Standards and frameworks that grade organisational risk maturity are useful, but IT leaders need to exercise due care and attention, says Tom Ascroft, CISO, Unit4.
Third-party assurance is now being mandated by incoming compliance regulations such as NIS2, and it has many obvious benefits as organisations grapple with the ever-shifting landscape of cybersecurity risks.
If resources are stretched in house, being able to turn to an external expert to assess risk maturity can be time saving, reassuring and a valuable way to derive an outside-in perspective.
But smart CIOs and CISOs need to put guardrails in place to get the most from their investments and to understand the true nature of risks in context.
What is third-party assurance?
Effectively, the new requirement is an attempt to establish the extent to which suppliers are implementing security controls, and therefore how safe they are for the user organisation.
Many readers will have seen the requirement in the context of standards and frameworks like ISO 27001, which is widely deployed in Europe, and NIST, which is more popular in North America.
Both suggest that companies map their third parties’ activities and digital supply chains to establish risks and vulnerabilities but, as we shall see, they are far from being universally used.
One reason why third-party assurance can be challenging comes at the very beginning of the process: organisations will inevitably have varying appetites for risk.
Heavily regulated sectors such as finance, pharmaceuticals and those that manage sensitive user data will tend to be significantly more risk-averse than others, and a third party may see things differently, so a single set of rules or judgments can’t apply to all.
Another issue is that many organisations simply don’t have a formal policy or statement on their risk tolerance.
Without such a statement it is close to impossible to apply logical thinking about where to invest in risk management and how much time, attention, staffing and budget should be deployed.
Another issue is that organisations are often complex, so understanding security risk cannot be a single, one-size-fits-all exercise.
Departments or zones within the organisation will often have very different risk tolerances.
Even for those that have addressed risk tolerance diligently and documented their thinking, there are challenges.
Many IT security leaders will use standard questionnaires as templates to assess their maturity: the Cloud Security Alliance’s Consensus Assessments Initiative Questionnaire (CAIQ) has risen in popularity with cloud apps and platforms, for example, and can be a useful lever.
However, it depends on binary responses, whereas a real understanding of risk and maturity demands reasoned, contextual answers, which many third parties will not provide.
Again, not all assessments are of the same value.
Querying a supplier of a commodity tool that doesn’t go near personal or regulated information may not be necessary, so it’s sensible to consider how much value a supplier brings to the organisation and calibrate the value/risk ratio accordingly.
The A/B, Yes/No questionnaire model can lead to some odd consequences.
For example, role-based access control is undoubtedly a valuable aspect of security, but some scorecards will reward vendors that have dozens of potential roles listed even though for many software programs having so many options would be unnecessary.
So, these can be useful tools to analyse issues, but they are far from foolproof.
Understanding risk isn’t easy.
Often the IT leader needs to do some detective work, inferring potential risks rather than relying on a generic number or grade rating.
Smart CIOs and CISOs need to stay on top of the latest intelligence and risks, read relevant reports, understand the data regulatory landscape and ask germane questions of their suppliers on many areas such as data loss prevention, access control, etc.
But be realistic: most software companies will only have so much time to help, so seek out publicly available information from their websites first and only ask questions that are relevant to your own risk.
Ultimately, no organisation is perfectly secure. Business is a risky business and a real belt-and-braces approach seeking minimal risk would lead to very limited scope for creativity and innovation.
To defend themselves, IT leaders and their cohorts need to retain a range of options, from scanning the threatscape for changing attack vectors, predicting the impacts of internal or market changes, sharing knowledge with peers and maintaining a working knowledge of the regulatory landscape, to communicating risks to employees and pursuing red-team and penetration-testing simulations of attacks.
Third-party assurance is useful, but it needs to be associated with an understanding first of what risk profile the organisation has and, second, with antennae fully alert to the limitations of likely responses.
As the professional membership group ISACA has noted: “To maintain appropriate control over suppliers, it is important to test suppliers. The more that is done to mitigate risk, the less likely risk will arise.”
So, have a risk appetite statement and review it regularly, establish what is important to your organisation, understand the level of information you need from third parties and match the level of dependence on the supplier to the depth of knowledge you need.
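The calibration argued for above (tier suppliers by the data they touch and how much you depend on them, ask only the questions that are germane, and score answers against what your organisation actually needs rather than against a raw Yes/No count) can be made concrete in a few lines. The following is an added illustration, not code from the article, from Unit4 or from any questionnaire standard: the tier thresholds, the question areas, the RBAC scoring rule and the three sample suppliers are all assumptions chosen to show the idea, and should be recalibrated against your own risk appetite statement.

```python
"""Supplier tiering and context-aware questionnaire scoring (constructed example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Supplier:
    name: str
    handles_personal_data: bool
    handles_regulated_data: bool
    dependence: str     # how much the business relies on it: "low", "medium" or "high"
    roles_offered: int  # RBAC roles the vendor lists in its questionnaire answer
    roles_needed: int   # distinct roles the buying organisation actually needs


_DEPENDENCE_RANK = {"low": 0, "medium": 1, "high": 2}


def assessment_tier(s: Supplier) -> str:
    """Map a supplier to the depth of assurance worth asking for (assumed thresholds).

    "public"   - commodity tool, no sensitive data, low dependence:
                 rely on published material (trust pages, certificates) only.
    "standard" - questionnaire with reasoned answers, no evidence demanded.
    "deep"     - questionnaire plus evidence (audit reports, test summaries).
    """
    rank = _DEPENDENCE_RANK[s.dependence]
    if s.handles_regulated_data or rank == 2:
        return "deep"
    if s.handles_personal_data or rank == 1:
        return "standard"
    return "public"


def naive_rbac_score(s: Supplier) -> int:
    """Yes/No-style scorecard: one point per role offered, capped at 10.
    More roles always look better, whatever the product actually needs."""
    return min(s.roles_offered, 10)


def contextual_rbac_score(s: Supplier) -> int:
    """Score RBAC against the roles the organisation needs, not the raw count.

    Full marks once the needed roles are covered; a surplus of more than twice
    the need loses a point for the extra configuration surface it creates.
    """
    if s.roles_offered < s.roles_needed:
        return round(10 * s.roles_offered / s.roles_needed)
    surplus = s.roles_offered - s.roles_needed
    return 9 if surplus > 2 * s.roles_needed else 10


# Question areas and the condition under which each is worth asking (assumed mapping).
_QUESTION_AREAS = (
    ("access control", lambda s: True),
    ("data loss prevention", lambda s: s.handles_personal_data or s.handles_regulated_data),
    ("data residency and regulatory scope", lambda s: s.handles_regulated_data),
    ("business continuity and exit", lambda s: _DEPENDENCE_RANK[s.dependence] >= 1),
)


def relevant_questions(s: Supplier) -> list[str]:
    """Only ask what is germane to this supplier; the 'public' tier gets no questionnaire."""
    if assessment_tier(s) == "public":
        return []
    return [area for area, applies in _QUESTION_AREAS if applies(s)]


# Constructed sample suppliers (not real vendors).
SAMPLE_SUPPLIERS = {
    "whiteboard-tool": Supplier("whiteboard-tool", False, False, "low", 40, 3),
    "payroll-saas": Supplier("payroll-saas", True, True, "high", 6, 5),
    "crm": Supplier("crm", True, False, "medium", 3, 3),
}


def triage(suppliers=SAMPLE_SUPPLIERS) -> dict[str, dict]:
    """Summarise tier, both RBAC scores and the question list for each supplier."""
    return {
        name: {
            "tier": assessment_tier(s),
            "naive_rbac": naive_rbac_score(s),
            "contextual_rbac": contextual_rbac_score(s),
            "questions": relevant_questions(s),
        }
        for name, s in suppliers.items()
    }


if __name__ == "__main__":
    for name, row in triage().items():
        print(name, row)
```

Running it shows the anomaly the article describes: the whiteboard tool with 40 roles tops the naive scorecard yet scores lower than the CRM with exactly the three roles needed once context is applied, and it lands in the "public" tier, so it receives no questionnaire at all, while the payroll service touching regulated data draws every question area and the deepest assurance tier.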
This article was originally published in the November Edition of Security Journal UK.