- Recent software supply chain compromises are drawing attention to the need for companies to reevaluate their technology partners and services. But developing a vendor risk management program can span several months to take shape, according to Jerry Bessette, SVP of Booz Allen Hamilton's Cyber Incident Response Program, during a webcast hosted by Seyfarth Shaw LLP last week.
- The process for a company to establish a risk management program depends on how many vendors it relies on, said Bessette. And the programs, ongoing endeavors, will demand maintenance for every new vendor added to a network.
- Companies need to have standardized processes for vendors as well as other connections they have with partner organizations. Companies that may have never considered hiring a process engineer should reevaluate when developing a third-party oversight program, said Kate Fazzini, CEO of Flore Albo, during the panel.
Third-party risk management aims to mitigate, if not solve, the risks of inviting outside parties into a network. Whether it is a business partner, a vendor, or a technology, risk remains as long as the third party does.
Third-party risk management programs are driven by governance, said Chris Cummiskey, CEO of Cummiskey Strategic Solutions, during the panel. "And then it needs to be enforced."
If companies onboard a vendor, they need to ask their new partner to fill out a questionnaire, which the risk management program can review and further question. According to SecurityScorecard, questions include:
- Does a vendor collect or store personally identifiable information?
- Does the vendor monitor its devices connected to systems and software?
- Does a company use antimalware or firewall technologies?
Even with the results from questionnaires, "you need to have them verify it, and potentially produce independent third-party test results that they have tested whatever product they're providing you," said Cummiskey. "You probably should go out and hire someone to test it yourself."
Questionnaires alone do not complete a risk management program. Because of how sophisticated the SolarWinds attack was, the vulnerability bypassed questions typically asked. The attack on SolarWinds' Orion targeted "something that the company considered its most valuable asset," said Fazzini. The attack was a direct hit on SolarWinds' value proposition.
Companies want to ensure their vendors are putting the most protections in place for their most important product and service. SolarWinds' customers have not forgiven the company after the product it's known for became an adversarial tool, according to Fazzini. The company's stocks remain under its pre-cyberattack levels behind where it was a year ago.
Customers will look at what their vendors do post-incident. "You need people in the boardroom that understand these issues, the board has to be organized effectively," said Robert Zukis, CEO of Digital Directors Network, during the panel. SolarWinds' risk factor disclosures "weren't bad," as they included nation states and third parties. However, the company did not mention "systemic risk," said Zukis.
The company had "some of the parts described, but they weren't really viewing risk management as a system that they were responsible for," said Zukis. Essentially, the company did not recognize how its tools could introduce risk to the broader digital ecosystem.
The turmoil of the hack is pressuring the federal government to take more regulatory action against technology companies that do not live up to a certain standard of risk management. Likewise, companies have to recognize the role their risk management program plays in "Nth party risk."