We sat down with Sean Cronin, CEO of ProcessUnity, to explore the challenges related to enterprise third-party risk today and in the future.
What are the most unexpected pitfalls for a CISO that wants to strengthen an enterprise third-party risk management program?
Ultimately, you need to understand where your program is today and build a plan to mature it. There are a lot of moving parts in a third-party risk management program. Most companies today are struggling with the work associated with the early phases of a program – the vendor onboarding process, the pre-contract due diligence and then the ongoing monitoring that must occur after a contract is signed. It’s critical to nail these processes first or you’re setting yourself up for failure.
Figure out where you are on the maturity curve first. Do you have an Informal program that’s just getting started? Is your team fighting fires in a reactive mode or have you advanced your processes to a point where you’re more proactive about reducing risk? If you’re already mature and you’re running an optimized program, it’s all about continuous improvement. If you understand the weaknesses and opportunities at your currently maturity level, it makes it easier to put a reasonable plan in place – one that prevents you from trying to take too big of a leap all at once.
Another pitfall is the wildcard that disrupts the proverbial applecart. This year, it’s COVID-19. Organizations are putting their programs on hold because they’re scrambling to reassess their vendors to ensure business continuity during the pandemic. More mature programs build a rapid-response mechanism into their programs, but less mature companies have to drop everything and react as best as possible.
How can an organization transform third-party risk into a competitive advantage?
Before third-party risk management can become a competitive advantage, businesses need to perfect the block-and-tackle basics of third-party risk management. This means having a comprehensive onboarding, due diligence and ongoing monitoring process. Getting those processes effective and efficient allows more time for risk teams to focus on the third-party risk management activities that can drive ROI for the company, including contract management, service-level agreements (SLAs) and performance management.
If your team has more time, they can spend it helping to negotiate better contracts with better financial terms or better services terms – maybe both. Your team will also have access to insights gained during due diligence and ongoing assessments. That data can be used to your advantage during initial negotiations or renewals.
There’s also an opportunity around SLAs. Build a library of SLAs, track where they are being used – on a contract-by-contract or vendor-by-vendor basis and then get your lines-of-business to submit metrics or evidence that results are within acceptable thresholds. Now you have an SLA-enforcement engine. No one wants to collect penalties for a broken promise, but the option is there. You also have the ability to forgo the penalty in exchange for something else – visibility into a product roadmap, input into a new feature, etc. SLAs are an important part of the vendor management process, but many organizations don’t have the time to use them to their advantage.
Finally, managing vendor performance is also a way to get a competitive advantage. If you work with the best vendors, you will get the best service and value. If you can swap out under-performing vendors with better ones over time, your company is going to be in a better place.
Third-party compromise continues to be one of the major drivers of data breaches worldwide. How can organizations make sure that the companies they work with are taking care of their security properly?
Lou Gerstner said it best, “You don’t get what you expect, you get what you inspect.” Hoping that your vendors, suppliers and third parties are just as buttoned-up as your company isn’t enough. The whole point of having a third-party risk program is to systematically assess new and current vendors over time. You need a mixture of self-assessments that the vendors complete and then you need to spot-check your higher-risk vendors with on-site controls assessments – live visits where you ask your vendors to prove they have the proper safeguards in place. It’s work that has to be done – you can’t take their word for it.
Unfortunately, even the best-run third-party risk programs may not be breach-proof – the idea is to prevent as much as possible and make it as hard as possible for a breach to occur.
If you have a strong program in place, you’ll be in a better position to easily understand is what was compromised should a breach occur. For example, in the first hour that a compromise was recognized, it would be great to know exactly what information that vendor owned – patient data, patient records, customer data, customer PII, customer credit cards, etc. A third-party risk management system can help to quickly and easily identify that.
Also, before the breach even happens, the increased due diligence and the periodicity in which organizations continue the evaluation of a third party will continue to drive risk out of that relationship. Ongoing monitoring of a vendor helps organizations better understand what their vendors are and aren’t doing – policies, evidence of specific actions, etc. This develops a dialogue with the vendor to explain why specific actions need to be taken to help drive risk out of both organizations. And that’s how organizations will be able to drive more secure relationships, more secure vendors and more secure providers.
How do you expect risk management strategies to evolve in the next decade? What’s new on the horizon and how can security leaders lay down the groundwork for increased compliance and security?
I was thinking about this a lot while at this year’s RSA Conference. RSAC was very much about the firewalls and the four walls of any corporation, however where security and risk will evolve is an increased importance on third parties. The second an organization puts any data into a third party, that risk is extended and create vulnerabilities that are exponentially worse than what’s within the firewalls or your own four walls.
In third-party risk specifically, we will see more teams incorporate external content into their third-party risk management programs to get a more wholistic view of their vendor population. We will see a rise of utilities and consortiums – where a vendor is assessed once, and multiple organizations can access that assessment. This will allow for a quicker and more streamlined vendor onboarding process. Vendor assessment questionnaires will also continue evolve. Today, we have questionnaires that can self scope based on inherent risk levels and self-score based on a set of preferred responses. This is the start of machine learning and eventually AI for third-party risk.
That’s the next horizon. And it’s exciting because security leaders are seeing the increased importance of that third-party supply chain and vendor ecosystem as part and parcel to their reputational risk and their overall organizational risk.
Security automation, orchestration and response (SOAR) speeds up the incident response process by replacing manual tasks with automated workflows. We sat down with Swimlane CEO Cody Cornell to learn more about the benefits for all organizations.
What are some of the biggest misconceptions when it comes to security orchestration, automation and response (SOAR) solutions?
Automation takes the mountain of daily manual work that’s required to really leverage a full-scale defense-in-depth strategy and makes completing it much more attainable. If each of your security controls is a segment of your overall security strategy, you can’t have one segment be an extremely weak one. As with all things, you are only as strong as your weakest link. Automation allows you to free up time, get to tasks you never could by hand, and have time to focus on strengthening your weakest links.
I think when people think of automation, they think about what it is like when it is completed, how their lives are better, how they reduced the burden on their teams, and how automations makes them more vigilant and capable around the clock. These outcomes are absolutely true, but if you look at other places where automation has made huge impacts in productivity it didn’t happen overnight.
There was no single thing that drove manufacturing automation. But in the end, it revolutionized manufacturing. Security automation is similar. The advantage is that since it is software, iteration can happen more quickly, but value builds over time. As that value builds, you get to a point where you can’t imagine it any other way.
Because of this, there are companies that are much more secure than their peer group, and it’s because of the historical investments and daily decisions they make. They’ve made the investments to make it more difficult for actors to take their information or compromise the services they deliver.
Overworked security operations teams are increasingly leveraging SOAR tools. What can these solutions do in a SOC environment?
All companies deal with overworked security teams in some form or another, but in cybersecurity, this can lead to burnout, which has potentially dire consequences. If a SOAR platform is successful, it’s taking upwards of 80-90% of the highly repetitive work security teams have to do, doing it on their behalf, and managing it in a way that is making their lives better.
With a SOAR tool, organizations can also abandon the exclusive use of ‘prioritization’ as a solution for overloaded employees. A lot of time prioritization is a symptom for lack of capacity, doing the “most” important thing a lot of times means hundreds if not thousands of other important things are being deprioritized.
The reality is, every to-do list item in a security operations center must be completed every day. Investigating alerts ineffectively—or even missing them completely—can result in a costly breach, and the items that are the highest priority, probably started out as a low priority or informational notification that could have been actioned immediately, might have never escalated to your highest priority. Rather than asking employees to prioritize their daily tasks, organizations leveraging SOAR tools are investing in processes and technologies that help their employees complete their work.
By creating a situation where professionals can get their work done, and get it done well, a stronger sense of achievement is generated among personnel, and in the case of cybersecurity, this can help reduce the risk for the entire organization.
What advice would you give to a newly appointed enterprise CISO that wants to take full advantage of what SOAR solutions have to offer?
Acknowledge that the way that we’ve historically done security ops and engineering just isn’t going to work going forward. The whole mindset that we’re going to have a somewhat slowly changing infrastructure, with people-intensive change management processes, that we’re going to update it every once in a while, is gone. If that’s how you’re managing any facet of your enterprise, from endpoints to perimeter, from cloud infrastructure to IoT devices, you’re just plain exposed.
You have to accept that if your infrastructure isn’t already built to be constantly evolving and adapting, you’re behind. You need to be able to digest a constant stream of information, enrich it from a variety of disparate data sources, and use that to make real-time risk assessment decisions that drive the automated update to your security infrastructure. Along with all that, you’ve needed to select, implement and manage your technology stack to support that speed of change in an operational cadence.
When selecting a SOAR technology, organizations should be looking for a single platform with the flexibility to support the broadest set of use cases at the deepest technical levels. Other factors to consider are whether this tool is enabling their people to get more done, and orchestrate more technology, or just providing another case management system where you park some notes, upload some logs, and assign a user.
CISOs should be thinking about SOAR as a platform, not as a tool, and it should be a platform that doesn’t limit what they can interact with. The security solutions in your environment, the intelligence sources at your disposal, the infrastructure your company utilizes is going to be constantly changing, and a lot of times those decisions are not made by the CISO.
Acquisitions, mergers, and partnerships are driven by the business, which will force the security team to adapt and integrate with a whole variety of security apparatus, and you need to be leveraging a platform that supports the largest variety of integration points but also the most diverse set of use cases because what you need today is not what you’ll need tomorrow. And from a planning perspective, you need to try to future proof wherever you can.
How do you see the SOAR market evolve in the next few years?
SOAR as a named category by the analyst community (Gartner/Forrester) was needed to describe an automation solution that organizations could use for security operations, addressing their daily pain points when trying to keep their organizations secure from relentless bad actors. Now the problem is altering the mindset of security teams from thinking about automation as a specific product unto itself and more of a principle of applied automation across every facet of security.
More and more organizations are looking to secure their business by leveraging automation. Automation is not new. We use automation every day in manufacturing, shipping, and other sectors, and we have for decades. The SOAR market will continue to evolve in ways that help organizations apply automation and orchestration to every facet of security.
Rather than thinking about automation as a single product category, we should be taking automation and applying it across an organization’s technology stack, security or otherwise. The types of use cases organizations are implementing with SOAR are evolving as well, including technology integrations for cloud, IoT and DevOps.
In this interview, Mark Sangster, VP & Industry Security Strategist at eSentire, talks about the most pressing issues CISOs are dealing with in today’s fast-paced threat environment.
How has the cybersecurity threat landscape evolved in the past 5 years? What are some of the most notable threats eSentire is seeing that were not an issue in the past?
The past five years have seen significant progress in both the recognition of cybercrime, but also the increase threat posed by organized cyber cartels and nation states. Past attacks were often rudimentary in strategy, uncoordinated, and opportunistic. Consider ransomware attacks for example. Attacks used generic phishing lures posing as streaming services, banking institutions, or travel agencies. These broad and unrefined nets were cast by smash-and-grab criminals, group or nations. Like bobbing plastic waste on the ocean, it snared all levels of the ecosystem from individuals to banks, laws firms and hospitals. Regardless of the duped party, the ransom payment was fixed rate-transactional fee and did not reflect the wherewithal of the victim.
But from this chaos came order. Organized criminal groups realized that cybercrime was more lucrative and less dangerous than traditional physical crime. And this led to both a systematic approach to extortion, but also targeting of more lucrative targets like law firms fearful of reputational damage or hospital petrified of operational disruption and the impact of patient care. Ransom values moved into the five and six figure range, and lures played upon the social and economic factors that drove the target industry.
At the same time, organized crime and nation states found that their wares offered a revenue channel. So, tools once the domain of advanced nations states appeared in the civil black markets. And now, malware and delivery mechanisms such as Emotet are not commodities. It’s a reflection of the fact that criminal business runs using the MBA best practices of their Fortune 500 prey. Why build and develop a payload delivery mechanism, when a perfectly good one is available on the market. It’s the same buy vs build decision businesses make everyday. It’s the commoditization of cyber tools. Commoditization means growth. Low cost opens market opportunities.
Nation states are recalibrating their radar to expose a wider range of targets. Companies are finding themselves the new form of a collateral damage in trade wars. Governments levee tariffs, trade wars heat up, and nations use cyber vengeance to try and equal the economic impact. It’s not felt in factories or ports of entry. It’s now affecting the heartland. Increase tariffs on steel, and opposing nation states steal funds and IP from industry and manufacturers.
What attack methods are cybercriminal organizations using the most? What type of organization is most at risk?
No one is immune to cyber attacks. But specific industries continue to grace the top steps of cyber crime podiums. While banks were once the simple one step connect the dots to profit (banks are where people keep their money), now criminals see other industries as big game.
While the sophistication of attacks increase, it’s more about understanding their target. They understand that what drives a business, what keeps them up at night, and what buttons to press to elicit the desired response. They use phishing lures and often use the firm’s own tools against them by compromising a trusted vendor, or leveraging embedded tools like remote administrative protocols that provide decentralized access to critical network operations.
Most notable are hospitals and healthcare facilities. They are open to the public, suspectable to attack, and hard to defend. As IoT permeates healthcare in forms of connect medical images, IV and patient monitoring systems, hospitals make easy targets. They are soft. And they are fearful of operational disruption. Downtime impacts patient care. It can mean life or death. And they are willing to pay to avoid protracted shutdowns caused by pervasive ransomware attacks. And patient records are valuable and can be used to defraud insurance carriers. What’s more, criminals know hospitals also pay hefty fines when data breaches occur. It’s salt in the wound. So, hospitals will pay to avoid downtime, lost patient billing, and regulatory privacy fines.
Law firms and other business services (accounting, marketing, consulting, etc.) have unparalleled access to critical information and are now a prime target of criminals. Law firms control financial information, intellectual property and other forms of valuable information. They are protective of their reputation and fear the repercussions of public attack. So they pay ransoms.
Manufacturing firms fall victim to fraudulent billing to the tune of billions. Operational disruption is costly. In one case a firm faced the dilemma of shutting down an infected assembly line to the cost of millions. The board elected to wait for a scheduled maintenance window, and suffer the consequence of the resulting cyber attacks in the meantime.
Education, media and entertainment and others have all seen their share of attacks. Once the water hole is discovered, all the predators circle knowing their prey will gather there.
What advice would you give to a CISO that wants to develop a risk management strategy for the long haul?
Security is no longer about ones and zeros. It’s not an IT problem to solve. It’s a business risk problem to manage. CISOs need a seat at the table, and should be consider step zero in a business objective setting process. Does this geographical market incur risk? Does this client bring undo political attention? Does housing medical information increase our obligations? These are business issues to solve, not IT problem to bandage with another firewall or more user awareness training.
CISOs need to be part of the legal group, and muster their equal share in the risk equation. Security needs to align to business objectives, and develop clear line of sight to the Board of Directions. And CISOs need to speak in dollars and cents, and not ones and zeros. They must frame the risk in terms that business people can understand. That’s the way to garner budget and resources. They know the risks, it’s selling the risk to the Board and executives who must understand their obligations as they relate to cybersecurity. There are enough dead roles and companies out there who’s corpses litter the headlines of cyber breaches.
What’s your prediction when it comes to the number and type of data breaches in 2020?
Attacks will continue to move toward high return, hands-on-keyboard attacks. This means simple security controls designed to stop malware and credential harvesting tools won’t keep pace with these tactics. Firms will need to invest in security experts who can go head to head with their criminal adversaries, and defend the fort.
Grey crime will also continue to develop and grow. Tactics used to sway public thinking and sway elections will be used to move the enterprise value of companies. Positively or negatively impacting a stock value means criminals can plant stories, and watch the social network carry their paper boat away on the current, and then buy or sell stock to ‘front run’ the trade with insider information. It will be much harder to detect than the theft of proprietary information, and much harder to stop.
The complexity of targeted crime, constantly changing technology, and the way humans interact creates a petri dish that will accelerate the growth of cybercrime. This concoction can be abused in infinite ways. For more information on cybercrime – including the players, their motivations, their tactics and their targets – check out our latest threat intelligence report.