In the second article in our series "Shaping the future of supply chain cyber security", our CEO Haydn Brooks explains some of the inherent flaws with third-party risk management, as currently conducted, and why they cannot be rectified by individual organisations or teams.
In the first article in our series, we explained why supply chain attacks are on the rise, and fast becoming the greatest cyber security threat facing organisations today. In this next article, we will turn our attention to the main shortcomings of third-party risk management (TPRM), and address the question of why, at least in its current form, it has failed to make us more secure.
The article will conclude by arguing that only a more joined up and collaborative approach to TPRM and supply chain risk management more broadly, will make a material difference to hardening our security, and that we need to effectively transcend TPRM and look at supply chain cyber security more holistically.
The conventional method for protecting organisations against fallouts from supply chain attacks has been third-party risk management (TPRM). There are currently 3 main ways of how most TPRM programmes are trying to ensure the security of their third-parties.
At best, such security assessments are being repeated annually to ensure a supplier’s continued compliance with an organisation’s cyber security provisions. But the problem remains the same. This does not provide a continuous insight into suppliers security postures, and does not provide time-sensitive information on when any security control in a supplier has changed. Even repeat assessments remain, at the end of the day, moment-in-time snapshots of the security posture of a given supplier.
Another approach that is common for TPRM programmes to utilise is recourse to shared assurance providers or risk assessment brokers. These providers will offer a managed service in which they compile supplier assessments that clients can then purchase. Although there may be exceptions, these risk assessments are typically static and are not managed or owned directly by the supplier. While this approach offers a more objective approach to assessing third parties as the independent party broker collects and often validates the information, they still remain traditional point-in-time assessments that could be out of date the moment they are completed. They are even more time-intensive and can also be very expensive.
The third, and nowadays a very common type of tool utilised by TPRM teams involves external scanning tools. We will take a closer look at these, since they are widely regarded as allowing for a more continuous monitoring approach to TPRM, which any discussion on the future of direction supply chain security has to take, are often centred on.
External scanning tools or vulnerability scanners are tools that allow companies to quickly understand the security strength of public-facing systems belonging to a company that they are potentially going to work with. They are usually run automatically and highlight any potential vulnerabilities in public IP addresses, domains or other externally facing services. The tools scan the outer perimeter of a supplier’s digital infrastructure, allowing TPRM teams to understand what systems their suppliers are using, the services they are running and alert them to potential vulnerabilities. The scanners then check a list of known vulnerabilities related to the aforementioned systems. This information is compiled into a report which can tell an organisation where an attacker might look to exploit an external vulnerability to gain an initial entry.
Scanning tools are a great (although more expensive) plug and play solution that allows organisations to quickly gain a light understanding of an external attacker’s view of their supply chain partners’ systems. But as they can only check external systems, they provide no insights into the internal security posture of a supplier. In addition, the tools often return many false positives, resulting in substantial manual effort for the end-user to tidy up the reports into something meaningful. Most dangerously, results from scanning tools can often give a false sense of security - a perfect picture of an organisation that appears to have no issues, when in fact, a simple phishing email could lead to total compromise of their internal systems.
We have already touched on the main problems with each of these approaches. To briefly recap, questionnaires are highly time-consuming and resource-intensive for both suppliers and the TPRM teams at their clients, and only provide a point-in-time snapshot of a suppliers’ security controls. Using shared assurance providers is very costly and presents the same problem as with in-house questionnaires in that they are only providing a momentary snapshot of a supplier’s security posture. External scanning tools, while often very popular, can only scan externally-facing systems and not for internal procedures and security weaknesses that could pose a threat to a supplier’s clients when exploited, and they also produce many false positives.
But there are also more general and fundamental problems with the current approach to TPRM that are worth pointing out.
Right now, people need to tick their TPRM box. They need to demonstrate to their boards and regulators that they are doing their job when it comes to assessing the security of suppliers. But the way this is done at the moment is not actually helping anyone. TPRM is too often treated as a governance and compliance exercise. The overall goal then becomes to demonstrate that we provide adequate assurance rather than pursuing the fundamental objective of reducing security risks.
It means that people don't see it as constructive and valuable, creating a vicious cycle in which, because people see it as a necessity for compliance, they don't put the required effort into it, which means the value depreciates. We need to break free from that vicious cycle and take a different approach to make it more effective and reduce the challenges.
Another major problem with TPRM is that there is no commonly accepted standard for conducting third-party risk assessments, so most organisations tend to develop their own tailored questionnaires, as already explained. This means suppliers frequently have to complete different questionnaires for every single client they work with, presenting a major burden to suppliers and increasing the chance of suppliers not taking their assessments seriously.
The non-existence of a generally accepted standard for TPRM also means that there is no single point of truth that would allow us to compare risks in our supply chains and security assessments to obtain useful benchmarking data. Finally, this lack of a common standard is one of the principal factors that impedes greater collaboration and burden sharing between organisations, but more on this in the next article in this series.
As our corporate supply chains are ballooning in size, it has become almost impossible for individual security teams to assure the security of each supplier individually and continuously on their own. The lack of a standardised assessment framework as well as regulatory concerns and business competition, however, among other factors, hinder greater collaboration between the security teams of different organisations, and between organisations and their suppliers. This is the fundamental problem that Risk Ledger has set out to address, but more on this in the next article in this series. But it should be clear that this lack of collaboration leads to a lot of duplicated work between organisations and prevents a more scalable and resource-efficient approach to TPRM.
Another big challenge that TPRM teams are typically facing is that supplier assessments are usually conducted during the tender or onboarding stages of a supplier contract lifecycle, where the main points of contact at suppliers are typically members of their procurement and sales teams. This means that they coordinate the internal security due diligence requested by their clients, and means that the security teams of the organisation onboarding this supplier don’t build relationships with the security teams at their suppliers, which are not just key during the assessment phase, but even more important in the event of a security incident.
As we have already pointed out in the last article, threats can appear anywhere in our vast extended ecosystem of supply chain relationships, far beyond third-parties, in 4th, 5th and nth parties. Assuring the security of direct suppliers is thus no longer enough. But organisations have no easy way to achieve visibility into risks beyond their third-parties. However, understanding the risks in the wider supply chain ecosystem is a prerequisite for enhanced supply chain security.
This all means there are fundamental problems for any organisation trying to secure its supply chain. Current TPRM methods make it next to impossible to assure all individual suppliers of an organisation at scale, or to continuously monitor their security status.
Having established the main problems that exist with third-party and wider supply chain risk management as they are approached today, in our next article in the series we will focus on how to approach TPRM differently through enhanced collaboration, information sharing and by adopting a collective security approach that we have termed Defend-as-One. We contend that one of the most glaring shortcomings of TPRM and cyber security in general these days is that it is mostly conducted in silos. So breaking open these silos and adopting a new methodology and culture of collaboration and collective defence is a necessary first step in our vision of revolutionising supply chain security in a world at risk.
So keep a lookout for the next article in the series on our website www.riskledger.com, or subscribe via the link below to get all articles in the series delivered straight to your inbox, as well as receive the final white paper at the end of this series that will include additional case studies from our work with our partners, setting out how we strive to create a future of Defend-as-One, where peers and their suppliers come together to collaboratively secure their supply chains and strengthen their combined security.
Get our article in the series delivered straight to your inbox. You can sign up here:
riskledger.com/promoted/the-future-of-tprm
Sign up to our monthly newsletter to receive exclusive research and analyses by our experts, the latest case studies from our clients as well as guides, explainers and more to turn your supply chain risk management programme into a resounding success story.
