While many organizations navigate the challenges of digital transformation, top CISOs are thinking differently about third-party risk management, which is a source of significant cyber incidents for Fortune 1000 companies, according to a recent RSA Conference survey.
Having encountered the realities of escalating third-party risk, the RSAC Executive Security Action Forum (ESAF), a trusted forum for Fortune 1000 Chief Information Security Officers (CISOs) since 2003, collaborated to produce the RSA Conference CISO Perspectives report, How Top CISOs Are Transforming Third-Party Risk Management. In sharing these findings with the broader community, the RSAC ESAF aims to help all organizations improve the management of cyber risks and inspire action.
The report begins with the assertion that traditional approaches to third-party risk management in information security are ineffective. Attackers have increasingly targeted Fortune 1000 companies through their downline partners, particularly those with less mature security programs. In fact, RSA Conference surveyed 100 Fortune 1000 CISOs and found that 87% of these companies were affected by a significant cyber incident at a third party in the past 12 months.
To that end, the report offers bold new approaches to third-party risk management that go beyond self-assessment questionnaires and cybersecurity ratings. “These include establishing top priority security requirements, setting deadlines to implement controls, adding enforcements to contracts, helping third parties obtain security technologies, delivering security services to third parties, increasing business leaders’ role in managing cyber risks, and building resiliency against third-party incidents.”
While each organization’s tolerance for risk differs greatly, there are universal challenges that transcend sectors, such as ransomware and software vulnerabilities, which is in part why traditional approaches to third-party risk management are ineffective. According to the report, traditional approaches do not reduce risk, lack cyber risk context, and lack resiliency strategies.
“This is a problem that spans all sectors; solving it must be an industry effort. If we could agree on a core set of controls and standard contract clauses, it would focus the effort on the areas that most reduce risk, and free up time for suppliers and customers to work on improving security,” said Emma Smith, CISO, Vodafone.
To help the broader community move toward a systemic change, RSAC ESAF CISOs determined that technology vendors can work toward minimizing complexities and reducing costs. Collaboration, education, and access to resources are also key to large-scale improvements.
The report highlights six cross-sector case studies that outline emerging processes and procedures based on these organizations’ direct efforts to reduce the impact of third-party incidents. To learn more, read the Executive Summary and check out the full report including the case studies.
This RSA Conference CISO Perspectives report is the second in the series. The previous report entitled What Top CISOs Include in Updates for the Board is also available for download.