Third-party risk management is a critical aspect of business operations. With the increasing reliance on third-party vendors, it is essential to understand the risks associated with them.
In episode 6 of our Security Leaders Perspectives series, industry experts Tom Kartanowicz and Lamont Orange discussed various third-party risk concerns and how to manage them effectively.
Treating Third-Party Vendors as an Extension of the Organization
Tom Kartanowicz, Regional CISO, Global Financial Services, emphasized the importance of treating third-party vendors as an extension of the organization. “A third party is an extension of our organization. They’re part of the family, yeah? So, when there’s a problem there, it’s a problem for us as well.” He also highlighted some key risk indicators (KRIs) for third-party management, such as the number of critical vendors and the risk ratings assigned to those vendors.
Understanding Third-Party Vendors and Their Access to the Environment
Lamont Orange, CISO, Netskope, pointed out the need to understand who the third-party vendors are and the type of access they have to the environment. “The largest third-party risk concerns are understanding who these third parties are that are accessing our data systems, that are working for us as contractors, just what type of access they have and to the environment.” He stressed the importance of visibility into how third-party vendors handle data.
Documenting and Including Vendors in IAM Process during Onboarding and Offboarding
When onboarding or offboarding partners, Kartanowicz suggests documenting everything in a contract and embedding security requirements before money changes hands. He also emphasized the importance of keeping vendors in the identity and access management (IAM) process during offboarding, so that stale vendor access is revoked on schedule rather than discovered by chance in a later account review. “Your vendors have to be part of that. They’ve got to be part of that process. So, you know, the offboarding you shouldn’t discover six months later when you’re doing an account review that a vendor from a year ago still has access to your Active Directory or whatever.”
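As an added illustration of the account review Kartanowicz describes (constructed example code, not from the episode or either speaker), the script below joins a vendor roster against a directory export and flags enabled third-party accounts whose contract has ended, that have no vendor record, or that have gone dormant. The roster, the account list, the review date and the 90-day dormancy threshold are all constructed assumptions.

```python
"""Stale vendor access review: constructed example, not from the episode.

Joins a vendor roster (contract end dates) against a directory export of
third-party accounts and reports accounts that should have been offboarded.
"""
from datetime import date, timedelta

# Constructed vendor roster: vendor_id -> contract end date (None = still active).
VENDOR_ROSTER = {
    "acme-consulting": date(2023, 3, 31),
    "northwind-msp": None,
    "contoso-audit": date(2023, 9, 30),
}

# Constructed directory export (e.g. an AD or IdP user listing) of vendor accounts.
DIRECTORY_ACCOUNTS = [
    {"sam": "svc-acme-01", "vendor_id": "acme-consulting", "enabled": True,  "last_logon": date(2023, 2, 15)},
    {"sam": "nw-jdoe",     "vendor_id": "northwind-msp",   "enabled": True,  "last_logon": date(2023, 11, 1)},
    {"sam": "nw-svc-bak",  "vendor_id": "northwind-msp",   "enabled": True,  "last_logon": date(2023, 4, 1)},
    {"sam": "contoso-rw",  "vendor_id": "contoso-audit",   "enabled": False, "last_logon": date(2023, 9, 28)},
    {"sam": "ext-unknown", "vendor_id": "orphan-llc",      "enabled": True,  "last_logon": None},
]

# Constructed review date so the run is reproducible.
REVIEW_DATE = date(2023, 11, 15)


def review_vendor_accounts(accounts, roster, today, dormant_after=timedelta(days=90)):
    """Return (account, reason) findings for enabled accounts that should not be enabled."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already disabled; nothing to revoke
        vendor_id = acct["vendor_id"]
        if vendor_id not in roster:
            findings.append((acct["sam"], "no vendor record"))  # nobody owns this account
            continue
        contract_end = roster[vendor_id]
        if contract_end is not None and contract_end < today:
            findings.append((acct["sam"], f"contract ended {contract_end.isoformat()}"))
            continue
        last = acct["last_logon"]
        if last is None or today - last > dormant_after:
            findings.append((acct["sam"], "dormant"))  # active vendor, unused account
    return findings


if __name__ == "__main__":
    for sam, reason in review_vendor_accounts(DIRECTORY_ACCOUNTS, VENDOR_ROSTER, REVIEW_DATE):
        print(f"REVOKE {sam}: {reason}")
```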
Automating and Orchestrating for a Sustainable Third-Party Risk Management Program
To create a sustainable third-party risk management program, Orange recommends automating and orchestrating as much as possible. “I think organizations can build a sustainable third-party risk management program really by looking at how much of this can we automate, how much can we orchestrate?” He also stressed the importance of consistency and modernization. “It needs to be repeatable, it needs to be consistent, it needs to be modern.”
Key Takeaways: Third-Party Risk Management in Business Operations
In summary, third-party risk management is crucial for organizations, and it is essential to understand the risks associated with third-party vendors. By treating third-party vendors as an extension of the organization, ensuring visibility, embedding security requirements in contracts, and automating processes, organizations can create a sustainable third-party risk management program.