If you have a third-party cyber risk program, you know that one of the most challenging discussions you will have with your stakeholders is “What questions will we ask?” It is often quicker and easier to ask “What questions will we not ask?” of our third parties, as the list of questions that everyone wants to ask grows longer and longer. Having a long, or short, list of questions is not a bad thing in and of itself, but identifying, arranging and ultimately processing the questions should be the result of a well-thought-out process.
When deciding on the questions to ask, keeping the downstream implications in mind is critical for success. While you can and should engage your third parties in a continual conversation, you often get only a select few chances to ask them questions, so you need to make sure you are asking the right ones. But how do you decide what the “right” questions are?
Ideally, there should be a good discussion amongst all relevant stakeholders. This conversation should focus less on the exact wording of each question and more on the controls that you need your third parties to have in place. These controls could be policy controls, such as having an information security policy, or technical controls, such as having multi-factor authentication. They are often dictated by the regulations or laws that govern the protected data your organization is entrusted with, such as the New York State Department of Financial Services (NYS DFS) regulations or the California Consumer Privacy Act (CCPA).
It is essential to avoid the “everything but the kitchen sink” mentality and keep the list of controls you want to measure to an appropriate size. While it may seem crucial to measure every control, as we discussed in a previous blog post, having a proper list of controls will limit friction with both internal stakeholders and external third parties. Many organizations have a list of corporate controls that they expect everyone with access to protected information to follow; if you do not have one in place (or it is not appropriate for third parties to follow), it is highly recommended that you base your control selection on a standard or framework such as the NIST Cybersecurity Framework or the CIS Controls. By aligning with a publicly available cyber security standard or framework, the controls you measure will be more transparent, it will be easier for your third parties to find guidance materials on how to respond, and you will have a stronger position when you engage with them in discussions about the questions. A third-party cyber risk assessment is sometimes a negotiation, and your negotiating position is much stronger when you base your controls and questions on the work of the U.S. government or other standard-setting bodies.
As you can see, developing a list of questions is itself a negotiation process. You will need to negotiate with internal stakeholders on what controls genuinely matter and what is required. You will have to negotiate with third parties, and relying on a standard will ensure that your selection of controls and questions is more understandable to those being assessed. Ultimately, the goal of any third-party cyber risk program is a strong third-party cyber ecosystem, and the right questions and controls are foundational to that goal.