based verification across users and their associated devices. Zero Trust advocates these three core principles: all entities are untrusted by default, least privilege access is enforced and comprehensive security monitoring is implemented.”
Eighty percent of organizations plan to implement Zero Trust frameworks, according to reporting by VentureBeat. This includes the U.S. federal government, which is required to move toward a Zero Trust architecture under the wide-ranging executive order on improving the nation’s cybersecurity issued in 2021 (Executive Order 14028).
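As an added illustration of the three principles in Forrester’s definition, the following Python sketch is a toy policy decision point. It is example code written for this article, not code from Forrester, NAVEX or any product, and the resources, roles, posture thresholds and audit record format are assumptions chosen for the example. Every request is denied unless a grant explicitly names one of the subject’s roles (untrusted by default, least privilege); the device’s posture and the age of the user’s last strong authentication are checked on every request, with a tighter limit for sensitive data (continuous, contextual verification); and every decision, allowed or denied, is written to an audit trail (comprehensive monitoring). A third-party clerk and an internal employee go through exactly the same path.

```python
"""Toy Zero Trust policy decision point. Illustrative example only; the
resources, roles and thresholds below are assumptions, not a real product."""
from dataclasses import dataclass
from datetime import timedelta
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class Subject:
    user: str
    org: str                 # "internal" or the name of a third party
    roles: FrozenSet[str]
    since_mfa: timedelta     # time since the user's last strong authentication


@dataclass(frozen=True)
class Device:
    managed: bool            # enrolled in the organization's device management
    disk_encrypted: bool
    patch_age_days: int


@dataclass(frozen=True)
class Decision:
    allow: bool
    reason: str


# Least-privilege grants (assumed): (resource, action) -> roles permitted.
GRANTS: Dict[tuple, FrozenSet[str]] = {
    ("supplier-portal", "read"): frozenset({"vendor-ap-clerk", "procurement"}),
    ("supplier-portal", "write"): frozenset({"procurement"}),
    ("hr-db", "read"): frozenset({"hr-analyst"}),
}
SENSITIVE = {"hr-db"}                      # resources needing fresher re-auth
MAX_MFA_AGE = {"default": timedelta(hours=12), "sensitive": timedelta(hours=1)}
MAX_PATCH_AGE_DAYS = 30


def posture_ok(device: Device) -> Optional[str]:
    """Return None when the device passes posture checks, else the failing check."""
    if not device.managed:
        return "unmanaged device"
    if not device.disk_encrypted:
        return "disk not encrypted"
    if device.patch_age_days > MAX_PATCH_AGE_DAYS:
        return "patches %d days old" % device.patch_age_days
    return None


def evaluate(subject: Subject, device: Device, resource: str, action: str,
             audit: List[dict]) -> Decision:
    """Decide one access request. Every outcome is logged; the default is deny."""
    def finish(allow: bool, reason: str) -> Decision:
        audit.append({"user": subject.user, "org": subject.org,
                      "resource": resource, "action": action,
                      "allow": allow, "reason": reason})
        return Decision(allow, reason)

    # 1. Untrusted by default: no explicit grant means deny, for employees
    #    and third parties alike.
    permitted = GRANTS.get((resource, action))
    if permitted is None:
        return finish(False, "no policy for resource/action")
    # 2. Least privilege: the subject must hold a role the grant names.
    if not subject.roles & permitted:
        return finish(False, "role not permitted")
    # 3. Contextual verification on every request: device posture first...
    problem = posture_ok(device)
    if problem is not None:
        return finish(False, problem)
    # ...then authentication freshness, stricter for sensitive data.
    limit = MAX_MFA_AGE["sensitive" if resource in SENSITIVE else "default"]
    if subject.since_mfa > limit:
        return finish(False, "re-authentication required")
    return finish(True, "policy satisfied")


def demo() -> List[dict]:
    """Run constructed requests from a third-party clerk and an employee and
    return the audit trail (the same checks apply to both)."""
    audit: List[dict] = []
    healthy = Device(managed=True, disk_encrypted=True, patch_age_days=5)
    stale = Device(managed=True, disk_encrypted=True, patch_age_days=90)
    clerk = Subject("ap-clerk@vendor.example", "Vendor Inc",
                    frozenset({"vendor-ap-clerk"}), timedelta(hours=2))
    analyst = Subject("jdoe", "internal", frozenset({"hr-analyst"}),
                      timedelta(hours=3))
    evaluate(clerk, healthy, "supplier-portal", "read", audit)    # allowed
    evaluate(clerk, healthy, "supplier-portal", "write", audit)   # denied: role
    evaluate(clerk, stale, "supplier-portal", "read", audit)      # denied: posture
    evaluate(analyst, healthy, "hr-db", "read", audit)            # denied: 3h > 1h
    evaluate(analyst, healthy, "finance-ledger", "read", audit)   # denied: no policy
    return audit


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

The point of the structure is that there is no branch in which the requester’s employer or network location buys trust: the vendor clerk and the internal analyst are evaluated by the same function, and the only way to an allow is through an explicit grant plus a passing posture and authentication check. In a real deployment the grants and thresholds would come from a policy store and the audit records would feed the monitoring pipeline, which is what makes the denied requests from a third party visible to the risk team.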
Extending training to third parties
Even well-meaning employees can unknowingly make mistakes that lead to a massive breach. This can extend to employees of third parties, and of their third parties – degrees removed from the client organization and less directly under its influence, but potentially holding sensitive information or access to sensitive systems.
Phishing, where an individual with some exploitable connection to an organization’s systems unwittingly clicks a malicious link or opens an attachment delivered in a legitimate-looking message, remains one prominent example of how a lack of awareness creates significant risk. Of nearly 500 surveyed security decision-makers who said they experienced a breach in 2022, 22 percent identified phishing as the source, according to Forrester’s Security Survey, 2022, as cited in How to Manage Your Vulnerability Risk Program Amidst Skill and Labor Shortages.
Interestingly, in the same Forrester survey an even greater share, 26 percent, attributed their incident to a software supply chain breach, which speaks more broadly to the risks inherent in third-party dependencies.
While requiring employees of all third-party partners to undergo security awareness training as a prerequisite of doing business is theoretically an option, the practicality of doing so with potentially thousands of suppliers is another matter. It appears this is an area where some organizations have room to improve – forty-three percent of respondents said their organization was either “poor” or “fair” in requiring compliance training and certifications from third parties in NAVEX’s 2022 Definitive Risk & Compliance Benchmark Report, the two lowest performance designations out of five options.
The goal becomes more attainable when training is applied only where it is needed. Not all third-party and supply chain partners have access to the same level of sensitive data and systems, so it may not be necessary to subject every third party, and every third-party employee, to the same level of training. Basing training requirements on a weighing of the related risks could be the best use of limited resources, and the same risk-based approach can be applied to the organization’s own employees.
This is another area where organizations can likely improve. Only 24 percent of respondents said their organization stratifies risk and applies different levels of due diligence to third parties throughout their engagement, according to the NAVEX report. Not surprisingly, cybersecurity was the second-most common topic respondents said their organization planned to train on in the next two to three years, with 69 percent anticipating they would train on the topic, according to the report.
Supporting due diligence with a risk management culture
In some cases, the cybersecurity function has only limited input in assessing risk before ongoing ownership of a new third-party relationship moves into another siloed business function. The third party may retain access to sensitive systems for years, but the task of periodically confirming that it still follows secure practices may fall off the radar.
This speaks to the importance of an integrated risk management strategy. Functional areas should “talk the same language” about risk and share an understanding of what is expected when managing risk across the extended enterprise. Software can help by providing a holistic view of risk signal data across business functions and third parties, making it easier to screen and monitor at regular intervals. To get the most from such a solution, all business units should contribute to it and be in lockstep about the importance of due diligence. It is the culture of integrated risk among functional area leaders – the human element – that again plays a fundamental role in success or failure.
While most organizations place ownership of risk integration strategy at the executive level, only four percent of respondents in the NAVEX report said that person held the CISO role. The CISO or other security leader may understand the importance of managing risk across the individuals comprising their extended enterprise, but it may be that their greatest challenge is to gain influence among their fellow leaders to move forward.
The human element endures
Humans remain the single weakest link in the chain for many security programs, and with the proliferation of sharing data and system access among third parties, it has become more important to consider those external workers as contributing to those risks. Zero Trust offers a promising strategy for managing access in this new “extended enterprise,” and along with careful application of training and leadership buy-in, can help address the human element internally and among third parties. Risk leaders might be wise to step back from time to time and consider this fundamental fact – that people, not technology, are often the single biggest risk they face.
Sal Petriello is a senior operations, risk, audit and compliance leader whose career includes experience in the highly regulated sectors of banking and healthcare services. As director of integrated risk management strategy at NAVEX, his thought leadership includes guidance for organizations seeking to mature their approach to risk management.