Welcome to the first of my ‘no bullshit cyber’ blogs, with useful tips for putting cybersecurity into practice. My name is Nick Harris, and I’m the CISO in Residence at Assured.
These blogs will focus on making a tangible difference in a language the business understands. The points are drawn from experience delivering cybersecurity transformation programmes in multiple industries.
The first topic I’m going to tackle is third-party risk management.
Here goes…
Third-party risk management, supply chain security, or whatever you want to call it, frequently generates debate. The issues are well recognised; what is missing is tangible, workable detail on how to solve them.
Consider the NCSC Breach Report released this year. It states: “Just over one in ten businesses review the risks posed by their immediate suppliers.” The conversations this prompts centre on how time-consuming the task is and how to gain better insight from it. More advice is needed on how to do this without overcomplicating it.
For example, NIST Special Publication 800-161, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, runs to 326 pages. While it is a comprehensive framework, I would argue that little of it is tangibly useful for operationalising a third-party risk capability (people, process and technology) in your organisation. I’ve written this article to explain how to capture impact, maturity and ultimately risk in a meaningful way that you can apply in your organisation.
“Just over one in ten businesses review the risks posed by their immediate suppliers”
Firstly, the closer you are to your procurement team and their supplier due diligence, the better. Remember that cyber risk is only one element of supplier due diligence your business needs to consider; others include contract value, financial due diligence, environmental, social and governance (ESG), and ethics. In an ideal world you would have a shared risk process and scoring, with a common approach across the business.
Let’s look at contract clauses, then at assessing the risk, then at what to do about it. Finally, let’s consider how to explain the value in language your organisation understands:
Clauses
Considering the clauses needed to protect yourself in supplier contracts is essential. Your legal team will know the proper legalese, but make sure these are covered:
- A requirement to notify you of suspected and confirmed incidents affecting your data, systems and operations, including those arising in their own supply chain
- A requirement to protect the personal data and intellectual property you have shared with them
- A requirement to return all your information at the end of the contract and delete any copies they hold
- Obligations to patch within specific timeframes
Consider risk impact
Resilience is about finding the killer suppliers, in other words knowing which suppliers would kill your business if they failed. This needs to be your focus. We all know Pareto’s 80:20 rule, but this is more like 99:1. 99% of your time should be spent on the 1% of your suppliers that could kill the business.
“99% of your time should be spent on 1% of your (business-killing) suppliers”
Supply chain security must consider both the maturity of the supplier and the impact they could have on you. I’ll come to maturity. First, address impact in collaboration with procurement, operations and legal. I categorise suppliers into three simple tiers:
- Critical: These are your business killers. Any single or sole supplier of goods or raw materials critical to your business, with little spare capacity in the supply chain, that could grind your business to a halt if it ceased to supply you; and any supplier or partner with privileged access to your IT, or with applications running on your IT, whose failure or compromise could stop your business operating for an intolerable amount of time and create a financial impact.
- High: Suppliers that could cause short-term, tolerable issues, including any supplier hosting customer personal information which, if breached, would cause reputational damage and possible fines. (Controversially, I don’t treat these as critical suppliers: while the reputational damage would be significant, businesses typically survive it.)
- Low: These suppliers have little impact. You might not notice when they stop operating. They deliver low levels of value and are easily replaceable.
By setting a high threshold for which suppliers count as critical, you keep a laser focus on what matters.
Now think about risk likelihood
Now that we’ve determined impact, we need to look at likelihood, which in practice means the cyber security maturity of the supplier. You can capture this with questionnaires, open-source information gathering, or secondary sources such as third-party risk management platforms. The more critical the supplier, the more scrutiny I propose. Bearing in mind the impact tier above, move through this list as far as is necessary and as far as your resources permit:
1. Gather information from a publicly available trust centre. If they have an ISO 27001 certificate or SOC 2 report available online, don’t send a questionnaire; you’ll waste everyone’s time.
2. Send your questionnaire and make the questions conditional. MS Forms and similar form tools support this, so it’s easy to implement.
3. Conduct an online search (with ChatGPT if needed) to discover any breaches, customer complaints or disclosed vulnerabilities.
4. Uncover issues with their websites, email and infrastructure using DMARC assessments, SSL Labs, Shodan and similar tools. (Or refer to step 6.)
5. Request a penetration test report and the associated mitigation plan. Be specific about whether you want a pen test of their product (website, app, etc.) or of their endpoints and network. The latest SAST or DAST scan report can also be useful.
6. Enrol in live monitoring via a third party (BitSight, SecurityScorecard, SafeBase, etc.). You don’t need to pay a lot: a few selected Google Alerts or RSS feeds can give you some of this intelligence, albeit with more noise. (If you already have this practice in place, it can replace step 4.)
7. Strike a rapport with the supplier and explore any findings from steps 1-6. It’s critical to build a relationship and have regular discussions.
8. Consider a site visit.
9. Delve into the supplier’s own suppliers with a similar lens on impact. Follow this chain as far as you can.
10. Collaborative blue team, red team or purple team tabletop exercises are great for building relationships at analyst level and ensuring playbooks align.
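Step 4 mentions DMARC assessments. As an added example (not the author’s own tooling), here is an offline checker in Python that parses the DMARC and SPF TXT records such an assessment fetches and flags the settings worth raising with a supplier. The domains and records below are constructed; in practice you would fetch the TXT records at `_dmarc.<domain>` and `<domain>` (with `dig TXT` or dnspython) and pass them in.

```python
"""Offline assessment of a supplier's email-authentication posture (DMARC and SPF).

Added example for this post, not the author's tooling. The records below are
constructed samples for hypothetical domains; real checks fetch them from DNS.
"""
import re
from typing import Dict, List, Optional

ALL_RE = re.compile(r"^([+\-~?]?)all$", re.I)
# SPF terms that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
LOOKUP_RE = re.compile(r"^[+\-~?]?(include:|exists:|ptr\b|a\b|mx\b)", re.I)


def parse_tags(record: str) -> Dict[str, str]:
    """Split a 'tag=value; tag=value' DMARC record into a dict (tags are case-insensitive)."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: Optional[str]) -> List[str]:
    """Return weaknesses in a DMARC record; an empty list means enforcing and reported."""
    if not record:
        return ["no DMARC record: spoofed mail from this domain is delivered unchecked"]
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["DMARC record does not start with v=DMARC1; receivers ignore it"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("missing or invalid p= tag; the record is ineffective")
    elif policy == "none":
        findings.append("p=none: monitoring only, spoofed mail is still delivered")
    if tags.get("sp", policy).lower() == "none" and policy != "none":
        findings.append("sp=none: subdomains are left unprotected despite the organisational policy")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"pct={pct}: policy applied to only part of the mail stream")
    if "rua" not in tags:
        findings.append("no rua= address: the supplier receives no aggregate reports, so abuse goes unseen")
    return findings


def assess_spf(record: Optional[str]) -> List[str]:
    """Return weaknesses in an SPF record."""
    if not record:
        return ["no SPF record: receivers cannot tell which hosts may send as this domain"]
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF record does not start with v=spf1; receivers ignore it"]
    findings = []
    all_qualifier = None
    lookups = 0
    for term in terms[1:]:
        match = ALL_RE.match(term)
        if match:
            all_qualifier = match.group(1) or "+"   # a bare 'all' means +all
        elif LOOKUP_RE.match(term) or term.lower().startswith("redirect="):
            lookups += 1
    if all_qualifier is None:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    elif all_qualifier == "+":
        findings.append("+all: any host on the internet may send as this domain")
    elif all_qualifier == "?":
        findings.append("?all: neutral result for unlisted senders, no better than no SPF")
    elif all_qualifier == "~":
        findings.append("~all: softfail only; move to -all once DMARC is enforcing")
    if lookups > 10:
        findings.append(f"{lookups} DNS-querying terms: over the RFC 7208 limit of 10, SPF returns permerror")
    return findings


SEVERE_PREFIXES = ("no DMARC", "DMARC record does not", "missing or invalid p=", "p=none",
                   "no SPF", "SPF record does not", "+all", "?all")


def email_posture(dmarc_record: Optional[str], spf_record: Optional[str]) -> Dict[str, object]:
    """Combine both checks into a verdict to carry into the supplier's maturity score."""
    findings = assess_dmarc(dmarc_record) + assess_spf(spf_record)
    if any(f.startswith(SEVERE_PREFIXES) for f in findings):
        verdict = "weak"
    elif findings:
        verdict = "moderate"
    else:
        verdict = "strong"
    return {"verdict": verdict, "findings": findings}


# Constructed sample records for hypothetical supplier domains (not real DNS lookups).
SAMPLES = {
    "good-supplier.example": ("v=DMARC1; p=reject; rua=mailto:dmarc@good-supplier.example; pct=100",
                              "v=spf1 include:_spf.good-supplier.example -all"),
    "monitoring-only.example": ("v=DMARC1; p=none; rua=mailto:dmarc@monitoring-only.example",
                                "v=spf1 include:mail-a.example include:mail-b.example ~all"),
    "nothing-set-up.example": (None, "v=spf1 +all"),
}
```

A supplier on `p=none` is the common case: the record exists, so a trust centre may claim "DMARC in place", but spoofed invoices from their domain still land in your finance team's inbox. That is a finding to raise in the step 7 conversation rather than a reason to fail them outright.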
Do the maths
Combine your impact tier with the information gleaned in the ten steps above to assign a maturity score to each supplier. Place each supplier in one of three maturity categories:
- Mature: Well-evidenced, positive responses, no concerning findings, and a well-resourced security programme focused on data protection.
- Moderate controls: No ISO 27001 or SOC 2 certificate, and some negative answers relating to complementary or supplementary controls.
- Weak or missing controls: Significant negative answers relating to missing key controls, and no demonstrable security programme. SaaS providers are unlikely to fall into this category, but keep an eye out for start-ups and non-technical suppliers.
A great time-saver here is to feed the questionnaire answers and supporting documents into ChatGPT and prompt for a score. Do this only where your data-handling rules allow supplier documents to leave the organisation (an enterprise instance that does not train on your inputs is the safe option), and treat the output as a draft for an analyst to check rather than the final score.
You’ve got a score. Now what?
You now have a score that tells you, for example, which critical suppliers have strong security and which low-value suppliers have weak security. This informs the frequency of repeat touch points (annually, at contract renewal, never), whether further and more thorough review is needed, and whether management of that supplier can be outsourced.
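As an added worked example of the maths in the two sections above (not the author’s own tool), the Python below scores a supplier’s maturity from conditional questionnaire answers and certification evidence, places it in the three bands, multiplies by the impact tier, and looks up a review cadence and action. The questionnaire, its weights, the thresholds and the review plan are assumptions to tune for your organisation; the supplier records at the bottom are constructed.

```python
"""Worked scoring model for the impact x maturity approach in this post.

Added example, not the author's own tool. The impact tiers (critical, high, low)
and maturity bands (mature, moderate, weak) are the post's. The questionnaire,
weights, thresholds and review plan are assumptions; the suppliers are made up.
"""
from typing import Dict, List, Optional, Set, Tuple

# Assumed questionnaire: id -> (weight, parent question, is a key control).
# A conditional question is only asked, and only scored, when its parent was
# answered yes (the "make the questions conditional" point from step 2).
QUESTIONS: Dict[str, Tuple[int, Optional[str], bool]] = {
    "programme":   (2, None,       True),   # documented security programme with a named owner
    "encryption":  (3, None,       True),   # our data encrypted in transit and at rest
    "priv_mfa":    (3, None,       True),   # MFA on privileged access to systems holding our data
    "priv_review": (1, "priv_mfa", False),  # ...and that access is reviewed at least quarterly
    "patch_sla":   (2, None,       False),  # critical patches applied within a contractual SLA
    "notify":      (2, None,       True),   # contractual duty to notify us of incidents
    "notify_fast": (1, "notify",   False),  # ...within an agreed number of hours
    "pentest":     (2, None,       False),  # annual penetration test with a mitigation plan
}
CERTIFICATIONS = {"ISO27001", "SOC2"}


def maturity_score(answers: Dict[str, bool], certs: Set[str]) -> Tuple[float, List[str]]:
    """Weighted share of positive answers over the questions actually asked, plus the
    key controls answered no. A current ISO 27001 or SOC 2 report is taken as evidence
    of a security programme (step 1: you would not send the questionnaire in that case)."""
    answers = dict(answers)
    if certs & CERTIFICATIONS:
        answers["programme"] = True
    asked = earned = 0
    missing_key: List[str] = []
    for qid, (weight, parent, is_key) in QUESTIONS.items():
        if parent is not None and not answers.get(parent, False):
            continue                     # conditional question was never asked
        asked += weight
        if answers.get(qid, False):      # an unanswered question counts as a no
            earned += weight
        elif is_key:
            missing_key.append(qid)
    return earned / asked, missing_key


def maturity_band(answers: Dict[str, bool], certs: Set[str]) -> str:
    """Map the score onto the post's three bands. Any missing key control is 'weak'
    whatever the overall score; 'mature' needs certification evidence and almost
    no negative answers; everything else is 'moderate'."""
    score, missing_key = maturity_score(answers, certs)
    if missing_key or score < 0.5:
        return "weak"
    if certs & CERTIFICATIONS and score >= 0.85:
        return "mature"
    return "moderate"


IMPACT = {"critical": 3, "high": 2, "low": 1}
LIKELIHOOD = {"mature": 1, "moderate": 2, "weak": 3}

# Assumed treatment plan: (impact, maturity) -> (next review, how far down the ten steps, action).
REVIEW_PLAN = {
    ("critical", "mature"):   ("annually", 10, "maintain the relationship; joint tabletop exercise"),
    ("critical", "moderate"): ("quarterly", 10, "agree a remediation plan; stand up a backup supplier with an SLA"),
    ("critical", "weak"):     ("monthly", 10, "remediation deadline; backup supplier before renewal"),
    ("high", "mature"):       ("at contract renewal", 4, "no action"),
    ("high", "moderate"):     ("annually", 6, "remediation plan for data-protection gaps"),
    ("high", "weak"):         ("quarterly", 7, "remediation plan with a deadline; limit the data shared"),
    ("low", "mature"):        ("never; trigger-based", 1, "outsource monitoring; alert on incident or change of ownership"),
    ("low", "moderate"):      ("at contract renewal", 1, "outsource monitoring"),
    ("low", "weak"):          ("at contract renewal", 2, "limit access and data shared"),
}


def assess_supplier(name: str, impact: str, answers: Dict[str, bool], certs: Set[str]) -> Dict[str, object]:
    """Do the maths: impact tier x maturity band -> 1..9 risk score and a treatment plan."""
    band = maturity_band(answers, certs)
    score, missing_key = maturity_score(answers, certs)
    review, depth, action = REVIEW_PLAN[(impact, band)]
    return {
        "supplier": name, "impact": impact, "maturity": band,
        "maturity_score": round(score, 2), "missing_key_controls": missing_key,
        "risk": IMPACT[impact] * LIKELIHOOD[band],
        "next_review": review, "scrutiny_steps": depth, "action": action,
    }


# Constructed sample suppliers (names and answers are made up for the example).
SUPPLIERS = [
    ("erp-hosting", "critical", {q: True for q in QUESTIONS}, {"SOC2"}),
    ("analytics-startup", "high",
     {"programme": True, "encryption": True, "priv_mfa": True, "notify": True}, set()),
    ("stationery-vendor", "low", {}, set()),
]

if __name__ == "__main__":
    for supplier in SUPPLIERS:
        result = assess_supplier(*supplier)
        print(f"{result['supplier']}: impact={result['impact']} maturity={result['maturity']} "
              f"risk={result['risk']} review={result['next_review']} -> {result['action']}")
```

The key-control override is the important design choice: a supplier with a certificate and a high weighted score still lands in "weak" if it cannot encrypt your data or will not notify you of incidents, which matches the post’s definition of that band better than a pure percentage would.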
“Managing low-value suppliers with high maturity has little value to add”
Managing low-value suppliers with high maturity is time-consuming and adds little value, so consider outsourcing it to a supply-chain-security-as-a-service partner, with trigger points (e.g. incidents, change of ownership) on which you are informed.
Designing mitigation strategies for your critical suppliers is the essential step here. Any shortfalls in the supplier’s security, such as who has access to your data or how it is encrypted, need tightening, and you can now also implement resilience measures on your side, such as backup suppliers with SLAs.
Explain the value
Explaining the value of this capability in the right language is critical. It shows that the cybersecurity team is more than a cost centre and can generate value. The following messages should help you do that:
- You have uncovered the suppliers that could significantly impact business operations and procurement. Now you know who they are and how to treat them.
- You’ve introduced backup suppliers with SLAs, which means you can almost guarantee that any operational loss will be reduced to less than four hours at minimal financial cost.
- You can now demonstrate that you can meet 99.999% availability through the supply chain, making you more attractive to prospective customers.
- The environmental, social and governance (ESG) teams now know which suppliers have carbon footprint, anti-slavery and other due diligence in place.
Over to you
I hope this article has given you some solid foundations and a few tips and tricks for supercharging your supply chain risk capability and rapidly adding value to your business. I’d love feedback on what has worked for you and what hasn’t.
Next month, I’ll be back with the second in this series on cyber risk management. Until then…