CMI #5 - Third-Party Security

Trust reigns supreme in business, and ensuring your company’s data is secure with your third-party vendors has never been more critical. Let’s unpack this complex topic from a product landscape perspective.

Mike P

Terms You Might Hear

  • Supplier Risk Management
  • Third-Party Risk Management
  • Third-Party Vendor Management
  • Vendor Risk Management
  • Vendor Security Management

Why it Matters

  • Third parties can affect your business, your customers, and your reputation.

Problem Statement

  • As a business, you have a core set of capabilities that make you successful. These capabilities give you a competitive advantage - why your customers buy what you offer vs. another company - and make you different from your competitors.
  • Businesses leverage third parties for the capabilities that are not core to their business and fall outside what gives them that competitive advantage. To perform that service or function, the third party usually needs some of the company's customer and business data.
  • The exchange and use of that information is where the risk lies. Third parties can represent operational, reputational, compliance, financial, and strategic risks to your business, and they can affect your customers as well. As such, you have to trust that a third party will take the same level of care with that information as your business would.
  • Validation comes in the form of processes and procedures. Businesses establish third-party risk processes to evaluate a company from a financial, legal, and technological standpoint. The phrase "trust, but verify" rings true here.
  • Third-party evaluation processes are a snapshot: they capture a company's practices, procedures, and risk profile to your business only at a given point in time. Most small-to-medium businesses (SMBs) have tens to hundreds of third-party vendors, while larger companies have thousands. That volume is hard to cover without an army of people.
  • Relationships and practices with third parties may be revisited on a 1-3 year review cycle, depending on the nature of the relationship, but here's the problem: organizations evolve, and so does a third party's risk to your business. Evaluations that take weeks to months cannot capture that changing risk.

Market Solutions

Enter the Third-Party Security product market space.

  • Third-party security products can act as a proactive way to assess, quantify, and score potential third-party risk and identify areas for improvement.
  • We can summarize the third-party security product market space into two sub-categories; a single vendor may cover one or both:
  • Third-Party Risk Management (TPRM) Platforms - platforms designed to let you see, understand, and manage your third-party vendors' risk to your business. These are the more strategic platforms and help you manage the vendor lifecycle.
  • Security Questionnaire Management Platforms - platforms designed to handle the technical assessment portion of getting engaged with a vendor. These platforms are more tactical and can also help answer requests for proposals (RFPs) and requests for information (RFIs) from other companies (your prospective customers) that need to know more about your security and privacy practices.

Players in the Space

Third-Party Risk Management Platforms

Security Questionnaire Management Platforms

Product Space Predictions

  • Managing the checks and balances of a third-party vendor security program today at even a moderate-sized organization requires multiple teams from multiple disciplines. As third-party security platforms become ubiquitous, companies will consolidate teams around this technology. Consolidated teams will lead to a different type of end-user.
  • Coordinated monitoring. What’s one big problem with third-parties? You can’t monitor them like they are in your own network space. With the number of cloud breaches that happen each year, expect larger companies to demand monitoring visibility into “areas of high concern.” That third-party S3 bucket with my customer data? I want to monitor if it ever flips to public.
  • Make contract terms “visible.” Data Processing Agreements, confidentiality clauses, subprocessor agreements (4th parties), etc., are all legal terms that are hard to understand outside the legal field. Help business decision-makers understand the implications of what they agree to legally.
  • What’s the Insurance Damage? Cyber risk and cyber liability insurance providers are disconnected from the products in this space. Show me the monetary value associated with any claims I might have to file as a result of a breach.
  • Data privacy regulations are here to stay. Privacy is to cybersecurity today as cybersecurity was to IT 10 years ago. Companies know they need it, but most are not very good at it yet. Add the complexity that many privacy regulations have only been court-tested at the largest scales (think Facebook, Google, etc.), and there is too much uncertainty. Expect a focus on driving privacy compliance as a better-safe-than-sorry play, as larger companies push this requirement down to all of their third-party suppliers.
  • Containment Partnerships. A shortcoming of third-party security platforms today is the ability to respond to and contain damage originating at a third party that may hurt your own business. What if, when word of a breach arrived, containment steps could happen automatically at the Cloud Service Provider (CSP) or Internet Service Provider (ISP) level to stop the bleeding?

Product Space Opportunities

  • Show me the workflow. Add project and task management and tracking capabilities to the platform. Make it transparent to increase accountability, be consistent on the timing of reviews and deliverables, let people see what’s outstanding on both sides.
  • Leverage distributed ledger technologies (DLT). Use a distributed ledger to increase transparency and auditability. Improve the traceability of data transactions between third parties. DLT will also help with the workflows and accountability.
  • Visualize the Impact. The ability to visualize a vendor's blast radius (the total impact a security event at that vendor would have on your business operations and supply chain) is what auditors and cyber risk professionals have always been after.
  • Always. Be. Monitoring. ™️ (ABM). Create the ability for automated, continuous monitoring of third parties and continuous compliance monitoring, instead of point-in-time checks, with automated alerting when something changes.
  • Make it Automated, but with security. Make automation possible on both sides - for the business and the third party. Automate the request for specific evidence artifacts, automate the ingestion of the responses, and, where possible, automate the collection of the evidence itself; in cloud environments this is often possible by reading configuration directly rather than asking for screenshots.
  • Create a universal question and answer format. True automation won't be possible until everyone can speak the same programmatic language for questions, acceptable answers, and acceptable artifacts.
  • Secure in Public. Create the ability for companies to have a managed, externally facing version of their cybersecurity and data privacy programs. Share security program documentation (standards, policies, procedures, etc.) and make the collection and review of your standards a public affair.
  • Step Up Visibility. Take the visibility game a step further still and correlate the types and levels of network connectivity, user accounts, and data usage of a given vendor. Can you imagine if Target (whose 2013 breach began with a vendor's network access) could have seen this?
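To make the "did that third-party S3 bucket flip to public?" monitoring idea from the predictions above and the automated-evidence and universal-answer-format opportunities concrete, here is an added example. It is not code from the original post or from any product listed on this page. It evaluates a bucket's policy, ACL and PublicAccessBlock settings the way the S3 documentation describes them (RestrictPublicBuckets neutralizes a public policy, IgnorePublicAcls neutralizes public ACL grants), emits the result as a machine-readable questionnaire answer with the evidence attached, and flags a flip between two snapshots. The question id DATA-STORE-01, the bucket name, and the input documents are constructed assumptions; nothing here calls AWS.

```python
"""Added example (not from the original post): assess an S3 bucket's public
exposure from constructed policy/ACL/PublicAccessBlock documents and emit a
structured questionnaire answer. No AWS API calls are made."""
import json

ANON_GROUP = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_GROUP = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_anonymous_principal(principal) -> bool:
    """Principal "*" or {"AWS": "*"} (possibly inside a list) means anyone."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_policy_statements(policy: dict) -> list:
    """Sids of Allow statements granted to an anonymous principal. Statements with
    a Condition are flagged as conditional rather than dropped: a condition such as
    aws:SourceVpce may or may not truly restrict them, so a human should look."""
    found = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _is_anonymous_principal(stmt.get("Principal")):
            continue
        sid = stmt.get("Sid", "<no Sid>")
        found.append(sid + " (conditional)" if stmt.get("Condition") else sid)
    return found


def public_acl_grants(acl: dict) -> list:
    """Grants to the AllUsers or AuthenticatedUsers groups, as "Group:Permission"."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in (ANON_GROUP, AUTH_GROUP):
            found.append(f"{grantee['URI'].rsplit('/', 1)[-1]}:{grant.get('Permission')}")
    return found


def assess_bucket(name: str, policy: dict, acl: dict, pab: dict) -> dict:
    """Combine the three sources into one answer record. RestrictPublicBuckets
    neutralises a public policy and IgnorePublicAcls neutralises public ACL grants;
    BlockPublicPolicy/BlockPublicAcls only stop *new* public settings being written,
    so they do not change what is exposed right now."""
    policy_hits = public_policy_statements(policy)
    acl_hits = public_acl_grants(acl)
    exposure = []
    if policy_hits and not pab.get("RestrictPublicBuckets", False):
        exposure.append("policy")
    if acl_hits and not pab.get("IgnorePublicAcls", False):
        exposure.append("acl")
    return {
        "question_id": "DATA-STORE-01",  # hypothetical questionnaire identifier
        "question": "Is the bucket holding our data reachable by anonymous or any-AWS-account principals?",
        "answer": "yes" if exposure else "no",
        "evidence": {
            "bucket": name,
            "public_policy_statements": policy_hits,
            "public_acl_grants": acl_hits,
            "public_access_block": {k: bool(pab.get(k, False)) for k in PAB_KEYS},
            "effective_exposure": exposure,
        },
    }


def exposure_changed(previous: dict, current: dict) -> bool:
    """Alert condition for continuous monitoring: the answer flipped between snapshots."""
    return previous["answer"] != current["answer"]


# Constructed sample: a vendor bucket whose policy allows anonymous GetObject.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::vendor-customer-exports/*",
    }],
}
SAMPLE_ACL = {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "abc123"}, "Permission": "FULL_CONTROL"}]}
PAB_OFF = {k: False for k in PAB_KEYS}
PAB_ON = {k: True for k in PAB_KEYS}

if __name__ == "__main__":
    before = assess_bucket("vendor-customer-exports", SAMPLE_POLICY, SAMPLE_ACL, PAB_ON)
    after = assess_bucket("vendor-customer-exports", SAMPLE_POLICY, SAMPLE_ACL, PAB_OFF)
    print(json.dumps(after, indent=2))
    print("ALERT: bucket flipped to public" if exposure_changed(before, after) else "no change")
```

In a real deployment the three documents would come from the vendor's account via `get_bucket_policy`, `get_bucket_acl` and `get_public_access_block` (or from an export the vendor publishes), run on a schedule; the point of emitting the result as a question id, a fixed answer vocabulary and attached evidence is that both sides can ingest it without a human re-keying a questionnaire.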

Key Insights

  • Compliance isn't security, but compliance products always outsell security products. The majority of the players in this issue have received varying levels of investment funding, and for good reason. Much to the chagrin of security professionals, there is still room for innovation in this space. With new regulations appearing every year, this will continue to be a profitable space for investors.
  • No company is an island. Engaging with third-parties is a means to scale your business and reach customers you would have otherwise not have reached. This growth comes with a price tag that needs the closest attention.
  • Companies take on monumental, and I would argue, incalculable risks to do business with third-party companies. Try to calculate it anyway. The ability to quantify the risk of a third-party relationship to your company so you can focus on the ones with the highest risk is the goal. Or better yet, in some cases, avoid the relationship at all.
  • Third-party security platforms will allow for scale for both businesses and third-parties alike. Scale will come by way of consistency, automation, and less back and forth. Contracts can get signed quicker, and companies can increase their value sooner. The entire third-party security vendor landscape hinges on achieving this state.
  • With remote work here to stay, fewer on-site third-party security assessments have taken place, but reliance on third-parties is higher than ever. The third-party risk space is due for a reckoning, and the players in this issue are the ones leading the charge and creating unified views.
  • Third-party security attempts to seek out and validate all the tenets of a well-rounded cybersecurity program through a security questionnaire and a few meetings, then rinse and repeat every 1-3 years. Leveraging a third-party security platform will be a strong complement to an already overtaxed security team. It will let them scale more efficiently, focus on the most significant risks (not just paper risks), and work smarter, not harder.
  • Third-party scoring/ratings will become synonymous with stock ticker symbols - ebbing and flowing throughout the days, weeks, months, and years with business changes, mergers and acquisitions, news headlines, industry, and regulatory changes, etc. As a result, market forces will create a clearinghouse effect and will drive self-regulation.

Pro Positions

What type/size/stage company should leverage these platforms?

For TPRM players:

  • Series C and up is where this will likely be the most impactful. You're more established and have more ethical, legal, technological, and risk requirements than smaller companies.

For the Security Questionnaire players:

  • Series A level of funding is a good place to start.
  • Any company that does B2B sales, especially with larger, more established companies, will be hit with third-party security requests early and often. The numbers will only go up as you land more customers.

What makes one of these platforms “good?”

  • People and processes make technology good. Having people who understand third-party risk and understand your technologies is the first step to making good on the platform claims.
  • None of the tools are as automated as they make themselves out to be, at least not initially, but the ones that are focusing on this are doing it right.

Out of the Players listed, who are the top to consider?

If you are a cloud/digital-first business startup:

  • Tugboat Logic - Start here if you also need help setting up a basic security and data privacy program (which is a significant piece of most third-party security questionnaires).
  • RFPIO - When you are small, people ask you all the questions as you onboard more customers. Soon you'll have more questions than you can manage, and these platforms help with that.

Large Enterprises (Fortune 2000)

  • None of the above will scale effectively by themselves to cover a large program; you’ll need to go custom.
  • Start with the major players BitSight and SecurityScorecard to give you some visibility and build out or supplement your program, but you’ll need a deeper level of diligence.
