Back to school time for chief information security officers (CISOs) means one thing: being prepared to explain your cyber risk management strategy to the company board at the upcoming Q3 board meeting. As a key security leader in an organization, you have great insights into the efficacy of the controls in place. CISOs know the number of attacks the organization has experienced and cyber security trends impacting the industry. Therefore, you should come prepared to face the question of how you’re planning to tackle third-party cyber risk.
Third-party cyber risk arises from vendors, partners and suppliers who have access to your sensitive data, system or network, or all. That risk is magnified by a lack of clarity around how they may be protecting your sensitive data. As the original receiver or custodian of the data, it is up to you to ensure specific controls are in place to protect it. That responsibility continues even if you entrust it to someone else. Unfortunately, while most CISOs can recite chapter and verse on their incident response plan, they are often unable to confirm that the vendors they work with have an incident response plan themselves.
Savvy board members are aware of the changing cyber risk landscape and increasingly asking questions of company CISOs. What has caused this shift?
For many, recent news headlines about breaches – like Target, Quest Diagnostics and others impacted due to a third party (or fourth party in some cases) – are unavoidable. Second, cyber security regulations like those from the New York State Department of Financial Services specifically require organizations to have a program that mandates third parties meet specific security controls. This regulation has extra sensitivity for boards, as they must certify that these controls are in place. The Securities and Exchange Commission (SEC) has also released guidance encouraging companies to focus on this, as have other federal regulators. Finally, most boards already have risk or audit committees that consider third-party risks in other areas, so focusing on cyber risk is a natural next step.
Your challenge, as a security leader, is two-fold when it comes to the board. You must not only be able to answer their questions honestly and accurately, but also explain how your organization is evolving to face this risk. It may seem daunting, but the below suggestions can help you have a better conversation with your leadership:
- If you do not have a program for vendor cyber risk management, start one: If you don’t have one already, now is the time to put one in place. You can begin that process by building a formal onboarding process that considers the security posture of the organizations with whom you share data. You can get some ideas from the Legal Vendor Cyber Risk Management guide.
- If you already have a program, build your risk story: Have you prioritized them by the type of data you share or the amount of money you spend on their services? Do you know which controls matter the most to your enterprise or the data regulations you must follow? Sharing how you are thinking about the risk shows the board that you’re taking a prudent and thoughtful approach to this issue.
- Explain what you want to do: Vendor cyber risk management is a new focus for security leaders, so it’s okay if you are in the early stages of a program. You must still have a goal for your program, however. This goal could include moving from a bi-annual assessment process to an annual one or expanding the number of vendors you are assessing to include those you share less-sensitive data with, but who may receive sensitive data one day. This goal provides the board with useful insight into what your priorities are and helps them balance those in light of other business needs.
Preparing for a board meeting can be stressful for anyone, and those in security leadership often face additional challenges explaining technical concepts to a non-technical audience. However, by hitting the books and following the guidance above, you can be ready for the inevitable questions on third-party cyber risk and turn a tough topic into an enlightening conversation for everyone involved.